Firefox Trojan Steals User’s Passwords

Patchy Phisher Forces Firefox to Forego Forgetting Passwords
By Andrew Brandt

The patch adds a few lines of code, and comments out other portions of code, that dictate whether Firefox prompts the user to save passwords when he or she logs into a secure site.

Before the infection, a default installation of Firefox 3.6.10 would prompt the user after the user clicks the Log In button on a Web page, asking whether he or she wants to save the password. After the infection, the browser simply saves all login credentials locally, and doesn’t prompt the user.

The keylogging Trojan copies itself to the system32 directory with the filename Kernel.exe; drops and registers an old, benign, deprecated ActiveX control called the Microsoft Internet Transfer Control DLL, or msinet.ocx (MD5: 7BEC181A21753498B6BD001C42A42722), which it uses to communicate with its command and control server; then it creates a new user account (username: Maestro) on the infected system.

• The Webroot Threat Blog, which initially reported this several days ago, suggests that installing the latest Firefox will fix the problem by overwriting the hijacked nsLoginManagerPrompter.js file.

Erm, until the next time one presumes?

• Download the latest version of Firefox here.
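A host check for the indicators named above (Kernel.exe in system32, the msinet.ocx MD5, the Maestro account, an altered nsLoginManagerPrompter.js), written as an added example and not code from Webroot or Mozilla. The function name, the directory arguments and the clean reference copy of the prompter file (assumed to be taken from an untouched install of the same Firefox version) are assumptions for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators as given in the write-up above (names lower-cased for comparison).
MSINET_MD5 = "7bec181a21753498b6bd001c42a42722"
DROPPED_EXE = "kernel.exe"
ROGUE_ACCOUNT = "maestro"
PROMPTER_JS = "nsloginmanagerprompter.js"


def digest(path, algo):
    return hashlib.new(algo, Path(path).read_bytes()).hexdigest()


def check_host(system32, firefox_dir, clean_prompter, local_accounts):
    """Return a list of findings; an empty list means no indicator matched."""
    findings = []
    # Windows file names are case-insensitive, so compare lower-cased names.
    sys_files = {p.name.lower(): p for p in Path(system32).iterdir() if p.is_file()}
    if DROPPED_EXE in sys_files:
        findings.append(f"dropped executable: {sys_files[DROPPED_EXE]}")
    ocx = sys_files.get("msinet.ocx")
    # The control itself is benign, so a hash match only supports other findings.
    if ocx and digest(ocx, "md5") == MSINET_MD5:
        findings.append(f"msinet.ocx matches reported MD5: {ocx}")
    # Any difference from the clean reference copy means the file was altered.
    want = digest(clean_prompter, "sha256")
    for js in Path(firefox_dir).rglob("*.js"):
        if js.name.lower() == PROMPTER_JS and digest(js, "sha256") != want:
            findings.append(f"modified login prompter: {js}")
    if ROGUE_ACCOUNT in (name.lower() for name in local_accounts):
        findings.append("local account 'Maestro' exists")
    return findings


def demo():
    """Run the check against a constructed, infected-looking directory tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "ff" / "components").mkdir(parents=True)  # constructed layout
        (root / "system32" / "Kernel.exe").write_bytes(b"constructed sample")
        clean = root / "clean.js"
        clean.write_text("// prompts before saving\n")
        (root / "ff" / "components" / "nsLoginManagerPrompter.js").write_text("// patched\n")
        return check_host(root / "system32", root / "ff", clean, ["Administrator", "Maestro"])


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real machine the account list would come from the operating system's own user enumeration, and a prompter mismatch needs confirming against the installed Firefox version before it is treated as tampering.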