In association with heise online

12 October 2010, 15:46

Trojan forces Firefox to secretly store passwords


A few lines of code are enough for Firefox to automatically save entered passwords.
A trojan recently analysed by Webroot is said to rely on retrieving web page passwords from a browser's password storage, rather than logging a user's keyboard inputs. To make sure it will find all the interesting passwords in Firefox, the malware, called PWS-Nslog, makes some changes to jog the browser's memory. A few manipulations in a JavaScript file prompt Firefox to store log-in information automatically and without requesting the user's consent.

The malware will, for instance, simply comment out Firefox's confirmation request in the nsLoginManagerPrompter.js file and add a line with automatic storage instructions. The H's associates at heise Security were able to reproduce the effect of the manipulations – manipulations which the malware author probably borrowed from a workaround that has been in circulation since 2009.

The manipulation works on all platforms on which the Trojan has the rights to modify the nsLoginManagerPrompter.js file. In tests, this worked on Windows XP, Windows 7 and Ubuntu 10.04. However, on Windows 7 and Ubuntu the user usually works with limited privileges by default, and under these circumstances the malware is unable to manipulate the file.
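
A defender's check for the tampering described above, added here as an example (not code from the article, Webroot or Mozilla): it compares the installed nsLoginManagerPrompter.js text with a known-good copy, reports lines that were commented out or newly inserted, and tests whether the current account could rewrite the file. The sample file contents and the function names inside them are constructed and hypothetical.

```python
import difflib
import hashlib
import os

# Constructed stand-ins for a clean and a tampered component file; the function
# names are hypothetical and are not Firefox's real code.
CLEAN = """function onSubmit(login) {
    showSavePrompt(login);
}
"""
TAMPERED = """function onSubmit(login) {
    // showSavePrompt(login);
    storeLogin(login);
}
"""

def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def strip_comment(line):
    """Return the code behind a leading // marker, or None for a non-comment line."""
    s = line.strip()
    return s[2:].strip() if s.startswith("//") else None

def classify_changes(baseline, current):
    """Diff installed text against the baseline; list commented-out and added lines."""
    base_lines = {l.strip() for l in baseline.splitlines() if l.strip()}
    commented, added = [], []
    for entry in difflib.ndiff(baseline.splitlines(), current.splitlines()):
        if not entry.startswith("+ "):      # only lines new in the installed file
            continue
        line = entry[2:]
        inner = strip_comment(line)
        if inner is not None and inner in base_lines:
            commented.append(inner)         # original statement was disabled
        elif line.strip():
            added.append(line.strip())      # statement not present in the baseline
    return {"modified": sha256(baseline) != sha256(current),
            "commented_out": commented, "added": added}

def user_can_modify(path):
    """True if this account can rewrite or replace the file (the precondition above)."""
    parent = os.path.dirname(path) or "."
    return os.access(path, os.W_OK) or os.access(parent, os.W_OK)

if __name__ == "__main__":
    print(classify_changes(CLEAN, TAMPERED))
```

In practice the baseline would be the file from a clean installation of the same Firefox version, and `user_can_modify` would be run against the installed file's path under the everyday user account.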

Usually, Firefox will ask a user whether to store password data; for security reasons, many users choose not to store passwords, because attackers will first check a browser's password storage and retrieve any data saved there. PWS-Nslog also attempts to retrieve data from the password storage of Internet Explorer and Firefox and send it to a server.

According to Webroot, the malware author didn't put any effort into covering his tracks, as the malware contains a name as well as a Gmail address. Furthermore, Webroot soon found the Facebook page of the allegedly Iranian developer who claims he develops crimeware for fun.

