Mozilla Firefox trojan hacks browser to store passwords

According to Webroot, which says it has discovered the malware in the wild, the Trojan-PWS-Nslogm code is capable of stealing usernames and passwords stored by Firefox and, thanks to a code interrogation routine, Internet Explorer on the user's PC.

In a security blog posting, Andrew Brandt, a security researcher with the firm, says that whenever Firefox detects that login credentials are being submitted through a web form, the browser applications remember them for future use.

Brandt says his research team have discovered that the trojan patches a file named nsLoginManagerPrompter.js, adding some extra lines of code to dictate whether Firefox prompts the user to save passwords when s/he logs into a secure site.

"Before the infection, a default installation of Firefox 3.6.10 would prompt the user after the user clicks the log-in button on a web page, asking whether he or she wants to save the password. After the infection, the browser simply saves all login credentials locally, and doesn't prompt the user", he said.

For the technically minded, the keylogging trojan is reported to copy itself to the system32 directory with the filename Kernel.exe. It also drops and registers an old, benign, deprecated ActiveX control called the Microsoft Internet Transfer Control DLL, or msinet.ocx.

The trojan then uses the DLL to communicate with its command and control server; then it creates a new user account on the infected computer.

"The trojan then scrapes information from the registry, from the so-called protected storage area used by IE to store passwords, and from Firefox's own password storage, and tries to pass the stolen information onward, once per minute", said the Webroot researcher.

Unfortunately, Brandt says that, by the time his research colleagues started researching the file by hand, the web domain the Trojan tries to contact had been shut down.

Despite this, Webroot says it tracked down the trojan's author via his Facebook profile and discovered the hacker lives in the city of Karaj in Iran.

Brandt says that, if you are infected by the malware, you should download the latest Firefox installer and install it over the top of your existing installation.

"You won't lose any bookmarks or add-ons, and the installer will just overwrite the modified nsLoginManagerPrompter.js file", he said.
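A check a responder could run before reinstalling, as an added example that is not code from Webroot or from the original article: it lists any lines in the installed nsLoginManagerPrompter.js that are absent from a clean copy, and flags a file named Kernel.exe in system32. It assumes the clean reference copy was extracted from an official installer of the same Firefox version; the function names and command-line arguments are hypothetical.

```python
import difflib
import sys
from pathlib import Path

PROMPTER = "nsLoginManagerPrompter.js"  # file the article says the trojan patches
DROPPED = "kernel.exe"                  # article: copy in system32 named Kernel.exe


def added_lines(reference: Path, installed: Path) -> list[str]:
    """Return lines in the installed file that the clean reference lacks."""
    ref = reference.read_text(encoding="utf-8", errors="replace").splitlines()
    cur = installed.read_text(encoding="utf-8", errors="replace").splitlines()
    matcher = difflib.SequenceMatcher(a=ref, b=cur, autojunk=False)
    extra = []
    for tag, _, _, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            extra.extend(cur[j1:j2])
    return extra


def triage(firefox_dir: Path, system32: Path, reference_js: Path) -> list[str]:
    """Collect findings; an empty list means neither indicator was seen."""
    findings = []
    # Search by name rather than assuming where Firefox keeps the file.
    copies = sorted(firefox_dir.rglob(PROMPTER))
    if not copies:
        findings.append(f"{PROMPTER} not found under {firefox_dir}")
    for js in copies:
        extra = added_lines(reference_js, js)
        if extra:
            findings.append(f"{js}: {len(extra)} line(s) not in the reference")
            findings.extend(f"    + {line.strip()}" for line in extra)
    # Windows file names are case-insensitive, so compare lowercased names.
    if system32.is_dir():
        for entry in system32.iterdir():
            if entry.is_file() and entry.name.lower() == DROPPED:
                findings.append(f"{entry}: name matches the reported trojan copy")
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: triage.py FIREFOX_DIR SYSTEM32_DIR REFERENCE_JS")
    results = triage(*(Path(arg) for arg in sys.argv[1:]))
    print("\n".join(results) or "no indicators found")
    sys.exit(1 if results else 0)
```

The listed lines are what an analyst would review by hand; a difference from the reference can also come from comparing against the wrong Firefox version.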
