The malware, discovered by Webroot, modifies a core Firefox file, called nsLoginManagerPrompter.js, which controls whether Firefox prompts a user to save passwords when he or she logs into a secure site.
"Before the infection, a default installation of Firefox 3.6.10 would prompt the user after the user clicks the login button on a web page, asking whether he or she wants to save the password. After the infection, the browser simply saves all login credentials locally, and doesn’t prompt the user", Webroot researcher Andrew Brandt told The Register.
The key logging malware also creates a new user account on the infected system and scrapes information from Firefox’s password storage, before trying to upload the stolen data.
Matthew Bruun, security expert at VeriSign Authentication, advised Firefox users to employ a layered security strategy, such as two-factor authentication, to counter threats posed by this type of malware.
“Simple static passwords are not safe and can easily be guessed, stolen and sold, or in this case stored in the browser without the user knowing. Basic passwords can be strengthened through the use of two-factor authentication – something the user knows and something they have. When one element of a password is stolen, it doesn’t help the fraudster as they still need the second factor to access users accounts. Companies can set themselves apart in this difficult economic environment by protecting users’ digital identities and therefore improving consumer confidence online."