Beware Firefox mal-extensions, warns Symantec

By Stephen Withers
Monday, 07 December 2009 09:49

Business IT - Security

Malware writers are taking advantage of a Firefox mechanism that allows extensions to be loaded invisibly to the user, Symantec has warned.

According to Symantec senior engineer Candid Wüest, the company has "recently observed an increase in malware that drops malicious BHOs, Firefox extensions, and even Opera user scripts... to maximize their impact on a user's machine."

One avenue that's taken is to drop the malicious extension directly into Firefox's components directory. This means it will be automatically loaded with the browser, but will not show up in the Add-ons window.

Consequently, users are unlikely to know that the extension has been added, or see a mechanism to remove it.

Wüest also noted that "all of the interesting information (such as credit card numbers or passwords) is usually entered through the browser, so it's a perfect playing field for attackers."

While access to the components directory will be denied in Firefox 3.6 (requiring the packaging of add-ons as XPI [cross platform installer] files and forcing them to appear in the Add-ons window), that won't rule out the possibility of malicious extensions - it will just make it harder to create a stealthy mal-extension.

Even if an extension does install in the conventional way, that doesn't mean it isn't malicious.

A paper [PDF, 1.4MB] co-authored by Wüest and Elia Florio of Italy's Data Protection Authority describes - among other things - a number of malicious extensions that carry out activities such as logging and forwarding all form submissions that include a password field, or forwarding all URLs visited.