A curious new information-stealing Trojan that patches a core Firefox file in order to override the browser’s behavior has been discovered by Webroot researchers.
Every Firefox user has seen the following prompt pop up at least once when signing into an online service:
Savvy users know that letting the browser remember passwords is a bad idea, because password-stealing Trojans can usually extract them from the browser's password store with little effort, so they change the browser's settings so that it no longer offers to "remember" passwords.
But this Trojan modifies nsLoginManagerPrompter.js, the file that governs this behavior: it adds a few lines of code and invalidates a few others, so that when a user who has not made the settings change described above logs into a website, the browser stores the credentials automatically without ever showing the prompt.
“The keylogging Trojan copies itself to the system32 directory with the filename Kernel.exe; drops and registers an old, benign, deprecated ActiveX control called the Microsoft Internet Transfer Control DLL, or msinet.ocx, which it uses to communicate with its command and control server; then it creates a new user account (username: Maestro) on the infected system,” points out one of the researchers.
From then on it is easy for the Trojan to harvest the saved passwords and attempt to send them to the C&C server. What is especially interesting about this Trojan, however, is that it is "signed": embedded in its code is the following string:
After a brief search, the researcher tied the e-mail address to one Salar "Salixem" Zeynali, an Iranian malware author who writes it for fun. He does not actually sell the keylogger in question, but he offers a tool for creating such keyloggers for free on a message board.
Webroot researchers say that the Trojan (which they have named Trojan-PWS-Nslog) is easy to detect, but that no antivirus product can restore the modified Firefox file. For that you will have to reinstall Firefox, preferably over the existing installation, so that the patched file is simply overwritten and you keep your bookmarks and add-ons. Note that a reinstall only repairs the browser file: the Kernel.exe copy in system32, the registered msinet.ocx and the added "Maestro" account described above still have to be removed, and any passwords saved while the Trojan was active should be treated as compromised.
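Since no antivirus product restores the patched file, and the only symptom is that a component file under the Firefox install directory no longer matches what shipped, the practical check is a file-integrity comparison against a known-good copy of the same Firefox version. The following is an added example, not Webroot's or Mozilla's code: it hashes every file in a baseline install tree and in the suspect install tree and reports what was modified, added or removed. The directory layout, file names and the placeholder JavaScript in the demo are constructed for illustration and are not Firefox's real source; the tampering shown (one line commented out, one line added) mirrors the behavior the article describes, not the Trojan's actual patch.

```python
"""Integrity check for a Firefox install directory.

Added example, not Webroot's or Mozilla's code: hashes a known-good install
(a baseline taken from a fresh copy of the same Firefox version) and compares
it with the install under suspicion, so that a patched
nsLoginManagerPrompter.js shows up as 'modified'. Paths and file contents in
run_demo() are constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 hex digest."""
    hashes = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def compare_trees(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between the known-good hash set and the live install."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def _write(root: Path, rel: str, text: str) -> None:
    """Create rel under root (making parent directories) with the given text."""
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(text, encoding="utf-8")


def run_demo() -> dict[str, list[str]]:
    """Build two constructed install trees and diff them.

    'clean' stands in for a fresh install; 'suspect' has the prompter file
    altered the way the article describes (a line commented out, a line
    added). The JavaScript below is a placeholder, not Firefox's source.
    """
    clean_prompter = (
        "// constructed stand-in for components/nsLoginManagerPrompter.js\n"
        "function promptToSavePassword(login) {\n"
        "  showSaveLoginNotification(login);\n"
        "}\n"
    )
    tampered_prompter = (
        "// constructed stand-in for components/nsLoginManagerPrompter.js\n"
        "function promptToSavePassword(login) {\n"
        "  // showSaveLoginNotification(login);   <- prompt invalidated\n"
        "  storeWithoutAsking(login);             // <- added: save silently\n"
        "}\n"
    )
    untouched = "// constructed stand-in for an unmodified component file\n"

    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "firefox-clean"
        suspect = Path(tmp) / "firefox-suspect"
        for root in (clean, suspect):
            _write(root, "components/nsLoginManager.js", untouched)
        _write(clean, "components/nsLoginManagerPrompter.js", clean_prompter)
        _write(suspect, "components/nsLoginManagerPrompter.js", tampered_prompter)
        return compare_trees(hash_tree(clean), hash_tree(suspect))


if __name__ == "__main__":
    for kind, files in run_demo().items():
        print(f"{kind}: {files}")
```

In real use, take the baseline hashes from a freshly downloaded copy of the exact same Firefox version (a different build will legitimately differ in many files), point `hash_tree` at the live install directory, and treat any entry under `modified` in the components directory as grounds for the overwrite-reinstall the article recommends.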