Patchy Phisher Forces Firefox to Forego Forgetting Passwords

By Andrew Brandt

Every browser can, at the user’s discretion, be set up to remember passwords. In general, Webroot advises most users not to set the browser to store login credentials, because they’re so easily extracted by password-stealing Trojans like Zbot. In Firefox, for example, you can click Tools, Options, then open the Security tab, and uncheck a box that tells the browser to remember passwords entered into Web forms. (The box is checked by default.)

But in the course of taking a more thorough look at a Trojan that came to our attention in July, we were surprised to see the Trojan modify a core Firefox file. Upon closer inspection, the Trojan patches a file named nsLoginManagerPrompter.js. The patch adds a few lines of code (displayed above), and comments-out other portions of code, that dictate whether Firefox prompts the user to save passwords when he or she logs into a secure site.

Before the infection, a default installation of Firefox 3.6.10 would prompt the user after the user clicks the Log In button on a Web page, asking whether he or she wants to save the password. After the infection, the browser simply saves all login credentials locally, and doesn’t prompt the user.

The keylogging Trojan copies itself to the system32 directory with the filename Kernel.exe; drops and registers an old, benign, deprecated ActiveX control called the Microsoft Internet Transfer Control DLL, or msinet.ocx (MD5: 7BEC181A21753498B6BD001C42A42722), which it uses to communicate with its command and control server; then it creates a new user account (username: Maestro) on the infected system.

The Trojan then scrapes information from the registry, from the so-called Protected Storage area used by IE to store passwords, and from Firefox’s own password storage, and tries to pass the stolen information onward, once per minute.

By the time we started researching the file by hand, the Web domain the Trojan tries to contact had been shut down. But there was a lot of other juicy information inside the Trojan.

For example, take a look at the following string embedded inside:

Well, pleased to meet you, Salar “Salixem” Zeynali. It’s not often you see a malware author taking credit for his creation using his real name. They’re usually a little smarter than that.

It didn’t take much effort to track down the author’s Facebook profile — he posts a link to it in his message board profile.

His Facebook profile indicates he lives in Karaj, Iran; He sports an emo haircut, and likes heavy metal music and programming. And, apparently, Zeynali writes crimeware for fun, because he doesn’t sell his keylogger. He offers a keylogger creator tool as a free download from the message board he hangs out on. Here’s a short list of some of the features included in one version.

Unfortunately, there are a lot of people who frequent the same message board Zeynali uses to post his keylogger code, and some of those people have clearly been using the keylogger creator tool Zeynali built to create and distribute Trojans. But there’s some good news: We’re able to easily identify and remove the Trojan (we call it Trojan-PWS-Nslog) from infected machines.

One thing that we, nor any other AV company, can do is fix the modified Firefox file. However, there’s an easy fix for that as well: Simply download the latest Firefox installer and install it over the top of your existing installation. You won’t lose any bookmarks or add-ons, and the installer will just overwrite the modified nsLoginManagerPrompter.js file. Problem solved.

22 thoughts on “Patchy Phisher Forces Firefox to Forego Forgetting Passwords

  1. Pingback: Patchy Phisher Forces Firefox to Forego Forgetting Passwords - Donna's SecurityFlash

  2. Pingback: Plaats hier software gerelateerd nieuws! - Page 25

  3. Pingback: Trojan Forces Firefox to Save Your Passwords

  4. Pingback: PC World Philippines :: News and Trends :: Trojan Forces Firefox to Save Your Passwords

  5. Pingback: Neuer Trojaner PWS-Nslog für Firefox entdeckt « WEBLOGIT Web News, Tipps und Tricks für erfolgreiche Blogger und Selbständige. We Blog It!

  6. Pingback: Anonymous

  7. Pingback: Servizi Segreti Intelligence

  8. Pingback: Trojan forces Firefox to secretly store user login passwords « IT Security

  9. Pingback: Trojaner fuer Firefox unterwegs

  10. Pingback: New Trojan Forces Mozilla Firefox To Store Password For Later Retreival

  11. Pingback: تروجان يصيب الفايرفوكس

  12. Pingback: Trojan-PWS-Nslog – zwingt Nutzer zum Speichern des Passworts - Trojaner, Passwort, Programmierer, Trojaner-Designer, Mühe, Sache, Kombinationen, Denn - ITler.NET - Der Blog für ITler und Sysadmins

  13. Pingback: Trojan overrides Firefox password-saving behavior « Axxera Inc.

  14. Pingback: Firefox Trojan Steals User’s Passwords «

    • That scenario hasn’t been tested. Private browsing, as I understand, does not permit Firefox to store passwords under any circumstances and wipes out any cached data at the end of the session. I would not want to venture an assumption without having tested it, but it seems reasonable to assume that Private Browsing may be safer in cases where you don’t know whether the Firefox core components have been modified. That said, if you’re not sure, then just install Firefox over the top of itself, which wipes out the modified files and replaces them with files known to be good, legit copies.

  15. Pingback: Trojan forces Firefox to secretly store passwords |

  16. Pingback: Firefox’taki kayıtlı şifrelerinizi çalan yeni bir truva atı

  17. Pingback: Firefox vă fură parolele cu ajutorul unui mic Troian | Catavencu

  18. Pingback: โทรจันแก้ไข Firefox ขโมย”พาสเวิร์ด” | ข่าว ข่าววันนี้ ข่าวรายวัน กีฬา บันเทิง ข่าวการเมือง ข่า

  19. Pingback: 10 Threats from 2010 We’d Prefer Remain History « Webroot Threat Blog

Join the Conversation

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s