Security Response

BHO and XPCOM: Extensions Gone Wild

Created: 26 Jul 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:58:24 GMT
Candid Wueest

Mozilla’s Firefox browser is quite popular and it is often recommended when it comes to the question: What is a safe browser alternative? Unfortunately, this does not necessarily mean that you are not susceptible to browser attacks.

Microsoft Internet Explorer is often hijacked by malware that drops browser helper objects (BHO), which will then be loaded every time the user starts Microsoft Internet Explorer. The BHOs can then manipulate data that is sent to the Internet and (for example) steal passwords or monitor user habits. With the Cross Platform Component Object Model (XPCOM), something similar to a BHO exists on the Mozilla side. It is a framework for developers to create modules that access features of the Gecko engine. For example, Firefox extensions are written with XPCOM and can therefore integrate seamlessly into Firefox.

Of course, it shouldn’t be a big surprise that this technique can also be used with malicious intent. Unwanted extensions that we have already seen implemented as BHOs are also possible as extensions for Firefox. In March 2006 we found the first in-the-wild case with JS.Ffsniff, a JavaScript threat that uses XPConnect. XPConnect is an interface for JavaScript that allows transparent access to XPCOM objects. The threat is part of a browser extension; once installed, it will add itself as an event listener for all “form submit” events. When an infected user submits a Web form on a Web site, the threat will parse the site and steal all information that is submitted by the Web form, including passwords. The JS.Ffsniff script then sends this information to a predefined email address using XPCOM objects.

Nearly the same approach was used by the recently found threat named Infostealer.Snifula. Once run, this Trojan will install a malicious browser extension for all installed Mozilla-based browsers (including Firefox). This browser extension will then monitor all “submit” or “click” events on Web sites. If a Web form is about to be submitted, all content fields are grabbed by the Trojan and forwarded to its main process, which can then send the information to the remote attacker.
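
The behaviour described above for JS.Ffsniff and Infostealer.Snifula (a listener on “submit” or “click” events, reading the form fields, then handing the data to XPCOM objects) can be turned into a simple triage heuristic for extension scripts. The following is an added example, not code from the original post or from Symantec; the function name triageExtensionScript, the regular expressions, the contract-ID prefixes treated as network-capable, and both sample sources are constructed assumptions.

```javascript
// Heuristic triage for legacy XPCOM-era extension scripts (added example).
// All patterns and both sample sources below are constructed for illustration.

// 1. A listener registered for form "submit" or "click" events.
const LISTENER = /addEventListener\s*\(\s*["'](submit|click)["']/g;
// 2. Code that reads form field contents.
const FIELD_READ = /\.elements\b|getElementsByTagName\s*\(\s*["']input["']\s*\)/;
// 3. XPConnect access to XPCOM components that can open network connections.
//    Assumption: contract IDs under these two prefixes are treated as such.
const XPCOM_NET =
  /Components\.classes\s*\[\s*["'](@mozilla\.org\/(?:network|xmlextras)\/[^"']+)["']\s*\]/g;

function triageExtensionScript(name, source) {
  const events = [...new Set([...source.matchAll(LISTENER)].map(m => m[1]))];
  const components = [...source.matchAll(XPCOM_NET)].map(m => m[1]);
  const readsFields = FIELD_READ.test(source);
  // Any one signal is common in benign extensions; only the combination
  // matches the form-grabbing pattern and merits manual review.
  const hits = [events.length > 0, readsFields, components.length > 0];
  const verdict = hits.every(Boolean) ? "review" : "low";
  return { name, events, components, readsFields, verdict };
}

// Constructed sample: skeleton showing the three signals, no forwarding logic.
const SAMPLE_SUSPECT = `
window.addEventListener("submit", onSubmit, true);
function onSubmit(e) {
  var fields = e.target.elements;
  var svc = Components.classes["@mozilla.org/network/io-service;1"];
  /* forwarding logic omitted in this constructed sample */
}`;

// Constructed sample: a toolbar button that only touches preferences.
const SAMPLE_BENIGN = `
document.getElementById("tb-button").addEventListener("click", openPanel, false);
var prefs = Components.classes["@mozilla.org/preferences-service;1"];
`;

for (const [name, src] of [["suspect.js", SAMPLE_SUSPECT], ["toolbar.js", SAMPLE_BENIGN]]) {
  console.log(JSON.stringify(triageExtensionScript(name, src)));
}
```

A "review" verdict is only a prompt for manual inspection; obfuscated scripts or binary XPCOM components will not match these patterns.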

These examples show that no matter which browser you use, you should always make sure that you have the latest version with the latest patches installed. If you install additional browser extensions, then make sure that you download them from a trusted source. As we have elaborated in an earlier Weblog entry entitled “Threats from a Trusted Site”, it might not always be easy to define what a trusted site is, but that’s another issue in itself. With the steady increase of the number of Firefox users, I believe that we will, in turn, see the number of malicious extensions created for Firefox grow as well. Unfortunately, as soon as something becomes popular, it also becomes a popular target.