BHO and XPCOM: Extensions Gone Wild
Mozilla’s Firefox browser is quite popular and is often recommended as the answer to the question “What is a safe browser alternative?” Unfortunately, using it does not necessarily mean that you are not susceptible to browser attacks.
Microsoft Internet Explorer is often hijacked by malware that drops browser helper objects (BHO), which will then be loaded every time the user starts Microsoft Internet Explorer. The BHOs can then manipulate data that is sent to the Internet and (for example) steal passwords or monitor user habits. With the Cross Platform Component Object Model (XPCOM), something similar to a BHO exists on the Mozilla side. It is a framework for developers to create modules that access features of the Gecko engine. For example, Firefox extensions are written with XPCOM and can therefore integrate seamlessly into Firefox.
Nearly the same approach was used by the recently found threat named Infostealer.Snifula. Once run, this Trojan will install a malicious browser extension for all installed Mozilla-based browsers (including Firefox). This browser extension will then monitor all “submit” or “click” events on Web sites. If a Web form is about to be submitted, all content fields are grabbed by the Trojan and forwarded to its main process, which can then send the information to the remote attacker.
These examples show that no matter which browser you use, you should always make sure that you have the latest version with the latest patches installed. If you install additional browser extensions, then make sure that you download them from a trusted source. As we have elaborated in an earlier Weblog entry entitled “Threats from a Trusted Site”, it might not always be easy to define what a trusted site is, but that’s another issue in itself. With the steady increase of the number of Firefox users, I believe that we will, in turn, see the number of malicious extensions created for Firefox grow as well. Unfortunately, as soon as something becomes popular, it also becomes a popular target.
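The advice above boils down to knowing which extensions are installed in your browser and where they came from. As an added example (not code from the original entry or from Symantec), the script below audits a Firefox profile’s extensions.json and reports extensions that are unsigned, were downloaded from somewhere other than addons.mozilla.org, or were installed outside the user’s profile, which is how a Trojan like the one described above would typically plant its extension. The sample JSON is constructed, the add-on ids and URLs are placeholders, and the field names (signedState, sourceURI, location, active) are assumed to follow the modern Firefox add-on manager file; the 2006-era Firefox discussed in the post did not record signature state, so treat the checks as a current-day equivalent of the same audit.

```python
import json
from urllib.parse import urlparse

# Constructed sample of a Firefox profile's extensions.json. Not data from the
# original post; ids and URLs are invented placeholders, and the field names
# are assumed to match the modern Firefox add-on manager schema.
SAMPLE_EXTENSIONS_JSON = """
{
  "schemaVersion": 36,
  "addons": [
    {"id": "adblock@example.com", "type": "extension", "version": "1.0",
     "signedState": 2, "location": "app-profile", "active": true,
     "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/1/adblock.xpi"},
    {"id": "formwatcher@attacker.invalid", "type": "extension", "version": "0.1",
     "signedState": 0, "location": "app-profile", "active": true,
     "sourceURI": null},
    {"id": "toolbar@vendor.example", "type": "extension", "version": "3.2",
     "signedState": 2, "location": "app-global", "active": true,
     "sourceURI": "https://downloads.vendor.example/toolbar.xpi"},
    {"id": "dark@example.com", "type": "theme", "version": "2.0",
     "signedState": 2, "location": "app-profile", "active": true,
     "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/2/dark.xpi"}
  ]
}
"""

# Hosts you consider a trusted download source for extensions.
TRUSTED_SOURCE_HOSTS = {"addons.mozilla.org"}
# signedState values meaning Mozilla signed the package (2 = signed,
# 3 = system add-on, 4 = privileged); anything else is unsigned or unknown.
SIGNED_STATES = {2, 3, 4}
# Locations that ship with the browser itself rather than being user-installed
# (assumed location names).
BUILTIN_LOCATIONS = {"app-builtin", "app-system-defaults"}


def audit_extensions(extensions_json_text):
    """Return {addon_id: [reasons]} for extensions that fail the trust checks."""
    data = json.loads(extensions_json_text)
    findings = {}
    for addon in data.get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries and langpacks carry no code
        location = addon.get("location")
        if location in BUILTIN_LOCATIONS:
            continue
        reasons = []
        state = addon.get("signedState")
        if state not in SIGNED_STATES:
            reasons.append(f"not signed by Mozilla (signedState={state})")
        source = addon.get("sourceURI")
        if not source:
            reasons.append("no recorded download source")
        else:
            host = urlparse(source).hostname or ""
            if host not in TRUSTED_SOURCE_HOSTS:
                reasons.append(f"downloaded from untrusted host {host}")
        if location != "app-profile":
            # Sideloaded into a global/application directory, the usual place
            # for an extension dropped by an installer the user never chose.
            reasons.append(f"installed outside the profile (location={location})")
        if reasons:
            findings[addon["id"]] = reasons
    return findings


def audit_profile(extensions_json_path):
    """Audit a real profile file, e.g. <profile>/extensions.json."""
    with open(extensions_json_path, encoding="utf-8") as fh:
        return audit_extensions(fh.read())


def main():
    for addon_id, reasons in audit_extensions(SAMPLE_EXTENSIONS_JSON).items():
        print(addon_id)
        for reason in reasons:
            print("  -", reason)


if __name__ == "__main__":
    main()
```

Run it against a real profile with `audit_profile("/path/to/profile/extensions.json")`; anything it flags deserves a look at the extension’s actual files before you decide whether it belongs there.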