The Mozilla Firefox browser is constantly gaining in popularity. A recent market share survey by Net Applications awards Firefox with 24% of users worldwide. One of the key philosophies of Firefox is that its functionality can easily be extended using plug-ins or extensions. According to the Mozilla foundation there are more than 12,000 extensions available and they have recorded more than 1 billion extension downloads so far. Quite an irresistible target for a malware author, don’t you think?
This is by no means a new phenomenon, nor a Firefox-centric one. Browser helper objects (BHOs) in Microsoft’s Internet Explorer have been misused by attackers for years, and we saw malicious Firefox extensions appear more than three years ago. But, we have recently observed an increase in malware that drops malicious BHOs, Firefox extensions, and even Opera user scripts—all this in order to maximize their impact on a user’s machine. Trojan.Ransompage is a good example of such a threat targeting three browsers at once.
Even though people are sometimes tricked into installing malicious extensions themselves, most of the time we see that malicious extensions are dropped by malware already running on the local machine. This is not the fault of the browser per se; the malware authors are simply misusing the features the browser provides, and a browser is present on nearly every system nowadays. Furthermore, all of the interesting information (such as credit card numbers or passwords) is usually entered through the browser, so it’s a perfect playing field for attackers.
In Firefox it is possible to drop an extension as a raw component directly into the core folders of the Firefox installation. Such a component is loaded without any visible sign to the user, who has no way to disable or uninstall it from within the browser, let alone any way of knowing that it is there in the first place. This is obviously not nice, since even legitimate add-ons crash the browser from time to time; if an add-on was installed invisibly, the user has no chance of linking the crashes to it or disabling it. Malware authors are obviously also fans of this stealth method, because it gives their extensions a relatively safe hooking point into the browser.
To solve this issue, the Mozilla developers have now decided to remove this capability and only load their own core components in Firefox 3.6 and beyond. This should prevent malicious add-ons from using this method in the future, but unfortunately this is not the only trick they can use.
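One defensive check that follows from the above is a simple integrity baseline of the browser's core component folder, so that a file dropped there after installation stands out. The script below is an added example, not code from this post or from Mozilla; it assumes a baseline was taken from a trusted install and uses a constructed temporary directory in place of the real Firefox `components` folder.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries do not load into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(components_dir):
    """Map every file under components_dir (relative path) to its SHA-256."""
    result = {}
    for root, _dirs, files in os.walk(components_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, components_dir).replace(os.sep, "/")
            result[rel] = sha256_of(full)
    return result


def find_unexpected(components_dir, baseline):
    """Compare the folder against a known-good baseline; return sorted (path, reason)."""
    current = snapshot(components_dir)
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append((rel, "not in baseline"))   # dropped-in file
        elif baseline[rel] != digest:
            findings.append((rel, "hash changed"))      # shipped file tampered with
    for rel in baseline:
        if rel not in current:
            findings.append((rel, "missing"))
    return sorted(findings)


def demo():
    """Constructed scenario: baseline a fake install tree, then drop one extra file."""
    with tempfile.TemporaryDirectory() as tmp:
        comp = os.path.join(tmp, "components")
        os.makedirs(comp)
        with open(os.path.join(comp, "shipped.js"), "w") as f:
            f.write("// constructed stand-in for a component that ships with the browser\n")
        baseline = snapshot(comp)
        with open(os.path.join(comp, "dropped.js"), "w") as f:
            f.write("// constructed stand-in for a file added after install\n")
        return find_unexpected(comp, baseline)
```

In practice the baseline would be stored outside the browser's folders (or derived from the vendor package) and the check run periodically or by an endpoint agent.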
If you want to know more on this topic—malware that uses Firefox extensions—you can read the whitepaper (.pdf) that I co-wrote with Elia Florio.