[Project_owners] Malware spoofing Firefox extension

Stefan Hajnoczi stefanha at gmail.com
Fri Jul 28 00:37:10 EDT 2006

I have just been alerted that malware has been found[1] which installs
a trojaned version of numberedlinks, an extension I maintain here at

It seems to have been sent out in spam email with an EXE
attachment[2].  Alternatively, it was also spread via an Internet
Explorer exploit[3].

I have not been able to get my hands on a copy of the malware.
McAfee's profile and TechWeb[4] show it is a Windows trojan which
sends various sensitive information (sniffed ICQ, FTP, POP3, and IMAP
passwords, as well as form contents on web pages) to a compromised web

Slightly interesting, but not surprising, is the fact that the fake
extension is not "installed" via the GUI.  The files are placed
directly into the user's Firefox profile.

I have seen legitimate extension code which goes as far as patching up
Firefox chrome code at run-time.  I am surprised the malware authors
bothered to even use an extension or at least haven't "cloaked" it by
patching up relevant Firefox chrome code.

Obviously this incident could have affected any Firefox extension and
I have the feeling similar things will happen in the future.  The
question is how we can make it harder to abuse extensions.

Any suggestions how we can make life a little harder for these people?

Thanks to Martijn Weisbeek (MozBrowser.nl) for alerting me.


[1] http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=140256
[2] http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=140257
[3] http://vil.nai.com/vil/content/v_140256.htm
[4] http://www.techweb.com/wire/security/191101268

More information about the Project_owners mailing list