Fake Virus Outbreak
F-Secure reported a fake virus outbreak alert designed to look like it came from Microsoft.
The message comes in with this header information:
- From: update@microsoft.com
- Subject: Warning! New Virus On The Internet! Update Now!
- Reply-To: update@microsoft.com
- Date: Wed, 26 Jul 2006, 15:21:38 +0800 (CST)
Firefox Flaws
Mozilla.Org has announced 13 security flawstheir usual practice, researchers and hackers are hard at work developing exploits.
- MFSA 2006-56: chrome: scheme loading remote content
- MFSA 2006-55: Crashes with evidence of memory corruption (rv:1.8.0.5)
- MFSA 2006-54: XSS with XPCNativeWrapper(window).Function(...)
- MFSA 2006-53: UniversalBrowserRead privilege escalation
- MFSA 2006-52: PAC privilege escalation using Function.prototype.call
- MFSA 2006-51: Privilege escalation using named-functions and redefined "new Object()"
- MFSA 2006-50: JavaScript engine vulnerabilities
- MFSA 2006-49: Heap buffer overwrite on malformed VCard
- MFSA 2006-48: JavaScript new Function race condition
- MFSA 2006-47: Native DOM methods can be hijacked across domains
- MFSA 2006-46: Memory corruption with simultaneous events
- MFSA 2006-45: Javascript navigator Object Vulnerability
- MFSA 2006-44: Code execution through deleted frame reference
Top Threat: FormSpy
Executive Summary
Name: FormSpy
Affects: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
What it does: FormSpy is a malicious Firefox extension. It masquerades as version 0.9 of a legitimate open-source extension called numberedlinks. Specifically, it identifies itself as "Numbered Links 0.9." In fact, FormSpy is based on the source from that extension.
FormSpy is actually loaded indirectly through Downloader-AXM, a Trojan horse that is directly executed by the client. In the most recent attack it was mass-spammed as an attachment to a message purportedly from Walmart. Once loaded, it downloads and executes another attack, FormSpy in this case.
After FormSpy is executed, the extension registers Firefox event listeners to itself, which is not inherently abnormal behavior for an extension. It uses these to listen in on user communications, and forwards those communications on to a Web site. This could include passwords, credit card numbers and PINs, private correspondence, and so on.
How to avoid it: Be alert to installations of all extensions. Run antivirus software and keep it up to date.
How to remove it: It's best to use antivirus software to remove this attack.
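One way to act on "be alert to installations of all extensions" is to inventory what a profile actually has installed. The sketch below is an added example, not code from F-Secure, Mozilla or the article: it assumes a legacy Firefox profile whose extensions are unpacked directories each holding an install.rdf manifest, and it assumes the "Numbered Links 0.9" identity appears as name "Numbered Links" and version "0.9". A match only marks an entry for review, since the legitimate extension uses the same name, and the extension IDs in the sample data are constructed.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
EM = "{http://www.mozilla.org/2004/em-rdf#}"
MANIFEST = "urn:mozilla:install-manifest"
# Name and version the article says FormSpy reports for itself (assumed split).
WATCH = ("numbered links", "0.9")

def read_manifest(path):
    """Return (id, name, version) from an install.rdf, or None if unreadable.
    Properties are accepted as child elements or as attributes."""
    try:
        root = ET.parse(path).getroot()
    except (ET.ParseError, OSError):
        return None
    for desc in root.iter(RDF + "Description"):
        # The about attribute appears both prefixed (RDF:about) and bare.
        if (desc.get(RDF + "about") or desc.get("about")) != MANIFEST:
            continue
        return tuple((desc.findtext(EM + k) or desc.get(EM + k) or "").strip()
                     for k in ("id", "name", "version"))
    return None

def audit_extensions(ext_dir):
    """Report every unpacked extension; mark those matching WATCH for review."""
    report = []
    for manifest in sorted(Path(ext_dir).glob("*/install.rdf")):
        info = read_manifest(manifest)
        if info is None:
            report.append((manifest.parent.name, "?", "?", "UNREADABLE"))
            continue
        ext_id, name, version = info
        hit = (name.lower(), version) == WATCH
        report.append((ext_id, name, version, "REVIEW" if hit else "ok"))
    return report

def demo():
    """Audit a constructed extensions directory (sample data, not real IDs)."""
    tmpl = ('<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
            'xmlns:em="http://www.mozilla.org/2004/em-rdf#"><Description '
            'about="urn:mozilla:install-manifest" em:id="{0}" em:name="{1}">'
            '<em:version>{2}</em:version></Description></RDF>')
    with tempfile.TemporaryDirectory() as d:
        for s in [("a@example.invalid", "Tab Helper", "1.2"),
                  ("b@example.invalid", "Numbered Links", "0.9")]:
            (Path(d) / s[0]).mkdir()
            (Path(d) / s[0] / "install.rdf").write_text(tmpl.format(*s))
        return audit_extensions(d)
```

Call `audit_extensions()` with the path to a profile's extensions directory, or `demo()` to see the output on the constructed sample.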