Malware has been found that can hijack Mozilla's Firefox Web browser and monitor submit-and-click events.
The trojan, called Infostealer.Snifula, or FormSpy, manifests as a Firefox extension after users execute the malicious email attachment dubbed Downloader-AXM.
Once downloaded from servers via Downloader-AXM, Formspy changes to the NumberedLinks 0.9 Firefox extension which allows users to browse using numbers rather than a mouse. Formspy then captures contents of form submission events including passwords and forwards them to its main process where it is sent to the remote attacker.
Mozilla Corporation technology strategist Mike Shaver said the use of e-mail as a medium exemplifies the need for user discretion in opening attachments.
"The recent Formspy Trojan, delivered via an executable file in a deceptive e-mail message, points again to the risk of installing or running software from an unknown source," Shaver said. "This malware manifests itself as a Firefox extension only after the user has already been compromised; it had its run of the system, leaving Firefox virtually in the same situation as if the entire operating system had turned against it."
"When an infected user submits a form on a Web site, [JS.Ffsniff] will parse the site and steal all information that is submitted by the Web form, including passwords," Wuest said. "The JS.Ffsniff script then sends this information to a predefined e-mail address using XPCOM objects."
Mozilla's Shaver said Firefox and Internet Explorer are not to blame for the vulnerability, pointing again to users trusting attachments from unknown e-mail sources.
"There exists a number of mechanisms for maliciously subverting programs once hostile code is executed, unfettered, by a trusting user," he said." Mozilla's XPCOM technology is not, as some observers have claimed, at fault here, just as Internet Explorer's Browser Helper Object system is not to blame for malicious BHOs that are installed by malware; [they] can unfortunately do little to protect the user from malware that reaches the system through other means."
Joji Hamada, Symantec senior security response manager, said the trojan has had a limited impact locally and recommended downloads from trusted sites only.
"Our intelligence indicates the threat has been noticed in Australia; however, the impact of the attack overall is minimal at this stage," Hamada said. "To protect themselves from this type of threats, users should ensure they only download software from reputable, trusted sites."
Wuest predicts the attacks will increase with the browser's popularity and recommended users install current browser patches.
"With the steady increase of the number of Firefox users we will see the number of malicious extensions created for Firefox grow," Wuest said. "Unfortunately, as soon as something becomes popular, it also becomes a popular target."