Spyware via Firefox? It’s true.

Last weekend I passed along sketchy details of a news report that claimed spyware purveyors have found a way to get to Windows users even when they use Firefox as their primary browser. I’ve now had a chance to test this claim and I can report that it’s true.

The original article included enough details to help me track down the seemingly legitimate Web site that’s distributing this stuff. Like so many of these sites, it offers content designed to attract young people – in this case, a library of song lyrics. I visited the site using both Internet Explorer and Firefox. The results were surprising.

For my first visit, I used Internet Explorer on a computer running Windows XP SP2. As expected, the site tried to install a downloader packaged as an ActiveX control. The page also contained a script to pop up two dialog boxes that deceptively claimed I needed to click Yes to continue.

[Image: Ff_spy_1]

Of course, this dialog box makes no sense on a computer running Windows XP with SP2. There’s no Yes button to click, because the Information Bar blocks the ActiveX dialog box. So, for its next bit of social engineering, the page included instructions designed to walk me, the unsuspecting user, through the process of bypassing the SP2 security controls and installing this Trojan on my computer. But it wasn’t able to put an Install button in my face.

[Image: Ff_spy_2]

“But I’m safe,” you say. “I use Firefox, so I don’t have to worry about this stuff.”

Think again. You’re about to get slammed by a crapware vendor who has figured out how to sucker-punch Firefox users. In fact, to add insult to injury, the center of the page includes this ad, complete with affiliate code, to help you install Firefox.

[Image: Ff_spy_3]

So what happens when you visit this page with Firefox?

On my test computer, I had a fresh installation of Firefox, so I was prompted to install Java. The Firefox Information bar (which closely resembles the equivalent feature in Internet Explorer) displayed the message “Additional plugins are required to display all the media on this page.” I clicked the Install Missing Plugins button, and the Firefox “Plugin Finder Service” displayed a dialog box that offered to install the Java Runtime Environment. This certainly looked safe, so I clicked Next and allowed Firefox to download and install the code for me. It popped up this license agreement along the way and generally behaved just like any other program.

[Image: Ff_spy_4]

This installation was completely safe. The Java program is useful and, in fact, is required for a number of popular sites. It did nothing out of the ordinary or suspicious. So, after restarting my computer, I returned to the Web page where I began, and this time I was greeted with a Security dialog box.

[Image: Ff_spy_6]

This is confusing. As an unsuspecting user, I’m not really sure what a “security certificate” is. The dialog box is different, but I just installed another program with a complicated dialog box and it seemed safe enough, so I guess it’s probably OK to install this one too. Hmmm, maybe I should click the More Details button first, just to see what’s there.

[Image: Ff_spy_7]

That’s not very helpful, is it? Oh well, might as well install it. How much harm could it do? After all, the Get Firefox page has a big bold quote from USA Today that says “Beware of spyware. If you can, use the Firefox browser.” And the Get Firefox page itself says “Built with your security in mind, Firefox keeps your computer safe from malicious spyware…”

So I clicked Yes. And then … nothing. A single line of text appeared in the lower left corner of the Firefox window, alerting me that the Installer Applet was running. But I saw no dialog boxes, no pop-ups, no obvious signs of anything untoward happening. Much ado about nothing? Not exactly.

After closing the browser window, I installed the Microsoft Anti-Spyware beta (which I had downloaded earlier). After updating to the latest signature files, I let it do a scan. And look what turned up.

[Image: Ff_spy_scan]

Three nasty-sounding programs are now running on this computer. One of them has already begun serving up large X-rated pop-ups. And worst of all, the original Trojan horse program, which downloaded those three programs, is still there. Presumably it will begin downloading additional software shortly.

Lessons learned:

  • Spyware dealers are sneaky. Their goal is to put a dialog box in your face and convince you to click Yes. They’re successful way too often.
  • Antivirus software can protect you. Trend Micro’s PC-Cillin correctly identified the original Trojan and blocked it on a computer in my lab. F-Secure detects this Trojan as Java.OpenStream.T and blocks it as well.
  • Even an expert can be fooled. Alex Eckelberry of Sunbelt Software, a maker of anti-spyware software, says, “[O]ur own researcher working on this project (no stranger to spyware) inadvertently loaded a piece of 180 Solutions adware… This is the real problem with spyware. People click on things and that lands them into trouble.”
  • Simply being careful isn’t enough. You can land on a site offering this sort of crap by typing a URL wrong or clicking on a perfectly normal link in a page full of Google search results.
  • Simply switching browsers isn’t enough. This all happened through Firefox, remember?
  • It could happen on a Mac or Linux computer. As F-Secure notes: “The trojan works just because the trojan author did not use any Microsoft specific code. Thus making the trojan portable to other platforms. And yes, the trojan will most likely also work under Linux, but it won’t do really anything there as it tries to download and execute Win32 EXE trojan.” For now, that is. Consider this a proof of concept – this code could easily be modified to run on a Mac and download a Mac-specific Trojan or dialer.
  • Novices can be overwhelmed by permission dialog boxes. Remember the Java dialog box that I showed earlier? Here’s an example of what you’ll see when you’re prompted to load a legitimate Java program. Go ask a non-techie friend or neighbor if they can tell the difference.

[Image: Trusted_java]

Was I stupid to click Yes? Perhaps. But as Alex Eckelberry correctly notes: “People click on things.” Even after they’ve been told to be careful. Even when the wording should make them suspicious. In fact, most untrained computer users have a hard time distinguishing between good and bad software. If they’re burned often enough, they eventually start clicking No to everything – including security patches. Which only makes the problem worse.
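The “Antivirus software can protect you” bullet mentions that F-Secure names this Trojan Java.OpenStream.T, and F-Secure’s own description says the applet simply downloads a Win32 EXE and runs it. That combination is exactly what a cheap static triage check can look for: a .class file that references a URL stream, a file writer and Runtime.exec all at once. Here is an added example of such a check, written for this page; it is not code from the original post, from F-Secure, or from the site described, and the class file it scans is constructed in the script rather than taken from that site. The names looks_like_downloader, download_and_execute_markers, SUSPICIOUS_NAMES and build_class are this example’s own.

```python
"""Static heuristic for a download-and-execute Java applet.

Added example, not code from the original post or from any antivirus vendor.
It reads a .class file's constant pool and reports which "fetch, write, run"
API names the class references. The class files scanned below are CONSTRUCTED
in build_class() and are not the applet from the site described in the post.
"""
import struct

# Constant-pool tags and the fixed byte width of each entry's payload
# (Utf8, tag 1, is variable-length; Long and Double occupy two pool slots).
_FIXED_WIDTH = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
                12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# API names whose presence together is the marker this heuristic scores on.
SUSPICIOUS_NAMES = {
    "java/net/URL", "openStream",          # fetch a remote payload
    "java/io/FileOutputStream",            # write it to disk
    "java/lang/Runtime", "exec",           # run it
}


def constant_pool_strings(class_bytes: bytes) -> list:
    """Return every CONSTANT_Utf8 entry in a class file's constant pool."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", class_bytes, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pos = 10          # first constant-pool entry follows the 10-byte header
    strings = []
    index = 1         # constant-pool indices are 1-based; count is slots + 1
    while index < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length followed by the string bytes
            (length,) = struct.unpack_from(">H", class_bytes, pos)
            pos += 2
            strings.append(class_bytes[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in _FIXED_WIDTH:
            pos += _FIXED_WIDTH[tag]
            if tag in (5, 6):  # Long/Double consume two constant-pool indices
                index += 1
        else:
            raise ValueError(f"unknown constant-pool tag {tag} at offset {pos - 1}")
        index += 1
    return strings


def download_and_execute_markers(class_bytes: bytes) -> set:
    """Names from SUSPICIOUS_NAMES that the class references."""
    return SUSPICIOUS_NAMES & set(constant_pool_strings(class_bytes))


def looks_like_downloader(class_bytes: bytes) -> bool:
    """True only when fetch, write AND execute APIs are referenced together."""
    hits = download_and_execute_markers(class_bytes)
    return {"openStream", "java/io/FileOutputStream", "exec"} <= hits


def build_class(utf8_entries: list) -> bytes:
    """Build a minimal CONSTRUCTED class file whose constant pool holds the given
    Utf8 strings plus one Class entry and one Long, so the parser's two-slot
    handling is exercised. It is not loadable by a JVM; it exists for the scan."""
    pool = b""
    for text in utf8_entries:
        data = text.encode("utf-8")
        pool += b"\x01" + struct.pack(">H", len(data)) + data
    pool += b"\x07" + struct.pack(">H", 1)   # CONSTANT_Class -> Utf8 entry 1
    pool += b"\x05" + struct.pack(">q", 0)   # CONSTANT_Long (two slots)
    count = len(utf8_entries) + 1 + 2 + 1    # slots used, plus 1 for the count
    header = struct.pack(">IHHH", 0xCAFEBABE, 0, 49, count)
    # Minimal trailer: access_flags, this_class, super_class, zero-length tables.
    trailer = struct.pack(">HHHHHHH", 0x21, 2, 1, 0, 0, 0, 0)
    return header + pool + trailer


# Constructed samples: a harmless drawing applet and a fetch/write/run applet.
BENIGN_APPLET = build_class(["java/applet/Applet", "paint",
                             "java/awt/Graphics", "drawString"])
DOWNLOADER_APPLET = build_class(["java/applet/Applet", "java/net/URL",
                                 "openStream", "java/io/FileOutputStream",
                                 "write", "java/lang/Runtime", "exec"])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_APPLET), ("downloader", DOWNLOADER_APPLET)):
        print(name, looks_like_downloader(blob), sorted(download_and_execute_markers(blob)))
```

Requiring all three API groups keeps plain network applets and plain file-writing applets from tripping the check, but a legitimate installer written in Java will still match, so treat a hit as a reason to inspect the signed JAR’s certificate and manifest, not as a verdict on its own.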

21 Responses to Spyware via Firefox? It’s true.

  • Ralph Cook says:

    I don’t think anyone who understands how malware works would argue that Firefox solves the problem in general. I do think IE is MUCH more prone to be a problem, whether by poor programming or just being the biggest in the market doesn’t really matter to the poor users. I guess we’ll find out if Firefox ever equals its market share — let’s all try it!

    It is interesting that the Sun site claims that this was only possible using the Microsoft VM — was the author using that VM? It wouldn’t likely have come with Firefox, so I guess it would have had to be on his machine already.

    I, for one, am more in favor of user education than trying to disable anything that might be a problem. After all, phishing scams and email attachments are STILL there; we can’t plug all the holes if the users insist on “just clicking on things”.

    Disclaimer: I’m a 30-year veteran of the programming industry, and just got caught by a usenet message purporting to hold the group’s new charter in an HTML file that turned out to automatically download an EXE, so I just got done running a 2-hour scan on the machine to see if it got anything on here. And found this trojan-loader on the machine in places where it’s already been! Fortunately I refuse to run MS’s so-called Java VM, so that may have saved me. I refuse to run IE, also.

    rc
