AfterDawn: Tech news

Trojan forces Firefox to save web passwords

Written by James Delahunty @ 09 Oct 2010 22:37

Webroot is warning about a change a Trojan makes to Firefox files that alters the way the browser handles password information entered in forms on websites. Trojan-PWS-Nslog was found to modify a file used by Firefox (nsLoginManagerPrompter.js) in such a way that the browser simply saves all entered passwords and no longer prompts the user on whether or not it should.
Computer security firms generally advise against saving passwords in a web browser because they can so easily be retrieved either by a person physically using the browser or by malware installed on the computer. The keylogging Trojan, which copies itself as Kernel.exe to the system32 directory, creates a new user account on the machine in the background (Maestro).

It then retrieves information from the registry and saved passwords from Internet Explorer and Firefox. It attempts to send the stolen information to a server once per minute. The server is now actually offline, but the changes the malware makes to the Firefox browser file are not fixed by removal tools. Instead a user will have to re-install the Firefox browser to write a new copy of the file.
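Because removal tools leave the modified file in place, one way to check for this tampering is to compare the installed nsLoginManagerPrompter.js against a copy taken from a clean install of the same Firefox version. The following is an added example, not code from Webroot or AfterDawn; the function names and the placeholder file contents in `demo()` are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

TARGET = "nsLoginManagerPrompter.js"  # component file named in the article

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit(install_root, reference_file, name=TARGET):
    """Compare every installed copy of the component with a reference copy
    from a clean install of the same browser version."""
    expected = sha256_file(reference_file)
    findings = []
    for path in sorted(Path(install_root).rglob(name)):
        mode = path.stat().st_mode
        findings.append({
            "path": str(path),
            "modified": sha256_file(path) != expected,
            # POSIX mode bits only; on Windows inspect the file's ACL instead.
            "loosely_writable": bool(mode & (stat.S_IWGRP | stat.S_IWOTH)),
        })
    return findings

def demo():
    """Constructed sample trees; the contents are placeholders, not Firefox code."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        ref = tmp / "reference" / TARGET
        good = tmp / "install_a" / "components" / TARGET
        bad = tmp / "install_b" / "components" / TARGET
        for p in (ref, good, bad):
            p.parent.mkdir(parents=True)
        ref.write_bytes(b"// placeholder: clean component\n")
        good.write_bytes(b"// placeholder: clean component\n")
        bad.write_bytes(b"// placeholder: altered component\n")
        os.chmod(good, 0o644)   # owner-writable only
        os.chmod(bad, 0o666)    # writable by any local account
        return audit(tmp / "install_a", ref) + audit(tmp / "install_b", ref)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A mismatch only means the file differs from the reference, so the reference must come from the exact same browser version and locale as the install being checked.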

That's not the only interesting thing found with this trojan however. Embedded inside is an interesting string of text you wouldn't expect to see included with malware: "SaLiLoG keylogger server made by Salar Zeynali - Salixem@Gmail.com."

Webroot tracked down Zeynali's Facebook profile, where it says he is from Karaj, Iran. He writes crimeware just for fun. The "crimeware" is a keylogger creation tool he offers as a free download on a message forum he hangs out on. He also likes heavy metal music and sports an emo haircut by the way.


16 user comments

#1, 9.10.2010 22:45

Quote:
"SaLiLoG keylogger server made by Salar Zeynali - Salixem@Gmail.com."
Hahaha, oh wow.

#2, 10.10.2010 0:50

LOL. Nice work id10t. Good thing I use linux and use Opera instead of FF.

#3, 10.10.2010 7:27

Originally posted by GryphB:
LOL. Nice work id10t. Good thing I use linux and use Opera instead of FF.
Me too. I have this file at:
/usr/lib64/xulrunner-1.9.2/components/nsLoginManagerPrompter.js

And let's see who owns it:
-rw-r--r-- 1 root root

So only root can touch/read/overwrite this file! So unless you're stupid enough to type the password in when an app says it needs root and you don't know why, you can rest assured this file is not tampered and cannot be tampered with, just like everything in /usr, /etc, etc.

#4, 10.10.2010 8:28

hahahaha lol

#5, 10.10.2010 8:42

Firefox should do away with the option to save passwords altogether.

#6, 10.10.2010 9:28

I see nothing wrong with saving passwords in the browser. It saves a lot of time and hassle imo. Besides the only way to get these trojans is by being stupid anyway. If your security measures (and good common sense) aren't enough to combat installing malware to your computer you deserve what you get. Also as far as other people using your passwords, saving passwords to the browser on a public machine is equally stupid.

#7, 10.10.2010 14:26

Originally posted by Blessedon:
Firefox should do away with the option to save passwords altogether.
You do know that all browsers get you the option to save passwords right?


#8, 10.10.2010 18:35
lissenup2
Inactive

Originally posted by Ryoohki:
I see nothing wrong with saving passwords in the browser. It saves a lot of time and hassle imo. Besides the only way to get these trojans is by being stupid anyway. If your security measures (and good common sense) aren't enough to combat installing malware to your computer you deserve what you get. Also as far as other people using your passwords, saving passwords to the browser on a public machine is equally stupid.
What??????????????????????????????????????????????

Did you just get a computer and start using it????????????????

Trojans can come from illicit websites and saving your PW is the DUMBEST F'ING THING ANYONE COULD DO. The laziness of not wanting to type your passwords is about as lazy as not wanting to wash your hands after dropping the kids off at the pool.

Your decision making privileges have been officially revoked.

#9, 10.10.2010 20:41

Originally posted by lissenup2:
What??????????????????????????????????????????????

Did you just get a computer and start using it????????????????

Trojans can come from illicit websites and saving your PW is the DUMBEST F'ING THING ANYONE COULD DO. The laziness of not wanting to type your passwords is about as lazy as not wanting to wash your hands after dropping the kids off at the pool.

Your decision making privileges have been officially revoked.

I'm afraid you miss the point of a password manager. One of their key purposes is to encourage strong, unique passwords, which are impossible to handle without some sort of password manager (or a photographic memory). Firefox's password manager also has an optional master password that encrypts your passwords so they can't be accessed without the master password.

A keylogger can retrieve your password whether you use a password manager or not. (In fact, it's actually more likely to nail you if you don't use a password manager, since you won't be using keystrokes with a password manager.) If you get a trojan, you're basically screwed either way, so don't get one in the first place.
This message has been edited since its posting. Latest edit was made on 10 Oct 2010 @ 20:42

#10, 10.10.2010 21:34

Wait a second; answer me this:
Doesn't Informenter circumvent this Trojan, thus solving the problem?

#11, 10.10.2010 22:07

Thanks for this article. It reminded me to check my computer again. And yes. I use the master password w/ FF. Although it can be stubborn to open sometimes. Would use Pclinux or Mint or something else but they get corrupted after updating and before I can learn enough to use them well.

#12, 11.10.2010 1:05

Quote:
I'm afraid you miss the point of a password manager. One of their key purposes is to encourage strong, unique passwords, which are impossible to handle without some sort of password manager (or a photographic memory). Firefox's password manager also has an optional master password that encrypts your passwords so they can't be accessed without the master password.

A keylogger can retrieve your password whether you use a password manager or not. (In fact, it's actually more likely to nail you if you don't use a password manager, since you won't be using keystrokes with a password manager.) If you get a trojan, you're basically screwed either way, so don't get one in the first place.
lissenup2's status:
[ ] Untold
[✓] TOLD

#13, 12.10.2010 23:54
lissenup2
Inactive

Originally posted by nonoitall:
Originally posted by lissenup2:
What??????????????????????????????????????????????

Did you just get a computer and start using it????????????????

Trojans can come from illicit websites and saving your PW is the DUMBEST F'ING THING ANYONE COULD DO. The laziness of not wanting to type your passwords is about as lazy as not wanting to wash your hands after dropping the kids off at the pool.

Your decision making privileges have been officially revoked.

I'm afraid you miss the point of a password manager. One of their key purposes is to encourage strong, unique passwords, which are impossible to handle without some sort of password manager (or a photographic memory). Firefox's password manager also has an optional master password that encrypts your passwords so they can't be accessed without the master password.

A keylogger can retrieve your password whether you use a password manager or not. (In fact, it's actually more likely to nail you if you don't use a password manager, since you won't be using keystrokes with a password manager.) If you get a trojan, you're basically screwed either way, so don't get one in the first place.
I must say this because I can't believe that this type of hand-holding is still necessary.

A password manager is different from FF "remembering passwords" and I encourage everyone to use a password manager as do I. Password safe is my choice and others use their own.

As for my statement..........it stands........having FF remember your passwords is F'ing GD incomprehensibly stupid and ignorant. Who gives a sh*t about "seeing" them......if your system gets hacked or compromised then someone needs only log into your banking institution or service account and voila, they got what they need.

I feel like you and ROMaster didn't pay any attention to the details or what I was saying and frankly, defending the use of "remembering passwords" is a sign of lack of common sense.

#14, 13.10.2010 1:00

Originally posted by lissenup2:
A password manager is different from FF "remembering passwords" and I encourage everyone to use a password manager as do I. Password safe is my choice and others use their own.

As for my statement..........it stands........having FF remember your passwords is F'ing GD incomprehensibly stupid and ignorant. Who gives a sh*t about "seeing" them......if your system gets hacked or compromised then someone needs only log into your banking institution or service account and voila, they got what they need.

I feel like you and ROMaster didn't pay any attention to the details or what I was saying and frankly, defending the use of "remembering passwords" is a sign of lack of common sense.

You're not making a whole lot of sense. Firefox's built-in "remember password" functionality is a password manager. You encourage its usage in one sentence and then discourage it in the next.

#15, 13.10.2010 1:40

Quote:
I feel like you and ROMaster didn't pay any attention to the details or what I was saying and frankly, defending the use of "remembering passwords" is a sign of lack of common sense.
Or perhaps the ones without common sense are people who don't take measures to PREVENT their computer's information being compromised in the first place regardless of the manager. Hell I use the password manager myself so I don't have to type it in every bloody time, but I'm secured enough with all my other privacy settings nothing can steal it (at least without me knowing).

Try me, you can't hack me since all the exploitable (i.e. useless) files were removed in the installation.

#16, 15.10.2010 23:58

We take precautions anyway but we still do All our financial transactions on Puppy Linux now. If they're that desperate to read my eMails and post on forums using my name... pffft.



It's a lot easier being righteous than right.


DSE VZ300-
Zilog Z80 CPU, 32KB RAM (16K+16K cartridge), video processor 6847, 2KB video RAM, 16 colours (text mode), 5.25" FDD
