Trojan forces Firefox to save web passwords

James Delahunty
9 Oct 2010 22:37

Webroot is warning about a Trojan that modifies a Firefox file to change the way the browser handles passwords entered in forms on websites. Trojan-PWS-Nslog modifies a file used by Firefox (nsLoginManagerPrompter.js) so that the browser simply saves all entered passwords and no longer prompts the user on whether or not it should.
Computer security firms generally advise against saving passwords in a web browser because they can so easily be retrieved, either by a person physically using the browser or by malware installed on the computer. The keylogging Trojan, which copies itself as Kernel.exe to the system32 directory, creates a new user account named Maestro on the machine in the background.
It then retrieves information from the registry and saved passwords from Internet Explorer and Firefox, and attempts to send the stolen information to a server once per minute. The server is now offline, but removal tools do not fix the changes the malware makes to the Firefox browser file. Instead, a user will have to re-install the Firefox browser to write a new copy of the file.
That's not the only interesting thing found with this Trojan, however. Embedded inside is a string of text you wouldn't expect to see included with malware: "SaLiLoG keylogger server made by Salar Zeynali - Salixem@Gmail.com."
Webroot tracked down Zeynali's Facebook profile, where it says he is from Karaj, Iran. He writes crimeware just for fun. The "crimeware" is a keylogger creation tool he offers as a free download on a message forum he hangs out on. He also likes heavy metal music and sports an emo haircut, by the way.
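
The artifacts named above (Kernel.exe in system32, a local account called Maestro, and a changed nsLoginManagerPrompter.js) can be checked on a Windows host with the PowerShell script below. It is an added example, not Webroot's tooling; the Firefox install path and the known-good reference file are assumptions supplied as parameters.

```powershell
# Added example (not Webroot's tooling). Run in an elevated PowerShell 5.1+ session.
param(
    [string]$FirefoxDir = "$env:ProgramFiles\Mozilla Firefox",  # assumption: install path
    [string]$KnownGoodFile                                      # assumption: clean copy, same Firefox version
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. The Trojan copies itself as Kernel.exe into system32. A 32-bit process on
#    64-bit Windows is redirected to SysWOW64, so check both directories.
foreach ($dir in 'System32', 'SysWOW64') {
    $path = Join-Path $env:SystemRoot "$dir\Kernel.exe"
    if (Test-Path -LiteralPath $path) {
        $findings.Add("Dropped file present: $path")
    }
}

# 2. The local account named Maestro that is created in the background.
$account = Get-LocalUser -Name 'Maestro' -ErrorAction SilentlyContinue
if ($account) {
    $findings.Add("Local account 'Maestro' exists (Enabled=$($account.Enabled))")
}

# 3. nsLoginManagerPrompter.js: compare every copy under the Firefox directory
#    against the known-good file by SHA-256.
$copies = @(Get-ChildItem -LiteralPath $FirefoxDir -Recurse -File `
            -Filter 'nsLoginManagerPrompter.js' -ErrorAction SilentlyContinue)
if ($KnownGoodFile -and (Test-Path -LiteralPath $KnownGoodFile)) {
    $goodHash = (Get-FileHash -LiteralPath $KnownGoodFile -Algorithm SHA256).Hash
    foreach ($copy in $copies) {
        $hash = (Get-FileHash -LiteralPath $copy.FullName -Algorithm SHA256).Hash
        if ($hash -ne $goodHash) {
            $findings.Add("Modified: $($copy.FullName) (SHA256 $hash, last written $($copy.LastWriteTime))")
        }
    }
} else {
    # No reference supplied: list the copies so they can be reviewed by hand.
    foreach ($copy in $copies) {
        $findings.Add("Unverified: $($copy.FullName) (last written $($copy.LastWriteTime))")
    }
}

if ($findings.Count -eq 0) { 'None of the artifacts described in the article were found.' }
else { $findings }
```

A hash mismatch only means the file differs from the reference copy, so the reference must come from a clean install of the same Firefox version.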
