Open Bug 513570 Opened 11 years ago Updated 5 years ago

malware attacks on search - FFsearcher/Nine-Ball , Trend Micro report on TSPY_EBOD.A

Categories

(Firefox :: Security, defect)

3.5 Branch
x86
All
defect
Not set

Tracking

()

People

(Reporter: chofmann, Unassigned)

References

(Blocks 1 open bug, )

Details

(Keywords: user-doc-complete)

reported at
http://news.softpedia.com/news/Click-Fraud-Malware-Hides-as-Firefox-Extension-120430.shtml

support article might be the only defense on this one.  we should check possibility of blocking.

from the article

Dubbed Trojan.PWS.ChromeInject by BitDefender researchers, the malicious extension was being deployed without the users' consent by other malware already present on the infected computers. In comparison, this new Firefox threat, which Trend Micro calls TSPY_EBOD.A, is using social engineering to trick users into installing it.

The extension is being offered on various forums via JavaScript as an Adobe Flash Player update. Once installed, it appears in the Add-ons Management window under the Extensions tab as "Adobe Flash Player 0.2." It is worth noting that the real Flash Player add-on for Firefox is actually a plug-in, which is listed under the Plugins tab as "Shockwave Flash [version number]."

This new piece of malware is actually a click fraud trojan, which injects ads into Google search-result pages. When these ads are clicked, the trojan's authors are receiving a small fee from the advertising network supplying them. Back in July, we reported about a similar trojan, which hijacked queries performed through the default search boxes in Internet Explorer and Firefox and routed them through a custom Google search widget.

Trend Micro analysts note that the rogue extension is also monitoring and intercepting all Google searches performed with Firefox and uploads the captured data to a remote server. This is probably done in order to establish some search trends for the victims and subsequently serve them with ads, which they are more likely to click on.
Keywords: user-doc-needed
ss kev,  any contacts at trend micro that might be able to get us a copy of this?

quick scan of crash data doesn't produce anything that we might be able to use to identify and block.
FFSearcher started doing attacks on search back in July as well when being delivered as part of Nine-Ball

http://news.softpedia.com/news/Nine-Ball-Distributes-Complex-Click-Fraud-Trojan-115677.shtml
more on Nine=Ball here 
http://securitylabs.websense.com/content/Alerts/3421.aspx
http://voices.washingtonpost.com/securityfix/2009/06/ffsearcher_a_stealthy_evolutio.html
Summary: Trend Micro report of TSPY_EBOD.A attacks on search → malware attacks on search - FFsearcher/Nine-Ball , Trend Micro report on TSPY_EBOD.A
Duplicate of this bug: 513739
kurt, thanks for the follow up research.  from that trend micro report it sounds like TSPY_EBOD.A. are js component files used information theft. However, this javascript requires other components in order to run properly.

So we won't be able to block that file directly, but we might be able to block the process that runs or initiates the loading of that JS if we can figure that out.
the guidance given by trend micro is to

 Step 1: Close all opened browser windows
 Step 2: Remove malware files related to JS_EBOD.A  

we could also look at some future enhancement to the blocking system to perform steps to clean off evil js scripts that get dumped on users systems, but that would be beyond the scope of this bug.

until then those two step could go in the support page for this attack.
(In reply to comment #6)
> kurt, thanks for the follow up research.  from that trend micro report it
> sounds like TSPY_EBOD.A. are js component files used information theft.
> However, this javascript requires other components in order to run properly.
> So we won't be able to block that file directly, but we might be able to block
> the process that runs or initiates the loading of that JS if we can figure that
> out.

But blocking the extension itself would keep Firefox from running the code as itsounds like the fake extension runs the code when a search is done (I'm assuming through the search bar).
(In reply to comment #8)
> (In reply to comment #6)
> > kurt, thanks for the follow up research.  from that trend micro report it
> > sounds like TSPY_EBOD.A. are js component files used information theft.
> > However, this javascript requires other components in order to run properly.
> > So we won't be able to block that file directly, but we might be able to block
> > the process that runs or initiates the loading of that JS if we can figure that
> > out.
> But blocking the extension itself would keep Firefox from running the code as
> itsounds like the fake extension runs the code when a search is done (I'm
> assuming through the search bar).

I'm basing this on, "The said add-on injects ads into the user’s Google search results pages. More disturbing, however, is its capability to monitor the user’s browsing activities, particularly his/her Google search queries using the Firefox browser. It then sends the information it gathers to http://{BLOCKED}jupdate.com."
I'm trying to follow up with Jonathan from Trend to get more information. If
the extension guid stays constant it can be blocked, but as soon as we start
that, I'm betting we'll start seeing dynamically generated guids. More to come when I have more info.
(In reply to comment #10)
> I'm trying to follow up with Jonathan from Trend to get more information. If
> the extension guid stays constant it can be blocked

Any update here?
re:user-doc-need
I've made an edit to <https://support.mozilla.com/en-US/kb/*Is+my+Firefox+problem+a+result+of+malware?bl=n>. Just waiting for someone to review it.
It was approved. You should be able to see the changes now.
You need to log in before you can comment on or make changes to this bug.