A Firefox Trojan has been found to force the Internet browser to save user passwords and then use those passwords to create a new user account on the infected computer.
Most security researchers recommend that users tell Firefox not to remember their passwords, since saved ones are so easily extracted by malware.
The Trojan-PWS-Nslog malware discovered by security company Webroot, however, gets around user preferences altogether by actually deactivating the Firefox code that asks if it should save those passwords when the user logs into a secure site.
“Before the infection, a default installation of Firefox 3.6.10 would prompt the user after the user clicks the Log In button on a Web page, asking whether he or she wants to save the password,” Webroot researcher Andrew Brandt explained in a blog post on Wednesday. “After the infection, the browser simply saves all login credentials locally, and doesn’t prompt the user.”
Specifically, the Trojan adds a few lines of code and “comments out” other portions of code from the Firefox file called nsLoginManagerPrompter.js, with the result that all passwords get saved locally without any input from the user.
Clues Left Behind
With that information, the Trojan creates a new account under the name “Maestro” on the infected computer. It then “scrapes information from the registry, from the so-called Protected Storage area used by IE to store passwords, and from Firefox’s own password storage, and tries to pass the stolen information onward, once per minute,” Brandt added.
The Web domain intended to receive the stolen data has already been shut down, but code inside the malware revealed the author’s name and email address, which led Webroot to a Facebook page for a hacker based in Iran who provides a free keylogger creator tool targeting users of Microsoft Windows.
Webroot can easily identify and remove the Trojan from infected machines, it says. To fix the modified Firefox file, users should download the latest Firefox installer and install it over the existing installation. No bookmarks or add-ons will be lost in the process, Brandt said.
How to Make Firefox Forget
Mozilla’s Firefox ranks second in global browser market share, according to Net Applications, with 23 percent of the browser market in September. The first beta release of Firefox 4 for Android phones just debuted this week.
By default, Firefox does remember passwords. To tell it not to, go to the Tools menu and select Options. From there, open the Security tab and uncheck the appropriate box, Webroot advises.
Follow Katherine Noyes on Twitter: @Noyesk.