Monday, March 14, 2005

Firefox not Spyware free!

We all know about those ActiveX installers that attempt to install all manner of nasties when using Internet Explorer, but it seems the producers of all that malware are now turning on other browsers. This time they are using a Java installer to push all kinds of unwanted malware onto your PC. Christopher Boyd at Vitalsecurity.org tested out this latest bit of malware after hearing a rumour about a Firefox adware bundle on a forum. The malware installer in question is capable of working against a number of web browsers with native Java Runtime Environment support. This allows the installer to attack most browsers, including Firefox, Mozilla, Netscape, Avant and in some cases Opera. In this instance, this little bit of malware goes and installs a whole bunch of Internet Explorer-specific nasties, including DyFuCA, Internet Optimiser, ISTsvc, Kapabout, sais (180 Solutions), SideFind and Avenue Media. Now this presents an interesting twist, because in Boyd’s tests his Internet Explorer was locked down, and when he’d visited the site the installer was executed from, he was not affected by the installer. However, once the installer was allowed to run, it went ahead and trashed his Internet Explorer setup, thus ensuring that the next time the machine reboots all that nasty malware is executed and will continue to hijack the PC.
Now we should just say first, in defence of all the browsers that Boyd tested, that user intervention was required to install this crap: it all popped up a ‘Do you want to allow this to run’ dialog, and in this test (we stress this was a test) Boyd clicked on the ‘yes’ button. In normal circumstances no sane user should press ‘yes’; they should click ‘NO’. Just to repeat that: CLICK NO, never never click ‘yes’...