Firefox Vuln and DNS Changers

A newer spyware program targets only Firefox users, according to these articles: http://blog.trendmicro.com/cyber-crimainals-target-firefox-users/ (which includes links to technical information). Of course, one has to allow the initial infection to install.

It’s not clear how the initial infection gets to your computer. But once there, it puts hooks into Firefox to allow the spyware to watch and report on access to banking-type web sites. When such a site is accessed, the spyware grabs your login credentials and sends them off to the evil hacker. And that can’t be good.

Another evil is the DNS changer software that could live on the laptop next to you at the local coffee shop. When you connect to the coffee shop’s network, the evil laptop will intercept and change your DNS settings. That will allow the evil DNS server to intercept and redirect your access to a web site. Also not good.

Brian Krebs (Washington Post) has a write-up of it here http://voices.washingtonpost.com/securityfix/2008/12/a_scary_twist_in_malware_evil-.html . The trojan works by changing a registry value that changes the DNS server your browser accesses.

The trojan is another one that you have to decide to install, and is often disguised as a video ‘codec’ (add-on) that an evil site (often an ‘adult’ site) wants to install so you can view the videos. Could even be a site like www(dot)yuotube(dot)com (and no, that is not a typo).

A quick way to check if you have a DNSChanger problem is to try to browse to a known non-existent web site, like www.this-is-not-really-a-good-domain-name.com . You should get a “Navigation cancelled” page. If you get anything else, then it’s time to start the cleanup process on your computer (and perhaps your router, since there are some DNSChanger attacks that try to hack into your router using known passwords).

Note that some ISPs redirect you to their search page if you type in a non-existent web site name, so this may not work for everyone.
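The same check as a script, added here as an example and not part of the original post: it looks up a few random names that should not exist and reports what the resolver answered. The control name example.com, the probe name pattern and the function names are assumptions made for the example.

```python
import secrets
import socket


def system_resolve(name):
    """Return the addresses the OS resolver gives for name, or [] on failure."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_nonexistent_names(resolve=system_resolve, control="example.com", probes=3):
    """Look up random names that should not exist and report what came back.

    Returns (verdict, answers); answers maps each probe name to its addresses.
    """
    # If a name that does exist fails too, DNS is simply down and the
    # probes below would all "pass" for the wrong reason.
    if not resolve(control):
        return "no-dns", {}
    answers = {}
    for _ in range(probes):
        # Constructed probe name: the random label makes a real registration implausible.
        name = "www.%s-not-a-real-domain.com" % secrets.token_hex(8)
        answers[name] = resolve(name)
    if not any(answers.values()):
        return "clean", answers
    # Something answered for names that do not exist: either an ISP search
    # redirect or a rewritten DNS setting. The addresses show where to look.
    return "answers-for-nonexistent", answers


if __name__ == "__main__":
    verdict, answers = check_nonexistent_names()
    print(verdict)
    for name, addrs in answers.items():
        print(" ", name, "->", ", ".join(addrs) or "no answer")
```

A "clean" verdict only covers the resolver this machine is using right now; an "answers-for-nonexistent" verdict still needs the ISP-redirect possibility ruled out by checking who owns the returned addresses.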

Be careful out there!
