Firefox Attacks Sharpen Bite

By Matthew Hines  |  Posted 2009-03-30

Security researchers are highlighting a more powerful breed of attack that is specifically targeting users of the open source Mozilla Firefox web browser.

Long touted for its improved security over rival browsers including Microsoft IE, Firefox has been mined for dozens of vulnerabilities over the last few years, but the application hasn't ever faced the same level of attacks as Explorer.

However, experts are charting the emergence of a new, sophisticated breed of Firefox threat that packs a significantly more potent punch than its predecessors.

Posting to the Webroot Threat Blog, security researcher Andrew Brandt describes several newly discovered pieces of badware in circulation that he cites as "raising the bar" for Firefox attacks.

"In the past few weeks, we've seen malware writers up the ante in their bets against Firefox. Two new spies came across the transom in the past week, and easily managed to load themselves into a freshly installed copy of Firefox 3.0.7. I should note that this isn't due to any problem or negligence on Mozilla's part; once you execute malicious code on your PC, any application is vulnerable. Firefox just happens to be a big target," Brandt notes.

The first piece of malware Brandt points to is a malicious plugin that appears to be a new variant of a known spyware attack, DNSChanger. Framed as a browser hijacking ploy, the installer drops a DLL payload into the Firefox components folder, and then runs in the background from then on.

The threat, also ID'd as "Firesox," then injects ads or modified results when it detects certain search query strings sent to engines including Google, Yahoo, MSN, Altavista, Teoma, Ask and Pricegrabber, Brandt reports.

"In the past, we saw DNSChanger used to help fraudulent advertising affiliates boost their numbers, and to direct unsuspecting users to rogue antimalware tools by generating bogus results. It remains to be seen whether this new variant will be as prolific as the old version," he writes.

The second attack highlighted in the researcher's blog post is a piece of adware that only installs correctly with Firefox versions 3.x or later. Parceled together with other programs and a too-long-to-read EULA, the threat, dubbed Foxicle, appears after users attempt to opt out of another adware toolbar, Mirar.

Whether they agree to keep Mirar or end up saddled with Foxicle, users unlucky enough to stumble onto the programs appear destined to stare at some unwanted ads when they're browsing.

In both cases, the attacks represent a new generation of Firefox threats in their ability to cloak themselves from discovery, Brandt contends.

"Neither Firesox, the DNSChanger clone, nor Foxicle puts an obvious entry in Firefox's plugins dialog that signals their presence. While not widely distributed, I suspect we'll be seeing more of them," he said.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |
