Fake Firefox Extension Recruits Users into a Botnet


Botnet_WideThe following is an excerpt from an article recently published by leading security expert Brian Krebs on his KrebsOnSecurity blog. The article follows an investigation by KrebsOnSecurity and describes how a malicious add-on is trapping Firefox users into joining a botnet utilized to hack web sites:

” An unusual botnet that has ensnared more than 12,500 systems disguises itself as a legitimate add-on for Mozilla Firefox and forces infected PCs to scour Web sites for security vulnerabilities.

The botnet, dubbed “Advanced Power” by its operators, appears to have been quietly working since at least May 2013. It’s not clear yet how the initial infection is being spread, but the malware enslaves PCs in a botnet that conducts SQL injection attacks on virtually any Web sites visited by the victim.

Although this malware does include a component designed to steal passwords and other sensitive information from infected machines, this feature does not appear to have been activated on the infected hosts. Rather, the purpose of this botnet seems to be using the compromised Windows desktops as a distributed scanning platform for finding exploitable Web sites.

sql-addonOn infected systems with Mozilla Firefox installed, the bot code installs a browser plugin called “Microsoft .NET Framework Assistant” (this bogus add-on does not appear to be the same thing as this add-on by the same name). The malicious add-on then tests nearly every page the infected user visits for the presence of several different SQL injection vulnerabilities… “

 

Posted in:
About the Author

Brian Krebs

Brian became a world renowned security researcher while working for The Washington Post from 1995 to 2009 as the author of The Security Fix column. Since leaving The Washington Post in 2009 Brian has continued his research at Krebs on Security where he continues to investigate cyber criminal gangs, skimmers, software exploits, and the dark underbelly of the web .

There is one comment

Comments are closed.