Fake Firefox Extension Recruits Users into a Botnet

The following is an excerpt from an article recently published by leading security expert Brian Krebs on his KrebsOnSecurity blog. The article follows an investigation by KrebsOnSecurity and describes how a malicious add-on is trapping Firefox users into joining a botnet utilized to hack web sites:

” An unusual botnet that has ensnared more than 12,500 systems disguises itself as a legitimate add-on for Mozilla Firefox and forces infected PCs to scour Web sites for security vulnerabilities.

The botnet, dubbed “Advanced Power” by its operators, appears to have been quietly working since at least May 2013. It’s not clear yet how the initial infection is being spread, but the malware enslaves PCs in a botnet that conducts SQL injection attacks on virtually any Web sites visited by the victim.

Although this malware does include a component designed to steal passwords and other sensitive information from infected machines, this feature does not appear to have been activated on the infected hosts. Rather, the purpose of this botnet seems to be using the compromised Windows desktops as a distributed scanning platform for finding exploitable Web sites.

On infected systems with Mozilla Firefox installed, the bot code installs a browser plugin called “Microsoft .NET Framework Assistant” (this bogus add-on does not appear to be the same thing as this add-on by the same name). The malicious add-on then tests nearly every page the infected user visits for the presence of several different SQL injection vulnerabilities… “

• You can read Brian’s enlightening article in full here: Botnet Enlists Firefox Users to Hack Web Site