Howdy,

Apparently BitDefender stumbled upon a Firefox-only banking malware. It installs itself as a Firefox plugin (= it installs a native binary) and as a javascript file in the Chrome folder (= it modifies the source code of Firefox):

• %ProgramFiles%\Mozilla Firefox\plugins\npbasic.dll
• %ProgramFiles%\Mozilla Firefox\chrome\chrome\content\browser.js

If anyone has a sample, I’d like to have a look at it. It’s not technically a Firefox extension, but its payload could also be delivered as an extension (with no native code at all). If anybody wonders why there is not more Firefox crapware, there are two reasons for it:

• the browser market is still dominated by IE
• malware authors have not realised how easy it was to write malware for Firefox

Links:

• Malicious Firefox Extensions on this blog
• ‘Greasemonkey’ Malware Targets Firefox on Slashdot
• Firefox users targeted by rare piece of malware on Infoworld
• Trojan.PWS.ChromeInject.B on BitDefender