New CWS trojan - GoogleSpawner - uses Firefox extension to hijack Firefox

InetVirusGuard, #1
Jan 28th, 2008
Several of my clients report this trojan since Jan. 14th. Seems to be a variant of the Cool Web Search trojan, adapted for Firefox. Has anyone encountered this and have advice for removal?

Point of entry: User receives an email with a "Reply-to" field entry of a known acquaintance, recommending a Firefox extension. User adds the extension to Firefox, usually some kind of search bar or weather service.

Behavior: Extension works, but one to several minutes after opening, three separate Firefox windows open and then each begins to spawn tabs. Several of the tabs contain what appears to be Google search results for various porn sites with addresses URL encoded, others contain series of links to porn and offshore gambling sites. Subsequent tabs appear to be the pages linked to by the first tabs. When user closes tabs, new ones are spawned making closure extremely difficult. Many tabs contained direct links to media such as WMVs and pictures.

The extension also appears to monitor whether the user visits common mail servers like Yahoo and Gmail, and attempts to load email addresses out of the pages viewed. Does not appear to have a key listener component or a local directory search.

Likely intent: We guess that it is attempting to simulate clickthrus from different users, to augment Google search placement and to generate revenue directly from sites paying per click for advertising.

Countermeasures: Removed Firefox completely from system using Erase Beyond Recovery mode, and all temporary file areas. Note - did not appear in HijackThis.

Roger_mod, #2
Jan 29th, 2008
This has been circulating around the web pretty quickly the last few weeks. It seems it is a straight-up extension, which takes over Firefox without any virus or worm coding or DLLs like Cool Web Search. Thus, while it simulates CWS in behavior, it does not in coding.

Simply deleting the extension and reinstalling Firefox appears to work. The extension may have connected back to the spawning server to communicate email addresses of trusted acquaintances, but no residual server code has been found.

As part of Firefox, it would not show up in HijackThis or CWShredder.

artis_newbie, #3
Jan 29th, 2008
Thank you so much for posting this. I was going berserk. We didn't get it from the email though, we downloaded an extension (can't remember the site, sorry, but it was obviously not the official mozilla.org one -- I know, "stupid").

I removed Firefox and all the directories associated with it; upon reinstall, it seems back to normal.

The "close other tabs" works to close all but one and doesn't spawn children. But the best thing would be not to download extensions from untrustworthy sites.
Last edited by artis_newbie; Jan 29th, 2008 at 9:09 am.
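
An added example, not part of the original thread: because the posts above note that the extension lives inside Firefox and is invisible to HijackThis, this Python script lists profile-installed extensions whose recorded install source is not the official add-on site. It assumes the `extensions.json` layout of current Firefox releases (`addons` entries with `id`, `location`, `type`, `sourceURI`), not the format Firefox used in 2008; the trusted host set and the sample data are constructed.

```python
import json
from urllib.parse import urlparse

# Assumption for this example: the only install source treated as official.
TRUSTED_HOSTS = {"addons.mozilla.org"}

def audit_addons(extensions_json_text, trusted_hosts=TRUSTED_HOSTS):
    """Return (id, name, source, reason) for profile-installed extensions
    whose recorded install source is not an https URL on a trusted host."""
    findings = []
    for addon in json.loads(extensions_json_text).get("addons", []):
        # Skip add-ons bundled with the browser; review user installs only.
        if addon.get("location") != "app-profile" or addon.get("type") != "extension":
            continue
        source = addon.get("sourceURI") or ""
        url = urlparse(source)
        host = (url.hostname or "").lower()
        if url.scheme == "https" and host in trusted_hosts:
            continue  # exact host match, so look-alike domains do not pass
        reason = "no recorded source" if not source else f"installed from {host or url.scheme}"
        name = (addon.get("defaultLocale") or {}).get("name", "?")
        findings.append((addon.get("id"), name, source, reason))
    return findings

# Constructed sample in the shape of a profile's extensions.json (not real data).
SAMPLE = json.dumps({"addons": [
    {"id": "weather-bar@constructed.example", "type": "extension",
     "location": "app-profile", "active": True,
     "defaultLocale": {"name": "Weather Bar"},
     "sourceURI": "https://addons.mozilla.org.downloads.example/weather.xpi"},
    {"id": "blocker@constructed.example", "type": "extension",
     "location": "app-profile", "active": True,
     "defaultLocale": {"name": "Blocker"},
     "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/1/blocker.xpi"},
    {"id": "search-bar@constructed.example", "type": "extension",
     "location": "app-profile", "active": True,
     "defaultLocale": {"name": "Search Bar"}, "sourceURI": None},
    {"id": "builtin@constructed.example", "type": "extension",
     "location": "app-builtin", "active": True,
     "defaultLocale": {"name": "Built-in"}, "sourceURI": None},
]})

if __name__ == "__main__":
    for finding in audit_addons(SAMPLE):
        print(finding)
```

To audit a real profile, pass the contents of that profile's `extensions.json` file instead of `SAMPLE`.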

©2003 - 2009 DaniWeb® LLC