Firefox extension used as password stealer?

Published: 2008-12-12
Last Updated: 2008-12-13 00:53:46 UTC
by Johannes Ullrich (Version: 2)
1 comment(s)

Thanks a lot to our reader David who took the time to analyze this in more detail. It appears to be a "harmless" plugin / maybe adware. But no passwords are stolen this time. Thanks!


A reader sent us a suspicious e-mail, which included a link to an .xpi file (a Firefox extension) as attachement. Looks like a very nice find! I am still looking at the extension. Just from a preliminary glanze at it, the extension may try to steal the content of form fields.

The origin appears to be russian. The link went to ht tp : //qs-s.  nm.  ru (again: inserted spaces to protect the innocent)


The e-mail:

We have received mnoey. Here your book. Read and grow rich!
ht tp:// qs-s. nm. ru - We have received money. Here your book. Read adn grow rich!

(and thanks for the person posting the comment below to point out I forgot to break up the second instance of the URL :-) ).

 Still working on exactly figuring out what this does. E.g. if it is just adware or actually steels passwords. May have to wait until I get home and get to run it in the lab.

Johannes B. Ullrich, Ph.D.
SANS Technology Institute


1 comment(s)


:) but you haven't protect the innocent in the next lines ...

Diary Archives