I recently came across yet another malware page posing as an Ebay login page. The page informs the user with big scary language that a "required update" is needed to view the page, then proceeds to inform the user in large friendly letters "Do this to install the required update" through the use of a Flash applet. The "required update" is actually a key logger that hides in the background and watches where you surf and what you type.
I've seen this type of foolishness before, but this one was different. Take a peek at these screen shots of the page in question as viewed in IE and Firefox. Normally, malware pages of this nature will try to install an ActiveX control (as seen in the IE screenshot) or will automatically start the download of a Windows executable. However under Firefox, this page wanted to install an Extension. Extensions are essentially addons for Mozilla products like Firefox, Thunderbird, and others.
Extensions are distributed in an ".XPI" file package. XPI files are basically PKZIP files with a specific directory hierarchy. By default, Firefox will only allow the official Extension download sites to install XPI files. However, by following the friendly instructions on the malware page, it takes as little as 3 clicks to allow the malware site to invoke the XPInstall window. XPInstall is the confirmation dialog box that opens when you go to install an Extension. XPInstall actually does a decent job of ensuring the user doesn't mindlessly click "Install" with a 5 second delay and will not allow the Install button to be clicked if the XPInstall window is not in focus. It can also inform the user of the given name of the Extension and if the XPI is signed with a certificate or not. This is a screenshot of the XPInstall dialog window:
Lets dig a little bit deeper. Where does XPInstall get the name of the extension? From the parameters passed to the "TriggerInstall.install" built-in browser function as specified from the malware page. TriggerInstall is a class of functions that enable everyday web pages to query, upgrade, and install Mozilla Extensions. Without diving too deeply into the nitty gritty of TriggerInstall, the install function takes two arguments, first being an array and second being the function to call after the install has completed. The array passed in contains the given name of the Extension and the URL at which the browser can download the XPI package, at minimal. Since the malware page can control what name that XPInstall displays for the package, it could be used against the user to give a false sense of security that the Extension is "safe to install".
Unfortunately, no one ever signs their XPI packages. This is saddening, as it is now the norm in the eyes of the user to see that the package is "unsigned" in big red letters. So that doesn't help anyone's security posture one bit.
You might be thinking, "All extensions ever installed appear in the 'Installed Extensions' window. I can just go back and uninstall the malware, right?" The answer is no. Extensions are not required to appear in the Extensions list. Some perfectly legitimate extensions that I have installed have virtually disappeared, leaving little evidence that it is still installed. Normally, extensions run under the Firefox process, so detection of what Extensions are actually running can be a chore for non-techies. If I were writing a malware XPI package, I would definitely take advantage of this fact.
With the explosion of popularity in Firefox, will Extensions become the next ActiveX of malware drive-bys? Maybe, but probably not. While the idea of having a single package to infect multiple operating systems is very appealing to malware distributors, most will stick to Windows systems as the primary targets because of the large share of the desktop market. TriggerInstall isn't new and has actually been around for quite a while but hasn't become a popular method used by web sites. I think most malware distributors will stick to an "ActiveX or Executable" delivery method for a little while longer.