BHO and XPCOM: Extensions Gone Wild

Symantec Security Response Weblog: BHO and XPCOM: Extensions Gone Wild

Mozilla's Firefox browser is quite popular and is often the answer when people ask for a safe browser alternative. Unfortunately, switching browsers does not mean you are no longer exposed to browser-based attacks.

Microsoft Internet Explorer is often hijacked by malware that drops browser helper objects (BHOs), which are then loaded every time the user starts Internet Explorer. A BHO can manipulate data before it is sent to the Internet and, for example, steal passwords or monitor browsing habits. On the Mozilla side, the Cross Platform Component Object Model (XPCOM) provides something similar: it is a framework for developers to create modules that access features of the Gecko engine. Firefox extensions, for example, are written against XPCOM and can therefore integrate seamlessly into the browser, with the same level of access that makes BHOs attractive to malware authors.

Of course, it should come as no surprise that this technique can also be used with malicious intent. The unwanted behaviour we have already seen implemented as BHOs is equally possible in a Firefox extension. In March 2006 we found the first in-the-wild case, JS.Ffsniff, a JavaScript that uses XPConnect. XPConnect is an interface that gives JavaScript transparent access to XPCOM objects. The threat ships as part of a browser extension; once installed, it registers itself as an event listener for all "form submit" events. When a user of an infected browser submits a Web form on any site, the listener parses the form and captures everything that is being submitted, including passwords, before the request leaves the browser. The JS.Ffsniff script then sends this information to a predefined email address using XPCOM objects.
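To make the mechanism concrete, here is an added example (not code from the Symantec post and not JS.Ffsniff itself) that models the form-submit hook described above entirely in memory, so it runs under Node.js 15 or later without a DOM. The `FakeForm` class, the `installFormSniffer` function and the sample login form are all constructed for illustration; the real extension runs inside Firefox through XPConnect and mails the data out via XPCOM, whereas here the exfiltration step is replaced by an in-memory capture array.

```javascript
// Added example: a minimal model of a form-submit sniffer of the kind the
// post attributes to JS.Ffsniff. Everything here is constructed; nothing is
// taken from the original extension. Requires Node.js 15+ for the global
// EventTarget and Event classes.

// Constructed stand-in for an HTMLFormElement: an EventTarget that carries a
// list of named controls. A real sniffer would walk document.forms[i].elements.
class FakeForm extends EventTarget {
  constructor(action, elements) {
    super();
    this.action = action;      // where the browser would POST the data
    this.elements = elements;  // [{ name, type, value }, ...]
  }

  // Dispatch a 'submit' event the way the browser does when the user clicks
  // the submit button. Returns false if a listener cancelled the submission.
  submit() {
    return this.dispatchEvent(new Event('submit', { cancelable: true }));
  }
}

// The sniffer. A 'submit' listener sees the raw field values before the
// browser serialises the request, so TLS on the wire protects nothing: the
// attacker is already on the user's side of the connection.
function installFormSniffer(form, sink) {
  form.addEventListener('submit', (event) => {
    const target = event.target;
    const stolen = {};
    for (const el of target.elements) {
      // Every named control is harvested, password fields included; the post
      // says JS.Ffsniff takes all submitted information. Buttons carry no
      // user data, so they are skipped.
      if (el.name && !['submit', 'button'].includes(el.type)) {
        stolen[el.name] = el.value;
      }
    }
    // The real threat hands this to an XPCOM mail component; here it goes
    // into an array so the example runs offline.
    sink.push({ action: target.action, fields: stolen });
    // The event is deliberately not cancelled: the form still submits
    // normally, so the user notices nothing.
  }, { capture: true });
}

// Constructed sample: a login form with a password field, submitted once.
function demo() {
  const captured = [];
  const login = new FakeForm('https://bank.example/login', [
    { name: 'user', type: 'text', value: 'alice' },
    { name: 'pass', type: 'password', value: 'hunter2' },
    { name: 'go', type: 'submit', value: 'Log in' },
  ]);
  installFormSniffer(login, captured);
  const submitted = login.submit();
  return { submitted, captured };
}
```

The point the example makes is that the listener runs with the same privileges and at the same point in the data flow as the page itself, so neither HTTPS nor a strong password helps once the extension is installed; the only effective controls are keeping untrusted extensions out of the profile and reviewing what an extension's JavaScript actually registers for.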