Last Updated: 2008-12-13 00:53:46 UTC
by Johannes Ullrich (Version: 2)
Thanks a lot to our reader David who took the time to analyze this in more detail. It appears to be a "harmless" plugin / maybe adware. But no passwords are stolen this time. Thanks!
A reader sent us a suspicious e-mail, which included a link to an .xpi file (a Firefox extension) as attachment. Looks like a very nice find! I am still looking at the extension. Just from a preliminary glance at it, the extension may try to steal the content of form fields.
The origin appears to be Russian. The link went to ht tp : //qs-s. nm. ru (again: inserted spaces to protect the innocent)
We have received money. Here your book. Read and grow rich!
ht tp:// qs-s. nm. ru - We have received money. Here your book. Read and grow rich!
(and thanks for the person posting the comment below to point out I forgot to break up the second instance of the URL :-) ).
Still working on figuring out exactly what this does, e.g. whether it is just adware or actually steals passwords. May have to wait until I get home and get to run it in the lab.
Johannes B. Ullrich, Ph.D.
SANS Technology Institute