A Firefox add-on has turned 12,500 users of the browser into a botnet which scours every page visited by infected users for vulnerabilities. The ‘Advanced Power’ add-on ensnared 12,500 PCs - and found 1,800 vulnerable websites for its unknown creators, according to security expert Brian Krebs.
SC Magazine says that the add-on also has other capabilities, including password hijacking, but these have not been used.
Based on Google Translate's language recognition, Krebs initially reported that text strings in the malware suggested it might be Czech in origin. Human inspection by a native Czech speaker in ESET's labs revealed that the technology was not perfect in this case: the strings look more like some dialect of Russian.
“The malicious add-on then tests nearly every page the infected user visits for the presence of several different SQL injection vulnerabilities,” according to Krebs.
SQL injection attacks are one of the most common methods used to attack websites, but they only work against sites that actually contain such a vulnerability, which is why attackers first have to find one.
“Attackers can use this access to booby-trap sites with drive-by malware attacks, or force sites to cough up information stored in their databases,” Krebs said.
Information Week reports that the malware has been in circulation since May 31 this year at least, and quotes “Kafeine” at the Malware Don't Need Coffee blog, who said that the malware was distributed at least in part by the Blackhole exploit kit.
Krebs' report notes that the attack gives hackers a way to ‘test’ a much larger sample of websites for vulnerabilities than they could by targeting sites at random: by piggybacking on legitimate site visits, it removes the “blind guesswork” hackers often have to perform to find vulnerable sites.
Mozilla has now blocked the add-on, saying, “It is a malicious extension that is distributed under the same name to trick users into installing it, and turns users into a botnet that conducts SQL injection attacks on visited websites.”
Browser add-ons and plugins have been used in several malware campaigns this year, as We Live Security has reported previously.