Author: Jay Lyman
Webroot Vice President of Threat Research Richard Stiennon said he expects there will be spyware for Firefox this year, adding that while the browser was designed to be immune from the spyware infecting IE, Firefox will face a new breed of spyware tailored specifically for it.
“Basically, if you use Firefox today, you’re not susceptible to any spyware, other than what you download when you’re on Kazaa,” Stiennon said. “The spyware writers target mostly Explorer users because that’s the most fertile feeding ground for piranha-like (spyware) attacks. They’ll watch as Firefox becomes mainstream, they’ll see opportunity there and start targeting them.”
Spyware action and reaction
Stiennon said while spyware for Explorer has become widespread and relatively easy to create, it will be the more advanced spyware writers who turn their sites on Firefox.
“It’ll be the more sophisticated guys that’ll write Firefox spyware,” he said. “I predict that by the middle of the year, we’ll start to see it.”
Stiennon also said Firefox was created specifically, in part, to avoid the kind of spyware that has riddled Explorer along with worms and adware.
“Firefox was written for the existing world of Internet Explorer exploits, but it has its own vulnerabilities that will be exploited,” he said.
Stiennon said while a computer running Firefox will still not be as good of a machine to infect with spyware and it takes the malicious software some time to have an impact, the Mozilla browser will come under fire as it nears and surpasses 10 percent market share.
Nevertheless, Stiennon also indicated the creators, maintainers, and even users of Firefox will quickly and aggressively step up their anti-spyware efforts along with the increased threat.
“The people who use Firefox — their reaction to any spyware-type attacks will be pretty vehement,” he said. “There’ll be fast reaction from both Firefox developers and users.”
Not so fast for Firefox
Despite Stiennon’s prediction, other experts are not convinced that spyware will besiege Firefox as soon as this year. Computer Associates Director of Malicious Content Research Roger Thompson said although spyware for Firefox this year is possible, it is unlikely.
“It’s possible,” Thompson wrote in an email to NewsForge. “While user numbers would need to be pretty big to present a more attractive target than something known to be on about every desktop by default, I don’t believe the botherds (a bot gives the botherd complete control over a “zombied” machine) are actually
doing their own research. They are merely following the security lists closely, and quickly implementing those exploits, and vulnerability researchers probably do subject Firefox to scrutiny, and probably do find things, so it is possible.
“But unlikely,” Thompson continued. “The preponderance of Internet Explorer users is simply too good a target. And in any case, it’s just not necessary and only a small percentage of spyware plants via an exploit — most relies on social engineering to ‘talk’ people into installing it, or by allying itself with some ‘desirable’ service or product, such as the various P2P networkers.”
Thompson, however, said some typical spyware vectors may be open for Firefox, too. To infect and run on machines, for example, much of today’s spyware either talks directly via port 80, or inserts itself as a Layered Service Provider (LSP), “which will nail Firefox too,” Thompson said.
The expert also said with increased spyware competition, which he is seeing already, anything is possible. Thompson said while Firefox and other “non-IE” browsers avoid exploits, ActiveX control issues and browser helper object (BHO) issues, the alternatives are not necessarily immune to keyloggers, LSP injectors, remote administration tools, and adware that is “invited in.”
In terms of the Firefox spyware tipping point, Thompson said he believed 10 percent market share might be too low, but again emphasized that increased spyware competition will put other browsers to the spyware test.
Working on it now
For his part, Stu Sjouwerman — founder and COO of Counterspy maker Sunbelt Software — agreed that Firefox spyware is likely in 2005.
“I’m pretty sure you can expect one or two Firefox (spyware) exploits before the end of the year,” Sjouwerman said. “The more popular a platform gets, the more likely it is to come under attack. Firefox — which I use myself — I don’t think is going to be immune from that. If you go wide like this, you have to expect that your product will be exposed to a trial by fire.”
Sjouwerman reported that his company’s research on Firefox revealed some Explorer-like situations that may draw spyware.
“We looked into it and found that the security of Firefox had similar openings or vectors where spyware can be utilized to exploit or bypass protection,” he said.
Adding that the spyware exploits would have to be changed to target Firefox, Sjouwerman said once the alternative browser has around 15 percent of the browser market, it will be “commercially interesting” for spyware creators to target. In response to spyware for Firefox, Sjouwerman said developers and other backers of the alternative browser will fix the holes that allow it. Third-party companies, such as Sunbelt, will also provide protection against spyware for Firefox, he added. There is not yet a Firefox version of Sunbelt’s CounterSpy anti-spyware, but it is coming, the company has said.
Sjouwerman indicated spyware writers are likely already playing with other, non-IE browsers and the first spyware for Firefox — the most likely browser to “break through” with significant market share — is probably coming soon.
“I wouldn’t be surprised if a couple of Russian spyware writers were turning Firefox inside out,” he said. “In the next couple of months, we’ll see the first exploits.”