Comment on Citadel’s Man-in-the-Firefox: An Implementation Walk-Through by Dennis Schwarz

September 17, 2013 Dennis Schwarz

Update:

In Firefox 23 (released Aug 6, 2013), the PR_* functions from nspr4.dll have moved into nss3.dll. This effectively mitigates the Firefox MITB implementation for the Citadel malware, but the generic MITB implementation idea lives on.

Initial heads up: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1465&start=60#p20447

Verified via lack of nspr4.dll and nss3.dll’s exported functions.
