Several instances of the FormSpy trojan have been discovered in the wild today. Its installer was heuristically detected as New Malware.ag (now Downloader-AXM).
Upon successful execution, FormSpy hooks mouse and keyboard events in the Mozilla Firefox web browser. It can then forward information such as credit card numbers, passwords and URLs typed in the browser to a malicious website hosted at IP address 81.95.xx.xx.
Typically, Mozilla Firefox components are installed via .xpi files, where users are prompted to confirm the installation. FormSpy writes and modifies Mozilla configuration files directly, which bypasses this confirmation process.
When Mozilla Firefox became a popular alternative to Internet Explorer, it was only a matter of time before spyware and trojan authors started writing malicious code in the form of Mozilla Firefox components. Mozilla Firefox users should exercise caution when downloading and installing unsigned extension components from unreliable sources.
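Because a component registered this way never triggers the install prompt, one way to notice it is to baseline the profile's extension files and compare them later. The sketch below is an added example, not code from the original post or from Mozilla; the watched file names, the profile layout and the sample extension IDs are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: files that record extension/component registration in a profile.
# Names differ between Firefox versions; adjust the tuple for yours.
WATCHED = ("extensions.ini", "extensions.rdf", "compreg.dat", "prefs.js", "user.js")

def snapshot(profile):
    """Return {relative path: SHA-256} for WATCHED files and all of extensions/."""
    root = Path(profile)
    files = [root / n for n in WATCHED if (root / n).is_file()]
    if (root / "extensions").is_dir():
        files += [p for p in (root / "extensions").rglob("*") if p.is_file()]
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in files}

def diff(baseline, current):
    """Paths added, removed or modified since the baseline snapshot."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }

def extension_ids(snap):
    """Top-level entries under extensions/ (one per installed extension)."""
    return {k.split("/")[1] for k in snap if k.startswith("extensions/")}

def demo():
    """Constructed profile: baseline, then a registration written without the installer."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        ok = root / "extensions" / "approved@example.invalid"
        ok.mkdir(parents=True)
        (ok / "install.rdf").write_text("constructed manifest")
        (root / "extensions.ini").write_text("[ExtensionDirs]\nExtension0=approved\n")
        baseline = snapshot(root)
        # Simulated change made directly on disk, outside the browser's install prompt.
        new = root / "extensions" / "unexpected@example.invalid"
        new.mkdir()
        (new / "install.rdf").write_text("constructed manifest")
        (root / "extensions.ini").write_text(
            "[ExtensionDirs]\nExtension0=approved\nExtension1=unexpected\n")
        current = snapshot(root)
        return diff(baseline, current), sorted(extension_ids(current) - extension_ids(baseline))

if __name__ == "__main__":
    print(demo())
```

Take the baseline while the browser is closed and the profile is known to be clean; legitimate installs and updates also change these files, so each reported change needs to be matched against an installation the user actually approved.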
