Most researchers recommend that users tell Firefox not to remember their passwords, since saved ones are so easily extracted by malware.

The Trojan-PWS-Nslog malware discovered by , however, gets around user preferences altogether by actually deactivating the Firefox code that asks if it should save those passwords when the user logs into a secure site.

"Before the infection, a default installation of Firefox 3.6.10 would prompt the user after the user clicks the Log In button on a Web page, asking whether he or she wants to save the password," Webroot researcher Andrew Brandt explained in a on Wednesday. "After the infection, the browser simply saves all login credentials locally, and doesn't prompt the user."

Specifically, the Trojan adds a few lines of code and "comments out" other portions of code from the Firefox file called nsLoginManagerPrompter.js, with the result that all passwords get saved locally without any input from the user.

Clues Left Behind