Malicious browser extensions have been a big issue in the past couple of years. One should not confuse outright malicious extensions with adware or toolbars even though they are related to some extend.
The core difference between those groups of extensions is that malicious extensions go beyond displaying ads, leaking information about a user's browsing behavior or being plain annoying.
Browser makers such as Google or Mozilla have invested time and money in methods to protect users from potentially unwanted extensions.
Google for instance created a new policy for Chrome recently that prevents the installation of extensions in the browser if those extensions are not listed in the Chrome Web Store.
While only valid for Chrome Stable and Beta versions on Windows, it supposedly protects users running those versions of the browser from falling prey to malware attacks.
There are manual ways around this protection so that Stable and Beta users can install extensions not available on the official Chrome Web Store.
The real problem is however that malware attacks can still attack the Chrome browser and add extensions to the browser even though that should not be possible anymore due to the protection feature.
Trend Micro discovered a new malware attack recently that targeted Chrome users. The attack started on Twitter were a user tweeted "Download this Video. Facebook Secrets . Link".
The link led to a specifically prepared page that downloaded an exe file to the user's computer automatically. When executed, it started to download additional files to the system and among the things it downloaded was a browser extension for Chrome.
The malware creates a new folder in Chrome's directory on the system and places browser components inside of it. Chrome parses the information automatically and adds it to the browser.
The interesting aspect here is that the extension gets added automatically to Chrome. There does not seem to be a prompt to inform the user about the new extension and it is not blocked automatically by the browser as well.
The attack has been designed to work on Windows machines only but the extension installation itself could work on non-Windows systems as well.
The only protection against this type of attack is to avoid the urge to click on links from unknown sources that promise something (interesting).
The click on the link is not the only step required in the attack though as the exe file itself won't do anything on its own. It is still necessary for the user to click on it and that antivirus solutions that run on the system don't block it from executing.