03/08/2011
Fake Ads Posing as AV Solutions Target Browsers
Co-Editor
Blogger Dan Goodin at The Register talks about how browser malware is growing.
For a while now, ads that pimp malware disguised as antivirus "fix-it" software have typically been customized to give the appearance of belonging to Microsoft's Internet Explorer and Windows operating systems.
Well...not so anymore.
With the popularity of Google's Chrome, Mozilla's Firefox, and Apple's Safari browsers, these fake antivirus pimps are working harder to target the browser that's actually in use by the victim.
Senior security researcher at Zscaler.com, Julien Sobrier, says it looks like a crafty, targeted, browser-specific malware campaign pushing the fake antivirus software.
Here's what the malware looks like in various web browsers:
Internet Explorer
Internet Explorer users get the typical Windows 7 Security Alert.
Mozilla Firefox
Interestingly, Firefox users will see Firefox elements (which also appear in the source code). Additionally, the page spoofs the security warning that Firefox normally shows when it detects the user attempting to navigate to a known malicious site.
Google Chrome
Google Chrome users get a customized popup window -- complete with the Google Chrome logo and a warning that does not look suspicious. On the positive side, Chrome identifies the page reporting this falsehood.
If the user clicks "ok", a Chrome-looking window opens and shows a fake scan taking place.
Apple Safari
Finally, Safari also gets spoofed and shows the Safari logo in fake pop-up alerts, but ultimately it looks and feels like IE.
These ads are intended to lead surfers into believing they've been infected and that the system can and will be cleaned by the (fake) antivirus software being offered. Since the popup warnings are tailored to look as though they're being presented by the browsers themselves, there appears to be a higher chance of success for the malware hackers.
Sobrier writes:
"I've seen malicious pages tailored in the past, but they were mostly fake Flash updates or fake codec upgrades for Internet Explorer and Firefox.
I've never seen targeted fake AV pages for so many different browsers."
According to Dan Goodin, some sites that redirect to this scam are:
- columbi.faircitynews.com
- jmvcorp.com
- www.troop391.org.
If you're successfully redirected, the site tries to upload and run InstallInternetDefender_xxx.exe, where the xxx is a frequently changing number.
At the time of Sobrier's piece, a VirusTotal scan showed this malware was detected by just 9.5 percent of the 42 AV programs tested, although that number is sure to increase quickly.
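Because the installer's number keeps changing and signature coverage was low, a proxy-log check that keys on the file-name pattern and the redirecting sites listed above is more durable than matching one exact name. The sketch below is an added example, not code from Zscaler, The Register or this blog; the three-field log format (client, URL, referer) and the example.test hosts are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Redirecting sites named in the post above.
REDIRECTORS = {"columbi.faircitynews.com", "jmvcorp.com", "www.troop391.org"}

# Installer name from the post; "xxx" is a frequently changing number,
# so accept any run of digits instead of one fixed file name.
INSTALLER_RE = re.compile(r"installinternetdefender_\d+\.exe", re.IGNORECASE)

def host_of(url):
    """Lower-cased host of a URL without port or trailing dot; '' if none."""
    return (urlsplit(url).hostname or "").rstrip(".")

def classify(line):
    """Return the set of findings for one 'client url referer' log line."""
    _client, url, referer = line.split()
    findings = set()
    # Percent-decode the last path segment so %5F and similar cannot hide the name.
    filename = unquote(urlsplit(url).path).rsplit("/", 1)[-1]
    if INSTALLER_RE.fullmatch(filename):
        findings.add("installer_download")
    if host_of(url) in REDIRECTORS or host_of(referer) in REDIRECTORS:
        findings.add("redirector_contact")
    return findings

def scan(lines):
    """Map client -> union of findings, for clients with at least one hit."""
    hits = {}
    for line in lines:
        found = classify(line)
        if found:
            hits.setdefault(line.split()[0], set()).update(found)
    return hits

# Constructed sample proxy log lines: client, requested URL, referer ("-" if none).
SAMPLE_LOG = [
    "10.0.0.5 http://www.troop391.org/ -",
    "10.0.0.5 http://scan.example.test/dl/InstallInternetDefender_722.exe http://www.troop391.org/",
    "10.0.0.8 http://cdn.example.test/get/installinternetdefender%5F031.EXE -",
    "10.0.0.9 http://example.test/InstallInternetDefender_notes.txt -",
    "10.0.0.9 http://example.test/setup.exe http://news.example.test/",
]

if __name__ == "__main__":
    for client, found in sorted(scan(SAMPLE_LOG).items()):
        print(client, sorted(found))
```

A client that shows both findings visited a redirecting site and then fetched the installer, which makes it the first machine to check.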
It's clear that fake antivirus scams are getting more sophisticated. The good news is that legitimate Internet security software is evolving, too.