03/08/2011

Fake Ads Posing as AV Solutions Target Browsers

Blogger Dan Goodwin at The Register talks about how browser malware is growing.

For a while now, ads that pimp malware disguised as antivirus "fix-it" software have typically been customized to give the appearance of belonging to Microsoft's Internet Explorer and Windows operating systems.

Well...not so anymore.

With the popularity of Google's Chrome, Mozilla's Firefox, and Apple's Safari browsers, these fake antivirus pimps are working harder to target the browser that's actually in use by the victim.

Senior security researcher at Zscaler.com, Julien Sobrier, says it looks like a crafty, targeted, browser-specific malware campaign pushing the fake antivirus software.

Here's what the malware looks like in various web browsers:

Internet Explorer

Internet Explorer users get the typical Windows 7 Security Alert.


Mozilla Firefox

Interestingly, Firefox users will see Firefox elements (which also appear in the source code). Additionally, the page spoofs the security warning that Firefox normally shows when it detects the user attempting to navigate to a known malicious site.


Google Chrome

Google's Chrome users get a customized popup window -- complete with the Google Chrome logo and an unsuspicious-looking warning. The upside is that Chrome identifies the page that is making this false report.


If the user clicks "ok", a Chrome-looking window opens and shows a fake scan taking place.

Apple Safari

Finally, Safari also gets spoofed and shows the Safari logo in fake pop-up alerts, but ultimately it looks and feels like IE.


These ads are intended to lead surfers into believing they've been infected and that the system can and will be cleaned by the (fake) antivirus software being offered. Since the popup warnings are tailored to look as though they're being presented by the browsers themselves, there appears to be a higher chance of success for the malware hackers.

Sobrier writes:

"I've seen malicious pages tailored in the past, but they were mostly fake Flash updates or fake codec upgrades for Internet Explorer and Firefox.

"I've never seen targeted fake AV pages for so many different browsers."

According to Dan Goodwin, some sites that redirect to this scam are:

  • columbi.faircitynews.com
  • jmvcorp.com
  • www.troop391.org

If you're successfully redirected, the site tries to upload and run InstallInternetDefender_xxx.exe, where the xxx is a frequently changing number.
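The indicators above can be turned into a proxy-log check. The following is an added example, not code from the article or from Zscaler: only the three redirector hostnames and the installer name pattern come from this page, while the log format, client addresses, `.example` hosts and numeric suffixes are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Redirector hosts and installer name pattern as listed on this page.
REDIRECTORS = {"columbi.faircitynews.com", "jmvcorp.com", "www.troop391.org"}
# "xxx" is a frequently changing number, so accept any run of digits.
INSTALLER_RE = re.compile(r"InstallInternetDefender_\d+\.exe", re.IGNORECASE)

# Constructed proxy log lines (assumed format: time client method url status).
SAMPLE_LOG = """\
2011-03-08T10:00:01 10.0.0.5 GET http://jmvcorp.com/index.html 302
2011-03-08T10:00:03 10.0.0.5 GET http://landing.example/scan/InstallInternetDefender_722.exe 200
2011-03-08T10:01:10 10.0.0.9 GET http://WWW.TROOP391.ORG./calendar 302
2011-03-08T10:02:00 10.0.0.7 GET http://files.example/dl/installinternetdefender%5F1001.EXE?id=4 200
2011-03-08T10:03:00 10.0.0.8 GET http://example.org/InstallInternetDefender_notes.txt 200
malformed line
"""

def classify(url):
    """Return 'redirector', 'installer' or None for one requested URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")      # lower-cased; drop trailing FQDN dot
    name = unquote(parts.path).rsplit("/", 1)[-1]  # percent-decoded last path segment
    if INSTALLER_RE.fullmatch(name):
        return "installer"
    if host in REDIRECTORS:
        return "redirector"
    return None

def triage(log_text):
    """Map each client to 'redirected' or 'installer-fetched' (the worse case wins)."""
    findings = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                               # not in the assumed format
        _, client, _, url, status = fields
        kind = classify(url)
        if kind == "installer" and status == "200":
            findings[client] = "installer-fetched"
        elif kind == "redirector":
            findings.setdefault(client, "redirected")
    return findings

if __name__ == "__main__":
    for client, severity in triage(SAMPLE_LOG).items():
        print(client, severity)
```

Clients marked `installer-fetched` received the executable and warrant endpoint follow-up; clients marked `redirected` only touched a redirector host.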

At the time of Sobrier's piece, a VirusTotal scan showed this malware was detected by just 9.5 percent of the 42 AV programs tested, although that number is sure to increase quickly.

It's clear that fake antivirus scams are getting more sophisticated. The good news is that legitimate Internet security software is evolving, too.