Beware of False Browser Updates

Friday, November 30, 2012 @ 11:11 AM gHale


It is an old trick that still works: malware pushers are using the “Your browser is out of date, download the update here” approach to saddle inexperienced users with their malicious wares.

This latest twist starts with malicious ads that lead to pages which detect the visitor’s browser and serve a fake notification that it needs updating:


The landing page was initially on securebrowserupdate.com, but is not there anymore.

The page reads: “At securebrowserupdate.com there’s an update for every browser. If the script can’t make up which browser you’re running, Mozilla 5.1, GoogleBot 2.1 or unknown unknown.1 Service Packs are offered for download,” they share.

These served pages have the look and the feel of the legitimate browsers’ sites. French, U.S. and Spanish users are among the most targeted, Trend Micro researchers said.

“Instead of an update, users download a malware detected as JS_DLOADR.AET, capable of changing the downloaded binary to have a different payload,” Trend Micro researchers said.

“The malicious JavaScript, in turn, downloads TROJ_STARTPA.AET and saves it as {Browser Download Path}\install.exe. Based on our initial analysis, the Trojan modifies the user’s Internet Explorer home page to http://{BLOCKED}rtpage.com, a site that may host other malicious files that can further infect a user’s system.”
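As an added illustration (not code from the article, Trend Micro or StopMalvertising), the Python below shows one way a defender can flag this pattern in web-proxy logs: an executable download from a host that is not a known vendor update server, reached through a domain or referring page carrying an “update” lure in its name. The log lines, the vendor allowlist and the update.php path are constructed for the example; only install.exe and securebrowserupdate.com come from the article.

```python
import re
from urllib.parse import urlparse

# Hosts that legitimately serve browser installers (constructed allowlist; tune per environment).
VENDOR_UPDATE_HOSTS = {"download.mozilla.org", "dl.google.com", "download.microsoft.com"}

# Words that typically appear in fake-update lure domains and pages.
LURE_WORDS = re.compile(r"update|upgrade|browser", re.I)
EXEC_TYPES = {"application/octet-stream", "application/x-msdownload"}

# Constructed proxy log: timestamp client method url content-type referer ("-" if none).
SAMPLE_LOG = """\
2012-11-30T10:01:02 10.0.0.5 GET http://news.example/article.html text/html -
2012-11-30T10:01:03 10.0.0.5 GET http://ads.example/banner.js application/javascript http://news.example/article.html
2012-11-30T10:01:05 10.0.0.5 GET http://securebrowserupdate.com/update.php text/html http://ads.example/banner.js
2012-11-30T10:01:09 10.0.0.5 GET http://securebrowserupdate.com/install.exe application/octet-stream http://securebrowserupdate.com/update.php
2012-11-30T10:05:00 10.0.0.7 GET http://download.mozilla.org/firefox-setup.exe application/octet-stream http://www.mozilla.org/firefox/
2012-11-30T10:07:00 10.0.0.9 GET http://files.example/tool.exe application/octet-stream http://files.example/downloads.html
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Split one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, method, url, ctype, referer = m.groups()
    return {"ts": ts, "client": client, "url": url, "ctype": ctype, "referer": referer}


def suspicious_update_downloads(log_text):
    """Return (client, url, referer) for executable downloads that look like fake-update lures."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        u = urlparse(rec["url"])
        is_exe = rec["ctype"] in EXEC_TYPES or u.path.lower().endswith(".exe")
        if not is_exe or u.hostname in VENDOR_UPDATE_HOSTS:
            continue  # not a binary, or fetched from a trusted vendor host
        ref = urlparse(rec["referer"])
        # Lure wording on the download host, the referring host or the referring path.
        if LURE_WORDS.search(u.hostname or "") or LURE_WORDS.search(ref.hostname or "") or LURE_WORDS.search(ref.path):
            hits.append((rec["client"], rec["url"], rec["referer"]))
    return hits
```

The vendor-hosted installer and the unrelated tool.exe are left alone; only the install.exe fetched via the securebrowserupdate.com landing page is reported.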

StopMalvertising detected another JavaScript on the site, which apparently pops up requests and notifications such as:
• Sent to your number sms with a secret code. Enter your confirmation code activation.
• An error occurred while processing the request server.
• Software successfully activated.

Users could end up sending an SMS to a premium-rate service in order to activate the bogus updates.
