Browser Update Really a Worm

Tuesday, September 27, 2011 @ 03:09 PM gHale


A worm can now take over the DHCP and DNS servers, redirecting requests to locations that contain more malware.

Identified as Worm.Rorpian.E, it immediately seizes the DNS and DHCP servers. Because these are some of the most important services that control Internet connections, the virus can make sure every request is redirected to a single place, no matter what URL is in the address bar.

The malicious destination looks like an error page that alerts “Your browser is no longer supported. Please upgrade to a modern software,” according to a Malware City blog post.

It would be easy to believe this message and click on the “Browser update” button at the bottom of the screen because every single request takes you to the same site.

If the user clicks the update button, the system becomes infected even further and acts as a DHCP server for the entire network of computers. To make everything more credible, the worm downloads a file called upbrowsers[date].exe, where the date is a variable that always matches the current date.

Once executed, the infection spreads even further, installing a TDSS rootkit that does even more damage to your device and your network.

Worm.Rorpian.E makes good use of some critical vulnerabilities and shared elements to spread.
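
The redirect described above, where every URL lands on the same page, shows up in resolver logs as one client whose unrelated lookups all return a single address. The check below is an added example, not code from this article or the Malware City post; the log format, the thresholds and all addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample resolver log: "<client_ip> <queried_name> <answer_ip>".
# Addresses are documentation ranges; none of them come from the article.
SAMPLE_LOG = """\
192.0.2.10 www.example.com 198.51.100.7
192.0.2.10 mail.example.org 198.51.100.7
192.0.2.10 news.example.net 198.51.100.7
192.0.2.10 shop.example.com 198.51.100.7
192.0.2.10 www.example.com 198.51.100.7
192.0.2.20 www.example.com 203.0.113.5
192.0.2.20 mail.example.org 203.0.113.9
192.0.2.20 news.example.net 203.0.113.14
192.0.2.20 shop.example.com 203.0.113.20
192.0.2.30 www.example.com 198.51.100.7
malformed line
"""

def parse(log_text):
    """Yield (client, name, answer) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            client, name, answer = parts
            yield client, name.lower().rstrip("."), answer

def collapsed_clients(log_text, min_names=4, min_share=0.9):
    """Return {client: answer_ip} for clients whose distinct names
    (at least min_names of them) nearly all resolve to one address."""
    names_by_answer = defaultdict(lambda: defaultdict(set))
    for client, name, answer in parse(log_text):
        names_by_answer[client][answer].add(name)
    flagged = {}
    for client, by_answer in names_by_answer.items():
        all_names = set().union(*by_answer.values())
        if len(all_names) < min_names:
            continue  # too little evidence to judge this client
        answer, names = max(by_answer.items(), key=lambda kv: len(kv[1]))
        if len(names) / len(all_names) >= min_share:
            flagged[client] = answer
    return flagged

if __name__ == "__main__":
    for client, answer in collapsed_clients(SAMPLE_LOG).items():
        print(f"{client}: lookups for unrelated names all answered with {answer}")
```

Captive portals and DNS filtering products produce the same pattern, so a hit is a prompt to check which DHCP server gave that client its DNS settings.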


