Proactive IT security
 

Old dogs learn new tricks

Introduction

Fake antimalware software has become an increasing problem for end users and corporations. The creators of these rogue applications are able to earn easy money and are constantly searching for new ways to exploit their victims.

A new technique has recently been observed. This article looks at it in more detail and draws some general lessons about this type of software, and about malware in general.

Case study

One of the newer attempts to trick users into installing rogue antimalware software is to use the web browser as the trigger.

When a user visits a compromised web page (usually without the site owner's knowledge), a warning page appears. It is made to look like the warning page the browser itself shows whenever it encounters a web site or page that has been flagged as malicious.

The warnings look like this for the two most popular web browsers:

[Screenshot: the fake warning page as rendered in Firefox]

[Screenshot: the fake warning page as rendered in Internet Explorer]

The main difference from the browsers' genuine warning pages is an added option to "upgrade" to a supposedly reliable malware scanner.

Taking that option, however, downloads one of the usual fake antimalware scanners, from a family that should be familiar. In this particular case the culprit is Win7 AV. As usual, the fake product "finds" that the computer is infected (which need not have anything to do with reality) and urges the user to purchase the complete product.

Interestingly, the fake product's purchase page closely resembles Microsoft's page for Microsoft Security Essentials, another trick by the authors to make the scam easier to believe.

Generalization

Being aware of this particular piece of malware and how it spreads has value in itself. Incidentally, Norman's security software detects it as W32/MSIL/Zeven.A.

It would, however, be even more useful if we could learn something that applies more generally.

Some characteristics of this particular scheme are general in nature and therefore worth focusing on:

  • The initial bait abuses a security mechanism of the browser: the malware warning page, which most users trust.
  • The next step uses a standard trick: implying that there is a security issue on your computer when there is none.
  • Step three uses a web page made to look like a well-known security page (Microsoft's).

Whenever one encounters an issue like this, it is wise to stop, think, and, if relevant, proceed with caution.

Ask yourself some control questions:

  • Is this the way the browser vendors inform their users that security updates are available?

    Generalization: Beware of unusual behavior!

  • Would big software vendors (in this case Microsoft, Mozilla, Google) link to a third-party web site for product downloads or purchases?

    Generalization: Check the URL in your browser! Does it match the web site the link claimed to lead to?

  • Does anything seem strange? (Spelling mistakes or odd wording may imply that no professional software vendor is involved.)

    Generalization: Watch out for unprofessionalism!
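The second control question, "does the URL match the vendor the link claims to lead to?", can be made mechanical. The Python below is an added example written for this article, not code from Norman or from the malware family discussed; it only uses the standard library. The vendor allowlist, the short list of multi-label public suffixes and the sample links are all constructed for the example. It resolves the host a browser would actually connect to and compares its registered domain with the vendor's, which catches the usual tricks: the vendor name as a subdomain of an attacker's domain, the vendor name hidden in the userinfo part before an "@", a bare IP address, or the vendor name appearing only in the path.

```python
from urllib.parse import urlsplit
import ipaddress

# Registered domains the named vendors actually use for downloads/purchases.
# Assumed allowlist for this example; in practice take it from the vendor's
# own site, never from the page that offered the link.
VENDOR_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "mozilla": {"mozilla.org", "mozilla.com"},
    "google": {"google.com"},
}

# A few multi-label public suffixes so that "foo.co.uk" splits as intended.
# Deliberately incomplete; the real public suffix list has thousands of entries.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registered_domain(host):
    """Registrable part of a host name, e.g. 'a.b.example.com' -> 'example.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0]
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(url, vendor):
    """Return (trusted, reasons). trusted is True only if the URL lands on one of
    the vendor's own registered domains over HTTPS; reasons explains a mismatch."""
    reasons = []
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parts.scheme!r}")
    # "https://www.microsoft.com@evil.example/" puts the vendor name in the
    # userinfo part; the browser connects to evil.example.
    if parts.username is not None or parts.password is not None:
        reasons.append("userinfo before '@' disguises the real host")
    host = (parts.hostname or "").lower()
    if not host:
        reasons.append("no host in URL")
        return False, reasons
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address, not a vendor domain")
        return False, reasons
    except ValueError:
        pass  # not an IP literal, continue with the name checks

    expected = VENDOR_DOMAINS[vendor]
    rd = registered_domain(host)
    if rd in expected:
        if parts.scheme != "https":
            reasons.append("vendor domain reached over plain HTTP")
        return not reasons, reasons

    # Not a vendor domain: say why it might still have looked like one.
    names = {d.split(".")[0] for d in expected}
    path_and_query = (parts.path + "?" + parts.query).lower()
    for name in names:
        if name in host:
            reasons.append(f"vendor name {name!r} appears in host, but registered domain is {rd!r}")
            break
        if name in path_and_query:
            reasons.append(f"vendor name {name!r} appears only in the path/query, host is {rd!r}")
            break
    else:
        reasons.append(f"registered domain {rd!r} does not belong to {vendor}")
    return False, reasons


if __name__ == "__main__":
    # Constructed sample links: one genuine, the rest shaped like the scam above.
    samples = [
        ("https://www.microsoft.com/en-us/windows/microsoft-security-essentials", "microsoft"),
        ("http://www.microsoft.com.security-update.example/mse-upgrade.exe", "microsoft"),
        ("https://www.microsoft.com@203.0.113.5/mse.exe", "microsoft"),
        ("https://av-scanner.example/microsoft/security-essentials", "microsoft"),
    ]
    for url, vendor in samples:
        trusted, why = check_link(url, vendor)
        print("OK " if trusted else "BAD", url, "; ".join(why))
```

The registered-domain comparison is the part that matters: string matching on "microsoft" anywhere in the URL would pass every one of the bad samples. A full implementation would use the complete public suffix list and, if lookalike domains are a concern, also compare against confusable spellings of the vendor name.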