New Malware Imitates Browser Warning Pages

← Back to Stories (view on slashdot.org)

New Malware Imitates Browser Warning Pages

Posted by Soulskill on Friday September 3, 2010 @04:53AM from the good-thing-nobody-ever-mindlessly-clicks-through-those dept.

Jake writes with this excerpt from Ars: "Microsoft is warning about a new piece of malware, Rogue:MSIL/Zeven, that auto-detects a user's browser and then imitates the relevant malware warning pages from Internet Explorer, Firefox, or Chrome. The fake warning pages are very similar to the real thing; you have to look closely to realize they aren't the real thing. The ploy is a basic social engineering scheme, but in this case the malware authors are relying on the user's trust in their browser, a tactic that hasn't been seen before. Beyond the warning pages, the actual malware looks like the real deal: it allows you to scan files, tells you when you're behind on your updates, and enables you to change your security and privacy settings. Performing a scan results in the product finding malicious files, but of course it cannot delete them unless you update, which requires paying for the full version. Attempting to buy the product will open an HTML window that provides a useless 'Safe Browsing Mode' with high-strength encryption. To top it all off, the rogue antivirus webpage looks awfully similar to the Microsoft Security Essentials webpage; even the awards received by MSE and a link to the Microsoft Malware Protection Center have been copied."

110 of 143 comments (clear)

Min score:

Reason:

Sort:

Not new... by Darkness404 · 2010-09-03 04:55 · Score: 2, Informative

Imitating warning pages or other elements of the UI is not a new tactic. Back in the 90s and 2000s there were lots of "You are the 223423424th person to view this page" banners that were deliberately trying to imitate Windows 9X or XP.

--
Taxation is legalized theft, no more, no less.
1. Re:Not new... by jornak · 2010-09-03 05:01 · Score: 1
  
  This is also old news in regards to the actual topic. Malware has been imitating error pages and injecting code into pages (like "Google detects you're infected, use software to fix!" on Google") for the longest time..
2. Re:Not new... by _133MHz · 2010-09-03 05:54 · Score: 2, Interesting
  
  Another way to make these really obvious is to use your operating system with any language other than English. Malware writers don't bother with localization, so their fake error messages always display in English regardless of your actual OS language. Even the USB autorun viruses are dead easy to spot, you know something's fishy when there's a lonely English menu option in the Autorun dialog, usually "Open folder to view files" while the rest aren't.
  
  Amazingly, most people still click on the damned things.
3. Re:Not new... by Anonymous Coward · 2010-09-03 06:03 · Score: 4, Funny
  
  How could you even think of browsing the internet without Internet Explorer 8 on Microsoft Windows 7? Do you realize that using knock-off "operating systems" and programs like Foxfire and Chrum and Oprah is intellectual property theft? Why do you think you fools are getting viruses? It's not cool. You're not slick and getting one over on "the man". It's fucking bullshit. Microsoft Internet Explorer 8 was designed and engineered to exacting standards to mesh flawlessly with the intricate security in Microsoft Windows 7. Your knock-off crap is not. Why do you freetards insist on removing your noses to spite your faces? Do you just tire of smelling your own bullshit? Microsoft Windows 7 and Microsoft Internet Explorer 8 are superior to this freetard shit in every possible way. Microsoft have invested billions of dollars in blood sweat and tears to deliver an exceptionally secure system and you people just take it for granted. What would you do if Microsoft were driven out of business because you thought you could steal from them and use Lumix and frebsd? You people disgust me with your Lunix and Crabble puke. Do you think you're special? Guess what... You're not! You can't think you can honestly get away with continually stealing the fruits of the billions of dollars Microsoft Research has invested in producing the intellectual property that you dorks so cavalierly pilfer to inject into your Gnom and KED and Quark shit. You all disgust me. You people need to look into the mirror and reevaluate your lives.
4. Re:Not new... by hairyfeet · 2010-09-03 06:12 · Score: 1
  
  Yep, looks to be just another spin on the Security Tool malware that has been going around for a couple of years now. I remove that crap at least twice a week at my shop. I've seen versions of it that looked like AdAware, like AVG, and like Norton. Of course the easiest to spot was the fake Norton, since it didn't slow the machine to a crawl and they actually wanted less money than Symantec charges, LOL!
  Seriously though ever since SP3 the OS has been less and less of an attack vector. More and more I'm seeing either social engineering or third party like Reader or Flash based attacks. Basically this just proves something I've thought for a long time, that even if you harden the OS ultimately it comes down to the user, and as you can see from TFA these malware guys are getting better every day when it comes to mimicry. As we saw with the Linux backdoor introduced via KDE themes or the hacked ID game editor, no OS is safe if a malware writer truly wants to target it, at least not as long as the user has the right to alter and install.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
5. Re:Not new... by paiute · 2010-09-03 06:12 · Score: 3, Funny
  
  How could you even think of browsing the internet without Internet Explorer 8 on Microsoft Windows 7?
  2/10: for using it's and your correctly.
  
  --
  If Slashdot were chemistry it would look like this:Cadaverine
6. Re:Not new... by camperslo · 2010-09-03 06:23 · Score: 2, Insightful
  
  Imitating warning pages or other elements of the UI is not a new tactic.
  Perhaps browsers could be developed to use some feature that 3rd party pages couldn't easily duplicate? It might not be practical to use colors/effects etc not supported by standard browser features, but maybe a browser could be designed to display some preset USER SPECIFIC DATA or graphic that javascript and other net-driven browser code does NOT have access to?
7. Re:Not new... by History's+Coming+To · 2010-09-03 06:35 · Score: 2, Insightful
  
  I need to look in a mirror and re-evaluate my life....
  
  Actually, it's a very, very good troll that brings up some interesting points, so I'll bite.
  
  The thrust of your argument is that older and/or non-company vended net software is dangerous when it comes to picking up viruses. There's an element of truth in that, a regularly patched system, be it *nix based or Windows is generally a good idea. This is, however, a different thing to having every possible update just for the sake of it. If I installed Windows and iTunes on my system simply because I *might* want to use them, or because everybody else has it, or because I saw an advert, then I'm opening myself up to new potential avenues of attack. Let's presume I only want to read the text on the internet....no pictures, no video, no Silverlight or whatever the latest thing is....I'd use a very bare-bones system, say Lynx running without a GUI, PDF support etc.
  
  If there's nothing running scripts at a system level, for example no JS, Flash, Java plugins and the like, then that's multiple attack routes taken care of. Sure, the modern internet is very snazzy and all, but being able to "install and run our video codec" is asking for trouble if you just want to look at naughty ladies. Less is often more.
  
  --
  Please consider this account deleted, I just can't be bothered with the spam anymore.
8. Re:Not new... by armanox · 2010-09-03 06:56 · Score: 1
  
  Let me ask you this Mr. Coward - can you show me what the free world has stolen from Microsoft?
  
  --
  I'm starting to think GNU is the problem with "GNU/Linux" these days.
9. Re:Not new... by Runaway1956 · 2010-09-03 07:04 · Score: 1
  
  I looked into the mirror. "How are you today, Mirrorimage?" "Oh, fine, except I get tired of hearing the Microsoft shills calling me thief, and worse." "Oh, don't worry about the shills. Do you realize what crummy lives they lead? Think about it." "Oh, wow - sucks to be so pathetic that you have to praise the unpraiseworthy. Suck even more to praise those unpraiseworthies who will never even notice or appreciate your pathetic noises." "Yep, you got it. I would rather BE a thief, than to be a shill. Not that I'm considering a life of crime or anything, but if I had to choose, I'd rather be a thief!"
  
  --
  "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
10. Re:Not new... by mlts · 2010-09-03 07:07 · Score: 1
  
  What I see as an attack vector are third party add-ons. You can have a secure browser, but if an add-on gets compromised, it is all for naught.
  What it really will take is hooks to OS level protection for the Web browser. Microsoft got something right with the low security mode of IE7/IE8 in Vista/W7, but it would be good to be able to isolate add-ons completely from each other on the OS basis so they don't even share the same memory space as the browser, and absolutely no filesystem space, unless the user wants to save cache or objects (saved games or whatnot.) Essentially, the only thing most add-ons need is to be fed code from the Web page, and given space to render their interactive output.
11. Re:Not new... by treeves · 2010-09-03 07:50 · Score: 1
  
  Didn't say it was a new technique or tactic, just a new piece of malware.
  Would you prefer they don't say it was new in the headline (makes it rather awkward: "Malware imitates warning pages"), don't report it at all, or what?
  
  --
  ...the future crusty old bastards are already drinking the Kool-Aid.
12. Re:Not new... by Xtifr · 2010-09-03 08:31 · Score: 1
  
  removing your noses to spite your faces
  I think that's supposed to be "removing your noses despite your faces". (Although I personally prefer "to spit in your faces".) :)
13. Re:Not new... by armanox · 2010-09-03 09:03 · Score: 1
  
  The article you site states an estimated development cost for the kernel. I requested evidence of something being stolen (usually refers to physical or intellectual property).
  
  --
  I'm starting to think GNU is the problem with "GNU/Linux" these days.
14. Re:Not new... by arth1 · 2010-09-03 16:47 · Score: 1
  
  Sure, the modern internet is very snazzy and all, but being able to "install and run our video codec" is asking for trouble if you just want to look at naughty ladies.
  Ah, but many aren't satisfied with that -- they want the ladies to move too, which requires a codec.
  
  Less is often more.
  But far from always. Less clothes (to continue using the naughty ladies example) isn't more in -40 degree weather, trust me. No more than needed for the purpose is a better rule of thumb. If your need is to play HDMI video from ajax sites, paring the machine down to lynx and xv just won't do.
15. Re:Not new... by fractoid · 2010-09-03 19:47 · Score: 1
  
  The thrust of your argument is that older and/or non-company vended net software is dangerous when it comes to picking up viruses.
  
  It is? I thought it was that Linux (and free software in general) was claimed to be a rip-off of commercial software developments' IP. Which, while definitely not true in the broadest sense, you could make a case for. A lot of free software intentionally duplicates functionality found in popular commercial software as a way to get around paying for said commercial software. The problem is that the initial design of software is far harder to get right than the implementation, and I can easily see how a commercial software company would feel ripped off if they spent hundreds of thousands of dollars on research into market research, interface design, focus testing, etc. and then some hobbyist downloaded the demo of results of their research and copied the design.
  
  --
  Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
16. Re:Not new... by AmiMoJo · 2010-09-04 00:28 · Score: 1
  
  My bank has a user-selected image when logging in, just to prove that it is the real site. Unfortunately you can only select from a limited number of images (can't upload your own) but it does let you set two secret words that are displayed along with it.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
17. Re:Not new... by mcneely.mike · 2010-09-04 09:02 · Score: 1
  
  Sarcasm..... arr arr!
  Yes, i am a Lumix User, using Gnom.
  arr arr!
  
  --
  soylentnews.org Go there to enjoy the people!
18. Re:Not new... by Xtifr · 2010-09-07 06:43 · Score: 1
  
  Yes, and it's also "cutting off", not "removing". Sorry, I guess my attempt at humor fell a bit flat there.
Themes by characterZer0 · 2010-09-03 04:57 · Score: 5, Insightful

All the more reason to theme your window manager - it makes this stuff obvious.

--
Go green: turn off your refrigerator.
1. Re:Themes by clang_jangle · 2010-09-03 05:03 · Score: 1
  
  It's actually kind of hilarious sometimes to see windows-style fake error messages when browsing in Opera on FreeBSD.
  
  --
  Caveat Utilitor
2. Re:Themes by Smivs · 2010-09-03 05:05 · Score: 1
  
  It's actually kind of hilarious sometimes to see windows-style fake error messages when browsing in Opera on FreeBSD.
  Yeah, love 'em. Opera/Ubuntu
  
  --
  Smivs on the intertubes!
3. Re:Themes by qoncept · 2010-09-03 05:16 · Score: 5, Funny
  
  So now we're up to, what, 1 legitimate reasons?
  
  --
  Whale
4. Re:Themes by cheekyjohnson · 2010-09-03 05:32 · Score: 1
  
  Actually, even that isn't required. People just need to stop running random executable files that they find on the internet. Seriously, I don't even have anti-virus software and I don't even get viruses because I avoid stupid shit that's obviously a virus. Also, using IE doesn't help, either.
  
  --
  Filthy, filthy copyrapists!
5. Re:Themes by daedae · 2010-09-03 05:35 · Score: 1
  
  I saw one that replaced your HOSTS file to prevent you from going to symantec, kapersky, etc., and show a host not found error instead. Sadly, it wasn't clever enough to check your browser first, so it displayed the IE error page in Firefox.
6. Re:Themes by anorlunda · 2010-09-03 05:53 · Score: 1
  
  Uh thank you very much.
  Practical and immediately useful advice from a Slashdot comment. What will they think of next?
7. Re:Themes by maxwell+demon · 2010-09-03 05:57 · Score: 1
  
  Of course not. BTW, for your security, you should install KnowScript. You surely have heard about it. Get it at www.evilmalware.com :-)
  
  --
  The Tao of math: The numbers you can count are not the real numbers.
8. Re:Themes by Rick17JJ · 2010-09-03 06:02 · Score: 1
  
  I once encountered a fake "Microsoft Warning" message on my Linux computer. That was probably about 5 years ago. The "Microsoft Warning" said that spyware had been detected on my computer. The pop-up recommended purchasing a specific anti-virus product to fix the problem. Seeing the Microsoft pop-up was funny, since I did not have any Microsoft products at all installed on my computer.
  
  On two occasions since then, I have also been diverted to websites that claimed to have detected spyware and viruses on my computer. In both of those instances, I was browsing the Internet while using Firefox and Linux.
  
  After having supposedly detected viruses and spyware on my computer they offered to scan my hard drive. When I tried to say "No" or close the tab or close the pop-up or whatever, the advertisement reappeared and pretended to begin scanning my drive "C." A progress bar showed the progress. After finishing, it listed the viruses and spyware which had supposedly been found in my registry and on drive "C." However, Linux does not designate hard drives or partitions by drive letters and Linux also does not have a registry.
  
  My understanding is also that there has not yet been any problem with Linux viruses circulating in the wild. But, just to be safe, I looked up those virus names on the Internet, and found that they were listed as only affecting certain specific versions of Windows.
  
  In once instance, after again declining to purchase their virus scanner, a box popped up asking me what program to use to open the Windows executable file that the website was attempting to download to my computer. It also gave me the option of saving the file to wherever I wanted on my hard drive, or canceling the download.
9. Re:Themes by natehoy · 2010-09-03 06:18 · Score: 1
  
  My understanding is also that there has not yet been any problem with Linux viruses circulating in the wild.
  Not as much, but that doesn't make it impossible. Most Linux distro managers maintain ClamAV in their repositories. You might want to consider installing it.
  
  --
  "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
10. Re:Themes by drumstik · 2010-09-03 06:21 · Score: 1
  
  That's actually not near enough these days - you're far behind the times ;) These days all you have to do is see an infected add that slipped through, open a malicious PDF, put in an infected flash drive, etc. It's really sad to see Slashdot users - people who are supposed to be the cream of the nerd crop - spouting this decade old stuff as if Conficker never existed. If you run Windows and do not run an antivirus solution, you are bad at computer security, full stop.
11. Re:Themes by Yvan256 · 2010-09-03 06:21 · Score: 1
  
  I get asked every month or so to help someone fix their bloated windows zombie machine. I always suggest switching, but nobody has tried it yet.
  Keep suggesting switching, help people switch if necessary. But for crying out loud, stop doing free technical support for Microsoft.
12. Re:Themes by marcosdumay · 2010-09-03 06:25 · Score: 1
  
  WTF is that, privilege unescalling? If you can already replace the HOSTS file, why would you change a page to get the user clicking on something?
  
  --
  Rethinking email
13. Re:Themes by cheekyjohnson · 2010-09-03 06:33 · Score: 1
  
  "you are bad at computer security, full stop."
  Odd because I've *never* gotten a virus, and I don't use shitty browsers such as IE. The solution really *is* to not be an idiot, and you will avoid 99% of malware. Exploits are possible, yes, but they happen rarely, and certainly never happen to me. Seriously, the only reason that poorly made malware gets so many people is because 99% of the people who own computers barely know how to work a television remote.
  
  --
  Filthy, filthy copyrapists!
14. Re:Themes by kevinmenzel · 2010-09-03 06:48 · Score: 1
  
  Because you couldn't do the same thing on Windows?
15. Re:Themes by cheekyjohnson · 2010-09-03 06:49 · Score: 1
  
  "then you are as at fault as anyone"
  At fault of what? That would be true if I had ever gotten a virus, but I haven't. In fact, no one I know that has any decent knowledge of computers has got a virus. Not because of some anti-virus software, but because they aren't complete idiots.
  
  --
  Filthy, filthy copyrapists!
16. Re:Themes by drumstik · 2010-09-03 06:52 · Score: 1
  
  I hope you're right, and you're lucky. Because if you're wrong, you likely wouldn't know it. You'd just spew out whatever infection vector the virus uses (and perhaps have some banking passwords stolen, as well).
17. Re:Themes by cheekyjohnson · 2010-09-03 06:59 · Score: 1
  
  Well, I do have anti-virus software, it's just not the kind that constantly looks out for viruses. I do scans every once in a while to get rid of spyware and such, but never really find any bad malware. I was mainly talking about the lack of need for that kind of anti-virus software.
  
  --
  Filthy, filthy copyrapists!
18. Re:Themes by Nadaka · 2010-09-03 07:26 · Score: 1
  
  There are have been a few over the years, just like for macs. Contrast that with 10s of thousands for windows.
19. Re:Themes by jpapon · 2010-09-03 07:32 · Score: 1
  
  The solution really *is* to not be an idiot, and you will avoid 99% of malware.
  
  Ah, but you see, I want to avoid all of it.
  
  --
  -- Let us endeavor so to live that when we pass even the undertaker shall be sorry. -- M. Twain
20. Re:Themes by cheekyjohnson · 2010-09-03 07:38 · Score: 1
  
  That's likely impossible, anyway. Even with anti-virus software. Even with Linux, as there is always a chance that someone will find something to exploit.
  
  --
  Filthy, filthy copyrapists!
21. Re:Themes by bheer · 2010-09-03 08:34 · Score: 3, Interesting
  
  I don't understand; how does theming your window manager help against this? I'm assuming the malware bit is *inside* the Google Chrome window, so even if you themed your windows with say a Pikachu theme, the *insides* of the Chrome window would still contain the rogue site, imitating Chrome's red and white-colored malware block UI.
  The only way out of this is if crucial error pages are protected with some sort of "sign-in seal", like Yahoo uses for its login screens.
  
  --
  Go somewhere random
22. Re:Themes by UnknowingFool · 2010-09-03 08:41 · Score: 1
  
  Not even that, just changing the color from the standard theme color is often enough. I don't know how many times I've seen Fisher Price blue "virus" warnings come up when my Windows theme color was silver.
  
  --
  Well, there's spam egg sausage and spam, that's not got much spam in it.
23. Re:Themes by Ichijo · 2010-09-03 09:13 · Score: 1
  
  All the more reason to theme your window manager - it makes this stuff obvious.
  Unless, of course, the malware reads your theme configuration file.
  
  --
  Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
24. Re:Themes by pandaman9000 · 2010-09-03 09:34 · Score: 1
  
  You've gotten no virus that you are AWARE of. Smart malware backdoors your PC and keylogs, or uses IRC or similar communication to escalate itself on command. You aren't likely to see that new service running within svchost. I never ran antivirus, until I realized that we are in an age where a decent AV has zero real impact on performance. Even a Windows box, if it is 64 bit, with a modest quad core and 4 or more gigs of RAM, will not feel most antivirus at all. Before you go ape over a modest desktop using 4 cores, realize that AMD has several retail quads between 120 and 200 bucks. I have actually not seen impact on 2.8 Ghz dual core Athlon X2s, as long as there was sufficient memory. The X2s are running sub-$100 right now.
25. Re:Themes by bill_mcgonigle · 2010-09-03 09:35 · Score: 1
  
  I don't understand; how does theming your window manager help against this?
  Theming probably doesn't, but assuming Google checks its dialogs for proper grammar probably does.
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
26. Re:Themes by couchslug · 2010-09-03 10:02 · Score: 1
  
  "I don't understand; how does theming your window manager help against this? "
  It doesn't.
  If Windows users cared about avoiding these things, they'd browse using a virtual browser appliance, or browse using a second OS in a VM.
  Portable VirtualBox allows fun things like .rar'ing a backup copy of a complete VM plus the software to run it, so if your VM is compromised you can simply delete it and extract a fresh copy.
  http://www.dedoimedo.com/computers/portable-virtualbox.html
  
  --
  "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
27. Re:Themes by cheekyjohnson · 2010-09-03 13:25 · Score: 1
  
  No, I really have no viruses. As I said in another post, I merely meant that I don't have an anti-virus software that is constantly running. However, I do scan my computer every now and again and never get any real viruses. Are you denying that if you're not a complete fucking idiot you can avoid 99% of malware? From what I've witnessed, most people are too easily fooled and download and run executable files without a second thought. Nearly all viruses can be avoided by simply being careful and less gullible, the rest, well, it's still unlikely that you'll get those.
  
  --
  Filthy, filthy copyrapists!
28. Re:Themes by fractoid · 2010-09-03 20:13 · Score: 1
  
  WTF is that, privilege unescalling? If you can already replace the HOSTS file, why would you change a page to get the user clicking on something?
  Because you don't want them downloading and running a cleanup tool that would remove you from their system.
  
  A few recent viruses/adbots/spambots/systemfuckers will do this. They'll do a few different tricks (patching I.E., changing hosts file, sabotaging downloads) to try and stop you from getting to any antivirus or recovery sites. It makes it virtually impossible to recover your system without a system cleanup live CD, which basically guarantees that your average non-technical user won't be able to fix their computer without outside help. Even with a cleanup util it's easier and safer to just back up all non-executable user data and then nuke the system from orbit.
  
  --
  Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
29. Re:Themes by fractoid · 2010-09-03 20:19 · Score: 1
  
  These days all you have to do is see an infected add that slipped through, open a malicious PDF, put in an infected flash drive, etc. It's really sad to see Slashdot users - people who are supposed to be the cream of the nerd crop - spouting this decade old stuff as if Conficker never existed. If you run Windows and do not run an antivirus solution, you are bad at computer security, full stop.
  In my years of running Windows, I never used a resident AV program (although I did periodic online scans) and I got a virus exactly *once*, when someone emailed me an executable asking "hay is this a viruz??" and I (not being used to the trackpad on my new laptop) accidentally double-clicked instead of click-and-dragged.
  
  Then again I haven't run Windows at home for a few years now, so maybe it's rougher out there than it was. Back when I did run XP it was sufficient to just use a combination of Firefox, Adblock, Noscript, and a healthy dose of scepticism when clicking on anything.
  
  --
  Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
30. Re:Themes by Compaqt · 2010-09-04 01:20 · Score: 1
  
  Yeah, I had that for a while. I couldn't reach microsoft.com. I would just think "Hmm", and close the browser tab.
  Only later did I find out I had Sasser and Conficker. Then I ditched XP for Ubuntu.
  
  --
  I'm not a lawyer, but I play one on the Internet. Blog
Why is this new? by HockeyPuck · 2010-09-03 05:00 · Score: 3, Insightful

There's plenty of rogue/fake AntiVirus programs out there. Is the new part that they imitate your browser rather than looking like a real anti virus program?
1. Re:Why is this new? by nigelo · 2010-09-03 05:24 · Score: 1
  
  Well, let's see now; from RTFS:
  "auto-detects a user's browser and then imitates the relevant malware warning pages from Internet Explorer, Firefox, or Chrome...relying on the user's trust in their browser, a tactic that hasn't been seen before".
  So, mebbe?
  
  --
  *Still* negative function...
2. Re:Why is this new? by Even+on+Slashdot+FOE · 2010-09-03 05:53 · Score: 1
  
  All of the ones I have seen so far have no idea what I am running, so that sound like a new trick.
Possible solution by OnePumpChump · 2010-09-03 05:03 · Score: 3, Interesting

The first time the browser is used, create a security image like bank websites use. Store that image or the word used to generate it someplace where the malware will presumably not be able to access it.
1. Re:Possible solution by Darkness404 · 2010-09-03 05:07 · Score: 1
  
  It already looks different than the genuine protection page (where it says to download and "upgrade") and so for the technically savvy people that should be an obvious red flag, for everyone else, they wouldn't know the difference with or without a security image.
  
  --
  Taxation is legalized theft, no more, no less.
2. Re:Possible solution by jeffmeden · 2010-09-03 05:30 · Score: 1
  
  "Proven antivirus protection fin one click!"
  Whether it's shark fin, mahi fin, or tuna fin is user-selectable...
3. Re:Possible solution by Nadaka · 2010-09-03 07:32 · Score: 1
  
  "Proven antivirus protection fin one click!"
  Whether it's shark fin, mahi fin, or tuna fin is user-selectable...
  They are french mal-ware writers.
  What they really mean is "Proven antivirus protection ends in one click!"
4. Re:Possible solution by Thaelon · 2010-09-03 08:08 · Score: 1
  
  There's a study out there that has proven that those security images don't work.
  
  --
  Question everything
The new part of this by querist · 2010-09-03 05:05 · Score: 5, Informative

One part is old - imitating the web browser error page, specifically the IE error page. I've had many a chuckle when running Galleon or some other Linux browser and seeing it pop up a well-imitated IE error page. The new part on this one is that they're checking which browser it is and making sure the error page matches the browser.
1. Re:The new part of this by jj110888 · 2010-09-03 07:15 · Score: 1
  
  I've had many a chuckle when running Galleon or some other Linux browser and seeing it pop up a well-imitated IE error page.
  They don't. IIS by default uses error pages that look very much like IE's. Newer version of firefox and all versions of Chrome ignore them (I think it does a file size test)
Get all the details at the conference. by Just_Say_Duhhh · 2010-09-03 05:06 · Score: 1

Is this just an advance posting of a presentation at MalCon?
These guys really need a conference to hone their skills, and take advantage of everyone who doesn't read /. daily (because those of us who do read /. daily are too smart to be conned by these losers). Right?

--
I need trepanation like I need a hole in the head.
1. Re:Get all the details at the conference. by NevarMore · 2010-09-03 06:20 · Score: 1
  
  (because those of us who do read /. daily are too smart to be conned by these losers). Right?
  I see that you are new here.
Bit of Advice by kid_wonder · 2010-09-03 05:08 · Score: 2, Insightful

You spend all this time writing this creative software (malware)...
Try fracking finding someone who can proofread your english; it's abysmal and frankly embarrassing. I realize it is not your native language but this lack of attention to detail is exactly the reason you find yourself writing malware in the first place ... oh and why the only people you manage to trick into this are on the bottom side of the intelligence bell curve.

--

"Oh, you hate your job? There's a support group for that, it's called everyone, they meet at the bar."
1. Re:Bit of Advice by click2005 · 2010-09-03 05:22 · Score: 1
  
  I would say let those idiots get scammed if they're stupid enough to fall for this sort of obvious fake.
  Unfortunately it'll only get worse until some politicians get paid to propose a bill that will
  require IPSs to filter bad traffic to protect Joe Public. ISPs will of course use that as an excuse to
  get around any net neutrality rules that get proposed. Eventually all traffic not pre-approved will get
  filtered/blocked/downgraded.
  
  --
  I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.
2. Re:Bit of Advice by Beerdood · 2010-09-03 05:29 · Score: 1
  
  Lol at the firefox warning button here
  
  "Get me our of here and upgrade"
  
  So what, you're getting me one more 'our of browsing on this site before I have to upgrade? Allright, I'll upgrade in an hour.
  
  --
  Global warming and other natural disasters are a direct effect of the shrinking number of pirates - Gospel of the FSM
3. Re:Bit of Advice by jeffmeden · 2010-09-03 05:32 · Score: 1
  
  Thanks you for a advice. Are you available profread for me? Pay $1000 day, work at home. Send name and bank number to malgod@malgot.org an will advance you paymet for first work.
  Corrction: malgod@malgod.org
  You owe me $1000, send me your bank account number and I will collect the fee directly.
4. Re:Bit of Advice by cheekyjohnson · 2010-09-03 05:34 · Score: 2, Insightful
  
  "oh and why the only people you manage to trick into this are on the bottom side of the intelligence bell curve."
  So... 99% of the people that own computers?
  
  --
  Filthy, filthy copyrapists!
5. Re:Bit of Advice by RJHelms · 2010-09-03 05:38 · Score: 2, Interesting
  
  I was going to post exactly this. The sample Google Chrome image in the article is immediately obvious as a fake because real Chrome warning pages have proper subject-verb agreement and don't have character encoding images. I imagine Firefox warning pages don't have the two buttons overlapping.
  I'm really forced to wonder this about a lot of malware and phishing scams - I somewhat frequently get e-mails telling me I won an "iPhone-4G" on "Facebooks", how hard it is to get those right?
  At the same time, I think you hit on exactly why they don't bother with this. The bottom side of the intelligence bell curve is still half of the people who will see the page, and they are the same people who are more likely to fall for it even when there are no errors with the English. I imagine it simply doesn't pay to shell out any amount of money for proofreading.
6. Re:Bit of Advice by LocalH · 2010-09-03 05:42 · Score: 3, Funny
  
  Corrction: malgod@malgod.org
  Correction: "Correction"
  You owe me $10,000, as I'm charging my standard rates for proofreading for proofreaders.
  
  --
  FC Closer
7. Re:Bit of Advice by flimflammer · 2010-09-03 06:08 · Score: 2, Insightful
  
  oh and why the only people you manage to trick into this are on the bottom side of the intelligence bell curve.
  I disagree with this line entirely.
  Sure, those of us at Slashdot may realize the obvious attempts at breaching our computers safety, but not everyone realizes they need to distrust and scrutinize every little thing they come across, especially when it looks like a very legitimate message from the browser itself (English errors notwithstanding). Even still, that doesn't make the completely stupid, just naive.
8. Re:Bit of Advice by bill_mcgonigle · 2010-09-03 09:42 · Score: 1
  
  oh and why the only people you manage to trick into this are on the bottom side of the intelligence bell curve.
  Why would they want to compromise your computer? You're smart enough to notice and take action, it'll be out of their botnet in hours. That's just more accounting and command-and-control overhead for little benefit.
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
9. Re:Bit of Advice by EvilIdler · 2010-09-03 09:45 · Score: 1
  
  When people who actually sell the damn phones can't get it right (one major phone company sells "iPhone 4GS" here), I think most people aren't even sure how to spell most products they own. I've seen Toyota-owners misspell the brand of their car in creative ways too. Don't expect too much.
10. Re:Bit of Advice by idontgno · 2010-09-03 09:58 · Score: 1
  
  not everyone realizes they need to distrust and scrutinize every little thing they come across, especially when it looks like a very legitimate message from the browser itself (English errors notwithstanding).
  Experience keeps a dear school, but fools will learn in no other.
  -- Ben Franklin
  
  --
  Welcome to the Panopticon. Used to be a prison, now it's your home.
11. Re:Bit of Advice by arth1 · 2010-09-03 16:55 · Score: 1
  
  Naivety is a special branch of stupidity.
  If you default to trusting, you are stupid, but far from alone. There's one born every minute.
Security Fix Schedule by ackthpt · 2010-09-03 05:21 · Score: 2, Interesting

Firefox will have it fixed within hours.
Chrome will have it fixed within days.
Microsoft will issue a patch with in months.

--

A feeling of having made the same mistake before: Deja Foobar
1. Re:Security Fix Schedule by nasalicio · 2010-09-03 05:50 · Score: 1
  
  If that wasn't so true it'd be hilarious. Sadly, too, you can be assured that if/when MS does release a patch, they will wait until a Tuesday to do so.
2. Re:Security Fix Schedule by mrsquid0 · 2010-09-03 06:03 · Score: 2, Insightful
  
  > Firefox will have it fixed within hours.
  > Chrome will have it fixed within days.
  > Microsoft will issue a patch with in months.
  Apple will ignore it.
  
  --
  Just because you are paranoid does not mean that no-one is out to get you.
3. Re:Security Fix Schedule by blai · 2010-09-03 07:01 · Score: 1
  
  Microsoft will issue a patch with in months.
  Microsoft will issue a patch?
  
  --
  In soviet Russia, God creates you!
4. Re:Security Fix Schedule by gaspyy · 2010-09-03 07:55 · Score: 4, Insightful
  
  That'd be the day - when a browser developer can issue a patch for human stupidity.
But that web site was SECURE! by Junior+J.+Junior+III · 2010-09-03 05:22 · Score: 4, Funny

The .gif image of a shield SAID SO!

--
You see? You see? Your stupid minds! Stupid! Stupid!
1. Re:But that web site was SECURE! by jeffmeden · 2010-09-03 05:35 · Score: 1
  
  This part never fails to amuse me. An arbitrary image that happens to say "it's safe because I said so, and look; I even know what day it is today!" makes me feel GREAT about the web site. It needs to say "go find the lock icon in your browser. does it look locked? good. on your way."
Linux users by digitalhermit · 2010-09-03 05:31 · Score: 1

Bastards, I use Elinks. Couldn't they at least humor me and do background=#00000000 and set the font to courier 10 in neon green?
Your Post is at Virus Risk!1! Scan? by ackthpt · 2010-09-03 05:32 · Score: 3, Funny

The biggest security hole is Microsoft's version of the javascript interpreter. They should collaborate with Google and adopt the rewrite for Chrome, it would solve half the problems right there.
BTW, I found a virius in yor post - clikc this link to free triel of PostScan 2010!

--

A feeling of having made the same mistake before: Deja Foobar
IE 9 won't share WSH's JS interpreter by tepples · 2010-09-03 05:41 · Score: 3, Interesting

The biggest security hole is Microsoft's version of the javascript interpreter.
IE 9 will not use Windows Script Host's JavaScript interpreter. I predict that this change will make it easier for Microsoft to maintain the integrity of the sandbox.
1. Re:IE 9 won't share WSH's JS interpreter by JamesTRexx · 2010-09-03 07:59 · Score: 1
  
  And topping that off I use Sandboxie with Firefox on the Windows machines.
  
  --
  home
2. Re:IE 9 won't share WSH's JS interpreter by tepples · 2010-09-04 04:23 · Score: 1
  
  Why wait for IE 9 to not use WSH when I have a choice of great browsers that I can use right now that also don't use WSH?
  Because you still need to use IE 8 even if only to download one of those great browsers. This reduces but does not eliminate your window of vulnerability.
Malware? by dandart · 2010-09-03 06:02 · Score: 2, Funny

Is there a Linux port? I'd love some malware. I miss having people trying to install software on my computer without permission! Maybe I should go get a Mac.
1. Re:Malware? by Yvan256 · 2010-09-03 06:16 · Score: 1
  
  What's funny is all those fake warning boxes trying to trick me.
  "Windows XP has detected a problem!" ...really? I thought my Mac mini was running Snow Leopard!? I guess I was wrong!
Just Hurting Kids and Old People by ideonexus · 2010-09-03 06:15 · Score: 4, Interesting

What offends me most about these malware tactics is that I'm savvy enough to recognize the spoof, but the low income kids and old people in my neighborhood aren't. I know not to click on anything that pops up in my browser when I'm surfing, but every week I get people on my porch needing help cleaning out their infected systems, which I do and they get infected again within a week. How can these malware authors take pride in preventing little kids and old people access to the Internet or their software? Where's the sport? What pathetic losers.

--
i ~ Celebrating Science, Cyberspace, Speculation
1. Re:Just Hurting Kids and Old People by smegmatic · 2010-09-03 06:52 · Score: 1
  
  Malware authors are not the first dishonest people to make money off of children and old people. I doubt they care if you think they are "pathetic losers". I doubt they take pride in what they do. I doubt they're doing it for sport. They just want some money.
2. Re:Just Hurting Kids and Old People by hairyfeet · 2010-09-03 08:49 · Score: 1
  
  Want to be able to fix it once and be done? And not cost you a penny? Allow your old pal Hairyfeet tell you how brother. Just install Comodo AV and follow it up with Comodo Time Machine.
  Comodo AV has a built in sandbox and its default action is to sandbox everything you don't explicitly tell it not to, that way it shuts down even zero days that it doesn't have a signature to (but I've found its heuristics catches those anyway, but it never hurts to have extra protection) and you follow that up with Comodo Time Machine in case the clueless user keeps going "clicky clicky" in spite of the AV trying to stop them, or in some other way borks the PC. It'll even let you restore a non booting PC back to an earlier time via the F11 key on boot.
  Put those two together brother and watch your headaches diminish. My GF lives 2 hours away and when she forgot to log off her PC and her niece screwed the PC to non boot status it took me a grand total of 15 minutes via phone to have her back good as new. Both are 100% free, no nagging, no emails, nothing. Can't beat easy AND free!
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
3. Re:Just Hurting Kids and Old People by iopha · 2010-09-03 13:48 · Score: 1
  
  Wikipedia tells me that some of the people pushing this "rogue software" that masquerades as legitimate security product clear hundreds of thousands of dollars per month. These aren't the hackers of yore, hunting for vulnerabilities as a kind of intellectual exercise, or just looking to crow about their exploits on IRC. There's money to be made, not like twenty years ago, when you'd get the Stoned virus from a dial-up BBS download of an ANSI art editor and kind of think it was neat.
4. Re:Just Hurting Kids and Old People by WillDraven · 2010-09-03 15:41 · Score: 2, Informative
  
  The fucked up thing about the whole thing is most of these malware writers are kids and/or people with kids in shitty environments. They do work like this because Bob down the street bought a new bike with the money he made selling spam bots, and my kids are fucking starving, so fuck those rich people I'm infecting their computers to send spam to pay my bills.
  You want to get rid of spam and malware?
  Fix the global economy so nobody is poor.
  
  --
  This is my sig. There are many like it but this one is mine.
What about us? by Yvan256 · 2010-09-03 06:23 · Score: 2, Insightful

...auto-detects a user's browser and then imitates the relevant malware warning pages from Internet Explorer, Firefox, or Chrome.

What about Safari and Opera users?
1. Re:What about us? by RJHelms · 2010-09-03 06:39 · Score: 1
  
  Real Safari users use Chrome.
2. Re:What about us? by Yvan256 · 2010-09-03 06:51 · Score: 1
  
  I know both use Webkit, but I think they use different Javascript engines.
3. Re:What about us? by Yvan256 · 2010-09-03 08:29 · Score: 1
  
  Safari is available on Mac OS X, Windows, iPhone, iPod touch and iPad.
  Opera is avaiable on Mac OS X, Windows, Linux, Nintendo Wii and Nintendo DSi, and a shitload of smartphones.
  Still think there's only three Safari or Opera users?
4. Re:What about us? by SudoGhost · 2010-09-03 08:55 · Score: 1
  
  Opera is avaiable on Mac OS X, Windows, Linux, Nintendo Wii and Nintendo DSi, and a shitload of smartphones.
  Opera is also available for the iPhone, iPod Touch, and iPad.
5. Re:What about us? by Yvan256 · 2010-09-03 10:38 · Score: 1
  
  It's not Opera, it's Opera mini. Almost the same name, huge difference.
6. Re:What about us? by SudoGhost · 2010-09-08 17:07 · Score: 1
  
  Which is different than the Safari available for the iPhone?
Seen it by ReederDa · 2010-09-03 06:38 · Score: 2, Interesting

I've actually seen this malware in action. If you're infected and it decides to start running, there's not really much you can do. Disables the task manager as well. Library computers are most at risk.
1. Re:Seen it by WildBlueYonder · 2010-09-03 06:45 · Score: 2, Informative
  
  Not only does it disable the task manager, this (or a variant of it) disables Control Panel and ways to get to useful parts of the control panel without going through it (like running msconfig.exe directly). They also change your proxy settings on your web browsers so that you can't go online to attempt to trouble shoot the problem. At this point even an above-average computer user can be flummoxed as most of the basic tools are taken away from them. Although after this point they kinda drop the ball. Once you go into safe mode and look at the start up tasks the offending processes have been random collections of letters. Seems odd that they don't name themselves "Microsoft Security Panel" or something else like that.
2. Re:Seen it by cbhacking · 2010-09-03 21:50 · Score: 1
  
  Disabling task manager means nothing.
  %windir%\system32\perfmon.exe /res - resource monitor. All the information you can get from Taskmgr, and a whole lot more. For bonus point,s it allows you to suspend (without killing) processes. There's a lot of malware that won't auto-resume a suspended process but will auto-restart a killed one.
  tasklist/taskkill - ps and kill for Windows. Not as powerful as either, but perfectly valid tools for killing problematic processes.
  Powershell (included with recent Windows versions) - includes the Get-Process and Stop-Process commands (conveniently aliased to ps and kill for the Unix-users among us). Very powerful indeed. If you do any Windows maintenance, Powershell should be part of your toolbox.
  
  --
  There's no place I could be, since I've found Serenity...
Firefox personas by Burz · 2010-09-03 07:30 · Score: 1

I thought it was weird of Mozilla to push the personas idea since it seems tacky. But it's true that the window frame represents the security context for an application like a web browser, and a uniform customization of the frame would make the browser more secure against window imitation threats.
Grammar by yoyhed · 2010-09-03 07:45 · Score: 1

Looking at these new screenshots, they STILL have fucking grammar issues. If I'm going to fall for something, it's not going to be an error page with spelling errors and unnecessary exclamation points. How hard would it be for these fuckers to find a native English speaker to proofread their shit for them? Jeez.

--
WHO NEEDS SHIFT WHEN YOU HAVE CAPSLOCK/ DAMN1
This is why i still use lynx by Nyder · 2010-09-03 12:21 · Score: 1

God I love lynx. Can't infect my shit.
Of course, i have to borrow my neighbors computer to post here, lynx don't do web 2.0.
But I'm sure there's be a lynxweb2.0 fork anytime now...

--
Be seeing you...
Users must pass the Turing test - no exceptions by Torodung · 2010-09-03 13:45 · Score: 1

The solution to this problem is to teach users to think for themselves, and to understand what's being asked of them. You sure as hell wouldn't trust a brand new doctor if he put you in for major surgery/medications after simply taking your weight ("Ooh, you're heavy, let's put a staple in your stomach"), why would you trust some inane browser message to do the same to your computer?
Any user must know what their level of aptitude is, know their limitations, and think for themselves (which is not the same as DIY or "trust no one"), to arrive at a solution that is circumspect of the user's knowledge level, perhaps supplemented by a trusted friend or paid professional. Any real pain can generally be avoided. But the defense must be human based, and must pass a Turing test, as this cannot be automated.
Software tools work for a thinking user, they don't think for the user.
Any company who claims their product makes security simple is full of it. The idea of a computer "so simple a child can use it" is a myth, or at least an unattained aspiration. So is easy security, for the foreseeable future. It takes at least one thinking adult human being to design, operate and maintain any machine.
Specifically, users also need to know the level of severity of "privilege escalation," and what constitutes such escalation in their environment. It's like signing a contract. You don't sign one without reading it. Sometimes all it takes is a single mouse click, and that's ridiculous. At a bare minimum, a user should know why they're escalating, what process is getting the escalation, and that it is warranted. They have to read the contract.
UAC leans too far toward "one click" casualness/simplicity, IMO. I much prefer the way sudo works. Since it requires a password, and generally GUI implementations accent that "administrative tasks" are about to be performed and the password is required, it puts a bullet point on the level of importance of what is being asked.
--
Toro
MSHTML by tepples · 2010-09-04 04:22 · Score: 1

But then how can they claim that IE is an "integrated part of the OS" and not removable?
By continuing to use MSHTML for the help system. "Internet Explorer" itself is an insignificant piece of code, acting as a wrapper around an MSHTML browser control.
Your Post is at Virus Risk!1! Scan? Retry? Abort? by mcneely.mike · 2010-09-04 09:22 · Score: 1

"The biggest security hole is Microsoft's version of the javascript interpreter."
Let me fix that for you.....
The biggest security hole is Microsoft's versions of operating systems... or what they laughingly call an "operating" system *cough-cough*

--
soylentnews.org Go there to enjoy the people!
Pay Who Exactly? by EvilDroid · 2010-09-09 08:31 · Score: 1

It seems just stunningly obvious that
1. This is a deceptive scam.
2. They are stealing people's money via easily proven fraud
3. The perpetrators should be easily identified by whoever cashes the cheques
What am I missing here?