Slashdot Mirror


New Malware Imitates Browser Warning Pages

Jake writes with this excerpt from Ars: "Microsoft is warning about a new piece of malware, Rogue:MSIL/Zeven, that auto-detects a user's browser and then imitates the relevant malware warning pages from Internet Explorer, Firefox, or Chrome. The fake warning pages are very similar to the real thing; you have to look closely to realize they aren't the real thing. The ploy is a basic social engineering scheme, but in this case the malware authors are relying on the user's trust in their browser, a tactic that hasn't been seen before. Beyond the warning pages, the actual malware looks like the real deal: it allows you to scan files, tells you when you're behind on your updates, and enables you to change your security and privacy settings. Performing a scan results in the product finding malicious files, but of course it cannot delete them unless you update, which requires paying for the full version. Attempting to buy the product will open an HTML window that provides a useless 'Safe Browsing Mode' with high-strength encryption. To top it all off, the rogue antivirus webpage looks awfully similar to the Microsoft Security Essentials webpage; even the awards received by MSE and a link to the Microsoft Malware Protection Center have been copied."


  1. Not new... by Darkness404 · · Score: 2, Informative

    Imitating warning pages or other elements of the UI is not a new tactic. Back in the 90s and 2000s there were lots of "You are the 223423424th person to view this page" banners that were deliberately trying to imitate Windows 9X or XP.

    --
    Taxation is legalized theft, no more, no less.
    1. Re:Not new... by _133MHz · · Score: 2, Interesting

      Another way to make these really obvious is to use your operating system with any language other than English. Malware writers don't bother with localization, so their fake error messages always display in English regardless of your actual OS language. Even the USB autorun viruses are dead easy to spot, you know something's fishy when there's a lonely English menu option in the Autorun dialog, usually "Open folder to view files" while the rest aren't.

      Amazingly, most people still click on the damned things.

    2. Re:Not new... by Anonymous Coward · · Score: 4, Funny

      How could you even think of browsing the internet without Internet Explorer 8 on Microsoft Windows 7? Do you realize that using knock-off "operating systems" and programs like Foxfire and Chrum and Oprah is intellectual property theft? Why do you think you fools are getting viruses? It's not cool. You're not slick and getting one over on "the man". It's fucking bullshit. Microsoft Internet Explorer 8 was designed and engineered to exacting standards to mesh flawlessly with the intricate security in Microsoft Windows 7. Your knock-off crap is not. Why do you freetards insist on removing your noses to spite your faces? Do you just tire of smelling your own bullshit? Microsoft Windows 7 and Microsoft Internet Explorer 8 are superior to this freetard shit in every possible way. Microsoft have invested billions of dollars in blood sweat and tears to deliver an exceptionally secure system and you people just take it for granted. What would you do if Microsoft were driven out of business because you thought you could steal from them and use Lumix and frebsd? You people disgust me with your Lunix and Crabble puke. Do you think you're special? Guess what... You're not! You can't think you can honestly get away with continually stealing the fruits of the billions of dollars Microsoft Research has invested in producing the intellectual property that you dorks so cavalierly pilfer to inject into your Gnom and KED and Quark shit. You all disgust me. You people need to look into the mirror and reevaluate your lives.

    3. Re:Not new... by paiute · · Score: 3, Funny

      How could you even think of browsing the internet without Internet Explorer 8 on Microsoft Windows 7?

      2/10: for using it's and your correctly.

      --
      If Slashdot were chemistry it would look like this: Cadaverine
    4. Re:Not new... by camperslo · · Score: 2, Insightful

      Imitating warning pages or other elements of the UI is not a new tactic.

      Perhaps browsers could be developed to use some feature that 3rd party pages couldn't easily duplicate? It might not be practical to use colors/effects etc not supported by standard browser features, but maybe a browser could be designed to display some preset USER SPECIFIC DATA or graphic that javascript and other net-driven browser code does NOT have access to?

    5. Re:Not new... by History's+Coming+To · · Score: 2, Insightful

      I need to look in a mirror and re-evaluate my life....

      Actually, it's a very, very good troll that brings up some interesting points, so I'll bite.

      The thrust of your argument is that older and/or non-company vended net software is dangerous when it comes to picking up viruses. There's an element of truth in that; a regularly patched system, be it *nix based or Windows, is generally a good idea. This is, however, a different thing to having every possible update just for the sake of it. If I installed Windows and iTunes on my system simply because I *might* want to use them, or because everybody else has it, or because I saw an advert, then I'm opening myself up to new potential avenues of attack. Let's presume I only want to read the text on the internet....no pictures, no video, no Silverlight or whatever the latest thing is....I'd use a very bare-bones system, say Lynx running without a GUI, PDF support etc.

      If there's nothing running scripts at a system level, for example no JS, Flash, Java plugins and the like, then that's multiple attack routes taken care of. Sure, the modern internet is very snazzy and all, but being able to "install and run our video codec" is asking for trouble if you just want to look at naughty ladies. Less is often more.

      --
      Please consider this account deleted, I just can't be bothered with the spam anymore.
  2. Themes by characterZer0 · · Score: 5, Insightful

    All the more reason to theme your window manager - it makes this stuff obvious.

    --
    Go green: turn off your refrigerator.
    1. Re:Themes by qoncept · · Score: 5, Funny

      So now we're up to, what, 1 legitimate reasons?

      --
      Whale
    2. Re:Themes by bheer · · Score: 3, Interesting

      I don't understand; how does theming your window manager help against this? I'm assuming the malware bit is *inside* the Google Chrome window, so even if you themed your windows with say a Pikachu theme, the *insides* of the Chrome window would still contain the rogue site, imitating Chrome's red and white-colored malware block UI.

      The only way out of this is if crucial error pages are protected with some sort of "sign-in seal", like Yahoo uses for its login screens.


  3. Why is this new? by HockeyPuck · · Score: 3, Insightful

    There's plenty of rogue/fake AntiVirus programs out there. Is the new part that they imitate your browser rather than looking like a real anti virus program?

  4. Possible solution by OnePumpChump · · Score: 3, Interesting

    The first time the browser is used, create a security image like bank websites use. Store that image or the word used to generate it someplace where the malware will presumably not be able to access it.

  5. The new part of this by querist · · Score: 5, Informative

    One part is old - imitating the web browser error page, specifically the IE error page. I've had many a chuckle when running Galeon or some other Linux browser and seeing it pop up a well-imitated IE error page. The new part on this one is that they're checking which browser it is and making sure the error page matches the browser.

  6. Bit of Advice by kid_wonder · · Score: 2, Insightful

    You spend all this time writing this creative software (malware)...

    Try fracking finding someone who can proofread your English; it's abysmal and frankly embarrassing. I realize it is not your native language but this lack of attention to detail is exactly the reason you find yourself writing malware in the first place ... oh and why the only people you manage to trick into this are on the bottom side of the intelligence bell curve.

    --

    "Oh, you hate your job? There's a support group for that, it's called everyone, they meet at the bar."
    1. Re:Bit of Advice by cheekyjohnson · · Score: 2, Insightful

      "oh and why the only people you manage to trick into this are on the bottom side of the intelligence bell curve."

      So... 99% of the people that own computers?

      --
      Filthy, filthy copyrapists!
    2. Re:Bit of Advice by RJHelms · · Score: 2, Interesting

      I was going to post exactly this. The sample Google Chrome image in the article is immediately obvious as a fake because real Chrome warning pages have proper subject-verb agreement and don't have character encoding images. I imagine Firefox warning pages don't have the two buttons overlapping.

      I'm really forced to wonder this about a lot of malware and phishing scams - I somewhat frequently get e-mails telling me I won an "iPhone-4G" on "Facebooks"; how hard is it to get those right?

      At the same time, I think you hit on exactly why they don't bother with this. The bottom side of the intelligence bell curve is still half of the people who will see the page, and they are the same people who are more likely to fall for it even when there are no errors with the English. I imagine it simply doesn't pay to shell out any amount of money for proofreading.

    3. Re:Bit of Advice by LocalH · · Score: 3, Funny

      Corrction: malgod@malgod.org

      Correction: "Correction"

      You owe me $10,000, as I'm charging my standard rates for proofreading for proofreaders.

      --
      FC Closer
    4. Re:Bit of Advice by flimflammer · · Score: 2, Insightful

      oh and why the only people you manage to trick into this are on the bottom side of the intelligence bell curve.

      I disagree with this line entirely.

      Sure, those of us at Slashdot may realize the obvious attempts at breaching our computers' safety, but not everyone realizes they need to distrust and scrutinize every little thing they come across, especially when it looks like a very legitimate message from the browser itself (English errors notwithstanding). Even still, that doesn't make them completely stupid, just naive.

  7. Security Fix Schedule by ackthpt · · Score: 2, Interesting

    Firefox will have it fixed within hours.
    Chrome will have it fixed within days.
    Microsoft will issue a patch within months.

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:Security Fix Schedule by mrsquid0 · · Score: 2, Insightful

      > Firefox will have it fixed within hours.
      > Chrome will have it fixed within days.
      > Microsoft will issue a patch within months.

      Apple will ignore it.

      --
      Just because you are paranoid does not mean that no-one is out to get you.
    2. Re:Security Fix Schedule by gaspyy · · Score: 4, Insightful

      That'd be the day - when a browser developer can issue a patch for human stupidity.

  8. But that web site was SECURE! by Junior+J.+Junior+III · · Score: 4, Funny

    The .gif image of a shield SAID SO!

    --
    You see? You see? Your stupid minds! Stupid! Stupid!
  9. Your Post is at Virus Risk!1! Scan? by ackthpt · · Score: 3, Funny

    The biggest security hole is Microsoft's version of the javascript interpreter. They should collaborate with Google and adopt the rewrite for Chrome, it would solve half the problems right there.

    BTW, I found a virius in yor post - clikc this link to free triel of PostScan 2010!

    --

    A feeling of having made the same mistake before: Deja Foobar
  10. IE 9 won't share WSH's JS interpreter by tepples · · Score: 3, Interesting

    The biggest security hole is Microsoft's version of the javascript interpreter.

    IE 9 will not use Windows Script Host's JavaScript interpreter. I predict that this change will make it easier for Microsoft to maintain the integrity of the sandbox.

  11. Malware? by dandart · · Score: 2, Funny

    Is there a Linux port? I'd love some malware. I miss having people trying to install software on my computer without permission! Maybe I should go get a Mac.

  12. Just Hurting Kids and Old People by ideonexus · · Score: 4, Interesting

    What offends me most about these malware tactics is that I'm savvy enough to recognize the spoof, but the low income kids and old people in my neighborhood aren't. I know not to click on anything that pops up in my browser when I'm surfing, but every week I get people on my porch needing help cleaning out their infected systems, which I do and they get infected again within a week. How can these malware authors take pride in preventing little kids and old people access to the Internet or their software? Where's the sport? What pathetic losers.

    --
    i ~ Celebrating Science, Cyberspace, Speculation
    1. Re:Just Hurting Kids and Old People by WillDraven · · Score: 2, Informative

      The fucked up thing about the whole thing is most of these malware writers are kids and/or people with kids in shitty environments. They do work like this because Bob down the street bought a new bike with the money he made selling spam bots, and my kids are fucking starving, so fuck those rich people I'm infecting their computers to send spam to pay my bills.

      You want to get rid of spam and malware?

      Fix the global economy so nobody is poor.

      --
      This is my sig. There are many like it but this one is mine.
  13. What about us? by Yvan256 · · Score: 2, Insightful

    ...auto-detects a user's browser and then imitates the relevant malware warning pages from Internet Explorer, Firefox, or Chrome.

    What about Safari and Opera users?

  14. Seen it by ReederDa · · Score: 2, Interesting

    I've actually seen this malware in action. If you're infected and it decides to start running, there's not really much you can do. Disables the task manager as well. Library computers are most at risk.

    1. Re:Seen it by WildBlueYonder · · Score: 2, Informative

      Not only does it disable the task manager, this (or a variant of it) disables Control Panel and ways to get to useful parts of the control panel without going through it (like running msconfig.exe directly). They also change your proxy settings on your web browsers so that you can't go online to attempt to troubleshoot the problem. At this point even an above-average computer user can be flummoxed as most of the basic tools are taken away from them. Although after this point they kinda drop the ball. Once you go into safe mode and look at the startup tasks, the offending processes have been random collections of letters. Seems odd that they don't name themselves "Microsoft Security Panel" or something else like that.
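The symptoms described in the two comments above (Task Manager and Control Panel blocked by policy, browser proxy changed, oddly named startup entries) can each be checked from a PowerShell prompt before anything is cleaned. The script below is an added, read-only triage check written for this page; it is not from the thread, from Microsoft, or tied to the specific Zeven sample. The registry values it reads are the standard per-user policy and Internet Settings values; the "random letters" heuristic for startup names is an assumption based on the comment, not a detection rule.

```powershell
# Added triage check (not from the thread). Read-only: reports, never modifies.
# Looks at the per-user (HKCU) policy values a rogue AV flips to lock the user out,
# the per-user proxy switch, and the startup entries visible from WMI/CIM.

$checks = @(
    # Policy values that block Task Manager, Registry Editor and Control Panel.
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Bad = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Bad = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel';       Bad = 1 },
    # Per-user proxy switch; the comment notes it gets changed so the victim cannot reach help.
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'ProxyEnable';          Bad = 1 }
)

# Force an array so later += works even when zero or one item matched.
$findings = @(foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.($c.Name) -eq $c.Bad) {
        [pscustomobject]@{ Where = $c.Path; What = $c.Name; Data = $item.($c.Name) }
    }
})

# If a proxy is configured, record where it points so the analyst can judge it.
$inet  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy = Get-ItemProperty -Path $inet -Name 'ProxyServer' -ErrorAction SilentlyContinue
if ($proxy -and $proxy.ProxyServer) {
    $findings += [pscustomobject]@{ Where = $inet; What = 'ProxyServer'; Data = $proxy.ProxyServer }
}

# Startup entries (Run keys and Startup folders) as reported by Win32_StartupCommand.
# Heuristic (assumption, not a rule): flag names that are a bare run of 6+ letters with
# no spaces, since the comment reports the rogue entries as random letter strings.
$startup = Get-CimInstance -ClassName Win32_StartupCommand |
    Select-Object Name, Command, Location
$oddStartup = $startup | Where-Object { $_.Name -match '^[A-Za-z]{6,}$' }

Write-Host "=== Policy / proxy values that match a lock-out pattern ==="
if ($findings.Count -eq 0) { Write-Host "none found" } else { $findings | Format-Table -AutoSize }

Write-Host "=== All startup entries ==="
$startup | Format-Table -AutoSize

Write-Host "=== Startup entries with bare letter-string names (review manually) ==="
if (-not $oddStartup) { Write-Host "none" } else { $oddStartup | Format-Table -AutoSize }
```

Run it as the affected user (from Safe Mode if the desktop is unusable); it needs no elevation because it reads only HKCU and CIM. A hit on any policy value is not proof of infection by itself, since an administrator can legitimately set the same values through Group Policy, so compare against what the machine's policy is supposed to be before removing anything.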