By Katherine Noyes, PCWorld, Oct 20, 2010 10:20 am PDT
A new malware campaign takes advantage of the “malicious site” warnings commonly displayed by both Firefox and Chrome to trick unsuspecting users into downloading a rogue antivirus application, the security firm F-Secure reported today.
The attack happens when Web surfers visit a page offering “SecurityTool,” a known malware application that purports to be antivirus software. On both Firefox and Chrome, a fake warning page then pops up that mimics the messages those browsers normally give users who visit suspect sites.
On Firefox, the warning alert is titled “Reported Attack Page!” while on Chrome the page reads, “Warning: Visiting this site may harm your computer!” Both warnings invite users to “Download Updates.”
Users who click the download button then end up with a file called “ff_secure_upd.exe” on Firefox or “chrome_secure_upd.exe” on Google’s browser; either way, what they really get is the rogue antivirus file and an invitation to pay a license fee for supposed protection.
Firefox users with scripts enabled, in fact, don’t even have to click the “Download Updates” button; rather, they’ll just be prompted to click “OK” to download “Firefox secure updates.” Clicking “Cancel” only results in a repeated warning that updates need to be downloaded, F-Secure reported.
In addition to the “scareware,” a hidden iFrame that’s also part of the attack loads a Phoenix exploit kit from a different site, the security researcher noted, thereby exposing users to further exploitation.
A Fake “Just Updated”
This latest attack is very similar to one uncovered in July, in which SecurityTool used a similar technique, purportedly prompting Firefox users to update their Adobe Flash Player.
In that case, the attack presented users with a fake version of the Firefox “Just Updated” page, which is typically shown when users open the browser for the first time after an update is downloaded. On the fake version, however, the message warned that Adobe Flash Player hadn’t yet been updated, and it prompted the user to download a file that is in fact the rogue antivirus software, according to F-Secure.
The new “Reported Attack Page!” alert, however, relies particularly heavily on Firefox users’ uncertainty as to what genuine warning pages look like. In fact, such pages never request that users download updates; rather, they give the option of either leaving the site or overriding the block and continuing to load the page. F-Secure’s blog post includes an authentic Firefox block page for users who want a reliable visual image.
NoScript Could Help
It’s not clear from F-Secure’s report whether the attack is specific to Windows or affects users on all platforms. I’ve contacted them about this, and will report back if I learn more.
In the meantime, users should be sure to keep their browsers and their security software updated. In this case, a free Firefox add-on like NoScript could also help prevent exploitation.