
New Malware Imitates Browser Warning Pages

Jake writes with this excerpt from Ars: "Microsoft is warning about a new piece of malware, Rogue:MSIL/Zeven, that auto-detects a user's browser and then imitates the relevant malware warning pages from Internet Explorer, Firefox, or Chrome. The fake warning pages are very similar to the real thing; you have to look closely to realize they aren't the real thing. The ploy is a basic social engineering scheme, but in this case the malware authors are relying on the user's trust in their browser, a tactic that hasn't been seen before. Beyond the warning pages, the actual malware looks like the real deal: it allows you to scan files, tells you when you're behind on your updates, and enables you to change your security and privacy settings. Performing a scan results in the product finding malicious files, but of course it cannot delete them unless you update, which requires paying for the full version. Attempting to buy the product will open an HTML window that provides a useless 'Safe Browsing Mode' with high-strength encryption. To top it all off, the rogue antivirus webpage looks awfully similar to the Microsoft Security Essentials webpage; even the awards received by MSE and a link to the Microsoft Malware Protection Center have been copied."
  • Not new... (Score:3, Informative)

    by Darkness404 ( 1287218 ) on Friday September 03, 2010 @12:55PM (#33466308)
    Imitating warning pages or other elements of the UI is not a new tactic. Back in the 90s and 2000s there were lots of "You are the 223423424th person to view this page" banners that were deliberately trying to imitate Windows 9X or XP.
  • The new part of this (Score:5, Informative)

    by querist ( 97166 ) on Friday September 03, 2010 @01:05PM (#33466430) Homepage
    One part is old - imitating the web browser error page, specifically the IE error page. I've had many a chuckle when running Galleon or some other Linux browser and seeing it pop up a well-imitated IE error page. The new part on this one is that they're checking which browser it is and making sure the error page matches the browser.
  • Re:Seen it (Score:2, Informative)

    by WildBlueYonder ( 1714974 ) on Friday September 03, 2010 @02:45PM (#33467948)
    Not only does it disable the task manager, this (or a variant of it) disables Control Panel and ways to get to useful parts of the control panel without going through it (like running msconfig.exe directly). They also change your proxy settings on your web browsers so that you can't go online to attempt to troubleshoot the problem. At this point even an above-average computer user can be flummoxed as most of the basic tools are taken away from them. Although after this point they kinda drop the ball. Once you go into safe mode and look at the startup tasks the offending processes have been random collections of letters. Seems odd that they don't name themselves "Microsoft Security Panel" or something else like that.
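A triage check for the tampering described in the comment above, added here as an example; it is not part of the original thread or any poster's code. It assumes the mechanism is the standard per-user Windows registry values (`DisableTaskMgr`, `NoControlPanel`, `ProxyEnable`, `ProxyServer`, the `Run` key), which the comment does not state; the sample export and the names `parse_reg` and `triage` are constructed.

```python
import re

# Constructed sample in `reg export` text form (not from a real infection).
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoControlPanel"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.1:8080"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\Windows\\System32\\ctfmon.exe"
"xkqzvbtw"="C:\\Users\\a\\AppData\\Roaming\\xkqzvbtw.exe"
'''

CV = r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION"
# (key, value name, finding). Assumed mechanism: the comment does not say which
# settings the malware changed; these are the standard per-user policy values.
FLAGS = [
    (CV + r"\POLICIES\SYSTEM", "DisableTaskMgr", "Task Manager disabled"),
    (CV + r"\POLICIES\EXPLORER", "NoControlPanel", "Control Panel disabled"),
    (CV + r"\INTERNET SETTINGS", "ProxyEnable", "browser proxy enabled"),
]

def parse_reg(text):
    """Return {KEY_PATH: {value_name: raw_data}} from reg-export style text."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None and (m := re.match(r'"([^"]+)"=(.*)', line)):
            current[m.group(1)] = m.group(2)
    return keys

def triage(text):
    """List tamper indicators matching the behaviours described in the comment."""
    keys, findings = parse_reg(text), []
    for path, name, label in FLAGS:
        data = keys.get(path, {}).get(name, "")
        if data.startswith("dword:") and int(data[6:], 16) != 0:
            findings.append(label)
    proxy = keys.get(CV + r"\INTERNET SETTINGS", {}).get("ProxyServer", "")
    if "browser proxy enabled" in findings and proxy:
        findings.append("proxy server set to " + proxy.strip('"'))
    for name in keys.get(CV + r"\RUN", {}):
        # Crude heuristic: five or more consonants in a row reads as random letters.
        if re.search(r"[^aeiou\W\d_]{5,}", name.lower()):
            findings.append("random-looking startup entry: " + name)
    return findings

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_REG)))
```

A real `reg export` file is UTF-16 with a version header, so decode it before passing the text to `triage`.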
  • by WillDraven ( 760005 ) on Friday September 03, 2010 @11:41PM (#33472556) Homepage

    The fucked up thing about the whole thing is most of these malware writers are kids and/or people with kids in shitty environments. They do work like this because Bob down the street bought a new bike with the money he made selling spam bots, and my kids are fucking starving, so fuck those rich people I'm infecting their computers to send spam to pay my bills.

    You want to get rid of spam and malware?

    Fix the global economy so nobody is poor.
