
New Malware Imitates Browser Warning Pages

Jake writes with this excerpt from Ars: "Microsoft is warning about a new piece of malware, Rogue:MSIL/Zeven, that auto-detects a user's browser and then imitates the relevant malware warning pages from Internet Explorer, Firefox, or Chrome. The fake warning pages are very similar to the real thing; you have to look closely to realize they aren't the real thing. The ploy is a basic social engineering scheme, but in this case the malware authors are relying on the user's trust in their browser, a tactic that hasn't been seen before. Beyond the warning pages, the actual malware looks like the real deal: it allows you to scan files, tells you when you're behind on your updates, and enables you to change your security and privacy settings. Performing a scan results in the product finding malicious files, but of course it cannot delete them unless you update, which requires paying for the full version. Attempting to buy the product will open an HTML window that provides a useless 'Safe Browsing Mode' with high-strength encryption. To top it all off, the rogue antivirus webpage looks awfully similar to the Microsoft Security Essentials webpage; even the awards received by MSE and a link to the Microsoft Malware Protection Center have been copied."
  • Possible solution (Score:4, Interesting)

    by OnePumpChump ( 1560417 ) on Friday September 03, 2010 @01:03PM (#33466412)
    The first time the browser is used, create a security image like bank websites use. Store that image or the word used to generate it someplace where the malware will presumably not be able to access it.
  • by ackthpt ( 218170 ) on Friday September 03, 2010 @01:21PM (#33466618) Homepage Journal

    Firefox will have it fixed within hours.
    Chrome will have it fixed within days.
    Microsoft will issue a patch within months.

  • Re:Bit of Advice (Score:2, Interesting)

    by RJHelms ( 1554807 ) on Friday September 03, 2010 @01:38PM (#33466820)

    I was going to post exactly this. The sample Google Chrome image in the article is immediately obvious as a fake because real Chrome warning pages have proper subject-verb agreement and don't have character encoding images. I imagine Firefox warning pages don't have the two buttons overlapping.

    I'm really forced to wonder this about a lot of malware and phishing scams - I somewhat frequently get e-mails telling me I won an "iPhone-4G" on "Facebooks", how hard is it to get those right?

    At the same time, I think you hit on exactly why they don't bother with this. The bottom side of the intelligence bell curve is still half of the people who will see the page, and they are the same people who are more likely to fall for it even when there are no errors with the English. I imagine it simply doesn't pay to shell out any amount of money for proofreading.

  • by tepples ( 727027 ) <tepples.gmail@com> on Friday September 03, 2010 @01:41PM (#33466864) Homepage Journal

    The biggest security hole is Microsoft's version of the javascript interpreter.

    IE 9 will not use Windows Script Host's JavaScript interpreter. I predict that this change will make it easier for Microsoft to maintain the integrity of the sandbox.

  • Re:Not new... (Score:2, Interesting)

    by _133MHz ( 1556101 ) on Friday September 03, 2010 @01:54PM (#33467086)
    Another way to make these really obvious is to use your operating system with any language other than English. Malware writers don't bother with localization, so their fake error messages always display in English regardless of your actual OS language. Even the USB autorun viruses are dead easy to spot, you know something's fishy when there's a lonely English menu option in the Autorun dialog, usually "Open folder to view files" while the rest aren't.

    Amazingly, most people still click on the damned things.
  • by ideonexus ( 1257332 ) * on Friday September 03, 2010 @02:15PM (#33467392) Homepage Journal
    What offends me most about these malware tactics is that I'm savvy enough to recognize the spoof, but the low income kids and old people in my neighborhood aren't. I know not to click on anything that pops up in my browser when I'm surfing, but every week I get people on my porch needing help cleaning out their infected systems, which I do and they get infected again within a week. How can these malware authors take pride in preventing little kids and old people access to the Internet or their software? Where's the sport? What pathetic losers.
  • Seen it (Score:2, Interesting)

    by ReederDa ( 1874738 ) on Friday September 03, 2010 @02:38PM (#33467820)
    I've actually seen this malware in action. If you're infected and it decides to start running, there's not really much you can do. Disables the task manager as well. Library computers are most at risk.
  • Re:Themes (Score:4, Interesting)

    by bheer ( 633842 ) <rbheer AT gmail DOT com> on Friday September 03, 2010 @04:34PM (#33469548)

    I don't understand; how does theming your window manager help against this? [microsoft.com] I'm assuming the malware bit is *inside* the Google Chrome window, so even if you themed your windows with say a Pikachu theme, the *insides* of the Chrome window would still contain the rogue site, imitating Chrome's red and white-colored malware block UI.

    The only way out of this is if crucial error pages are protected with some sort of "sign-in seal", like Yahoo uses for its login screens.
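
The seal idea raised in this thread (a per-browser image or word created on first use and shown on real warning pages), sketched as an added example that is not from any commenter or browser vendor; the word list, the function names and the choice of HMAC to derive the seal are assumptions. It also shows the scheme's limit: anything that can read the stored secret draws the same seal.

```python
import hashlib
import hmac
import secrets

# Constructed word list; a real design would use a much larger one.
WORDS = ["amber", "birch", "cobalt", "delta", "ember", "fjord", "garnet", "heron",
         "indigo", "juniper", "kestrel", "lotus", "maple", "nectar", "onyx", "pewter"]


def create_seal_secret() -> bytes:
    """First-run step: a random per-profile secret (where it is stored is assumed)."""
    return secrets.token_bytes(32)


def derive_seal(secret: bytes) -> dict:
    """Deterministically turn the secret into something a person can recognise."""
    digest = hmac.new(secret, b"warning-page-seal-v1", hashlib.sha256).digest()
    phrase = "-".join(WORDS[b % len(WORDS)] for b in digest[:3])
    colour = "#" + digest[3:6].hex()
    return {"phrase": phrase, "colour": colour}


def render_warning(seal: dict, blocked_url: str) -> str:
    """What the browser's own warning page would show next to its message."""
    return (f"[seal {seal['phrase']} {seal['colour']}] "
            f"Reported attack site: {blocked_url}")


def seal_matches(page: str, expected: dict) -> bool:
    """Stands in for the user checking that their own seal is on the page."""
    return page.startswith(f"[seal {expected['phrase']} {expected['colour']}] ")


profile_secret = create_seal_secret()
my_seal = derive_seal(profile_secret)

genuine = render_warning(my_seal, "http://example.test/")
# An imitation built without the secret has to guess; here it carries another profile's seal.
imitation = render_warning(derive_seal(create_seal_secret()), "http://example.test/")
# Code that can read the stored secret reproduces the seal exactly.
local_copy = render_warning(derive_seal(profile_secret), "http://example.test/")
```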

     