
New Malware Imitates Browser Warning Pages

Posted by Soulskill
from the good-thing-nobody-ever-mindlessly-clicks-through-those dept.
Jake writes with this excerpt from Ars: "Microsoft is warning about a new piece of malware, Rogue:MSIL/Zeven, that auto-detects a user's browser and then imitates the relevant malware warning pages from Internet Explorer, Firefox, or Chrome. The fake warning pages are very similar to the real thing; you have to look closely to realize they aren't the real thing. The ploy is a basic social engineering scheme, but in this case the malware authors are relying on the user's trust in their browser, a tactic that hasn't been seen before. Beyond the warning pages, the actual malware looks like the real deal: it allows you to scan files, tells you when you're behind on your updates, and enables you to change your security and privacy settings. Performing a scan results in the product finding malicious files, but of course it cannot delete them unless you update, which requires paying for the full version. Attempting to buy the product will open an HTML window that provides a useless 'Safe Browsing Mode' with high-strength encryption. To top it all off, the rogue antivirus webpage looks awfully similar to the Microsoft Security Essentials webpage; even the awards received by MSE and a link to the Microsoft Malware Protection Center have been copied."
  • Not new... (Score:3, Informative)

    by Darkness404 (1287218) on Friday September 03, 2010 @12:55PM (#33466308)
    Imitating warning pages or other elements of the UI is not a new tactic. Back in the 90s and 2000s there were lots of "You are the 223423424th person to view this page" banners that were deliberately trying to imitate Windows 9X or XP.
    • by jornak (1377831)

      This is also old news with regard to the actual topic. Malware has been imitating error pages and injecting code into pages (like "Google detects you're infected, use software to fix!" on Google) for the longest time.

      • by Anonymous Coward on Friday September 03, 2010 @02:03PM (#33467194)

        How could you even think of browsing the internet without Internet Explorer 8 on Microsoft Windows 7? Do you realize that using knock-off "operating systems" and programs like Foxfire and Chrum and Oprah is intellectual property theft? Why do you think you fools are getting viruses? It's not cool. You're not slick and getting one over on "the man". It's fucking bullshit. Microsoft Internet Explorer 8 was designed and engineered to exacting standards to mesh flawlessly with the intricate security in Microsoft Windows 7. Your knock-off crap is not. Why do you freetards insist on removing your noses to spite your faces? Do you just tire of smelling your own bullshit? Microsoft Windows 7 and Microsoft Internet Explorer 8 are superior to this freetard shit in every possible way. Microsoft have invested billions of dollars in blood sweat and tears to deliver an exceptionally secure system and you people just take it for granted. What would you do if Microsoft were driven out of business because you thought you could steal from them and use Lumix and frebsd? You people disgust me with your Lunix and Crabble puke. Do you think you're special? Guess what... You're not! You can't think you can honestly get away with continually stealing the fruits of the billions of dollars Microsoft Research has invested in producing the intellectual property that you dorks so cavalierly pilfer to inject into your Gnom and KED and Quark shit. You all disgust me. You people need to look into the mirror and reevaluate your lives.

        • by paiute (550198) on Friday September 03, 2010 @02:12PM (#33467342)

          How could you even think of browsing the internet without Internet Explorer 8 on Microsoft Windows 7?

          2/10: for using it's and your correctly.

        • Re: (Score:3, Insightful)

          I need to look in a mirror and re-evaluate my life....

          Actually, it's a very, very good troll that brings up some interesting points, so I'll bite.

          The thrust of your argument is that older and/or non-company vended net software is dangerous when it comes to picking up viruses. There's an element of truth in that: a regularly patched system, be it *nix-based or Windows, is generally a good idea. This is, however, a different thing to having every possible update just for the sake of it. If I installe
          • by arth1 (260657)

            Sure, the modern internet is very snazzy and all, but being able to "install and run our video codec" is asking for trouble if you just want to look at naughty ladies.

            Ah, but many aren't satisfied with that -- they want the ladies to move too, which requires a codec.

            Less is often more.

            But far from always. Less clothes (to continue using the naughty ladies example) isn't more in -40 degree weather, trust me. No more than needed for the purpose is a better rule of thumb. If your need is to play HDMI video

          • by fractoid (1076465)

            The thrust of your argument is that older and/or non-company vended net software is dangerous when it comes to picking up viruses.

            It is? I thought it was that Linux (and free software in general) was claimed to be a rip-off of commercial software developments' IP. Which, while definitely not true in the broadest sense, you could make a case for. A lot of free software intentionally duplicates functionality found in popular commercial software as a way to get around paying for said commercial software. The problem is that the initial design of software is far harder to get right than the implementation, and I can easily see how a comme

        • by armanox (826486)
          Let me ask you this Mr. Coward - can you show me what the free world has stolen from Microsoft?
        • I looked into the mirror. "How are you today, Mirrorimage?" "Oh, fine, except I get tired of hearing the Microsoft shills calling me thief, and worse." "Oh, don't worry about the shills. Do you realize what crummy lives they lead? Think about it." "Oh, wow - sucks to be so pathetic that you have to praise the unpraiseworthy. Sucks even more to praise those unpraiseworthies who will never even notice or appreciate your pathetic noises." "Yep, you got it. I would rather BE a thief than be a shill."
        • by Xtifr (1323)

          removing your noses to spite your faces

          I think that's supposed to be "removing your noses despite your faces". (Although I personally prefer "to spit in your faces".) :)

      • by hairyfeet (841228)

        Yep, looks to be just another spin on the Security Tool malware that has been going around for a couple of years now. I remove that crap at least twice a week at my shop. I've seen versions of it that looked like AdAware, like AVG, and like Norton. Of course the easiest to spot was the fake Norton, since it didn't slow the machine to a crawl and they actually wanted less money than Symantec charges, LOL!

        Seriously though ever since SP3 the OS has been less and less of an attack vector. More and more I'm s

        • by mlts (1038732) *

          What I see as an attack vector are third party add-ons. You can have a secure browser, but if an add-on gets compromised, it is all for naught.

          What it really will take is hooks to OS level protection for the Web browser. Microsoft got something right with the low security mode of IE7/IE8 in Vista/W7, but it would be good to be able to isolate add-ons completely from each other on the OS basis so they don't even share the same memory space as the browser, and absolutely no filesystem space, unless the user

    • by ackthpt (218170) on Friday September 03, 2010 @01:32PM (#33466746) Homepage Journal

      The biggest security hole is Microsoft's version of the javascript interpreter. They should collaborate with Google and adopt the rewrite for Chrome, it would solve half the problems right there.

      BTW, I found a virius in yor post - clikc this link to free triel of PostScan 2010!

      • by tepples (727027) <tepples AT gmail DOT com> on Friday September 03, 2010 @01:41PM (#33466864) Homepage Journal

        The biggest security hole is Microsoft's version of the javascript interpreter.

        IE 9 will not use Windows Script Host's JavaScript interpreter. I predict that this change will make it easier for Microsoft to maintain the integrity of the sandbox.

        • by sconeu (64226)

          But then how can they claim that IE is an "integrated part of the OS" and not removable?

          • But then how can they claim that IE is an "integrated part of the OS" and not removable?

            By continuing to use MSHTML for the help system. "Internet Explorer" itself is an insignificant piece of code, acting as a wrapper around an MSHTML browser control.

    • Re: (Score:2, Interesting)

      by _133MHz (1556101)
      Another way to make these really obvious is to use your operating system with any language other than English. Malware writers don't bother with localization, so their fake error messages always display in English regardless of your actual OS language. Even the USB autorun viruses are dead easy to spot, you know something's fishy when there's a lonely English menu option in the Autorun dialog, usually "Open folder to view files" while the rest aren't.

      Amazingly, most people still click on the damned things.
    • Re: (Score:3, Insightful)

      by camperslo (704715)

      Imitating warning pages or other elements of the UI is not a new tactic.

      Perhaps browsers could be developed to use some feature that 3rd party pages couldn't easily duplicate? It might not be practical to use colors/effects etc not supported by standard browser features, but maybe a browser could be designed to display some preset USER SPECIFIC DATA or graphic that javascript and other net-driven browser code does NOT have access to?

      • by AmiMoJo (196126)

        My bank has a user-selected image when logging in, just to prove that it is the real site. Unfortunately you can only select from a limited number of images (can't upload your own) but it does let you set two secret words that are displayed along with it.

    • by treeves (963993)

      Didn't say it was a new technique or tactic, just a new piece of malware.
      Would you prefer they don't say it was new in the headline (makes it rather awkward: "Malware imitates warning pages"), don't report it at all, or what?

  • Themes (Score:5, Insightful)

    by characterZer0 (138196) on Friday September 03, 2010 @12:57PM (#33466342)

    All the more reason to theme your window manager - it makes this stuff obvious.

    • It's actually kind of hilarious sometimes to see windows-style fake error messages when browsing in Opera on FreeBSD.
      • by Smivs (1197859)

        It's actually kind of hilarious sometimes to see windows-style fake error messages when browsing in Opera on FreeBSD.

        Yeah, love 'em. Opera/Ubuntu

      • by daedae (1089329)
          I saw one that replaced your HOSTS file to prevent you from going to Symantec, Kaspersky, etc., and show a host not found error instead. Sadly, it wasn't clever enough to check your browser first, so it displayed the IE error page in Firefox.
        • WTF is that, privilege unescalling? If you can already replace the HOSTS file, why would you change a page to get the user clicking on something?

          • by fractoid (1076465)

            WTF is that, privilege unescalling? If you can already replace the HOSTS file, why would you change a page to get the user clicking on something?

            Because you don't want them downloading and running a cleanup tool that would remove you from their system.

            A few recent viruses/adbots/spambots/systemfuckers will do this. They'll do a few different tricks (patching I.E., changing hosts file, sabotaging downloads) to try and stop you from getting to any antivirus or recovery sites. It makes it virtually impossible to recover your system without a system cleanup live CD, which basically guarantees that your average non-technical user won't be able to fix t
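The HOSTS-file trick described in the comments above (vendor and update sites pointed at a loopback or bogus address so the browser shows "host not found") is easy to check for from a live CD or a clean boot. The block below is an added example, not code from the article or from anyone in this thread: it parses a hosts file and flags any entry for a watched domain, classifying it as a sinkhole (loopback or 0.0.0.0) or a redirect to some other host. The watch-list and the sample hosts content are constructed for the demonstration; on Windows the real file is C:\Windows\System32\drivers\etc\hosts.

```python
"""Flag hosts-file entries that sinkhole or redirect security-vendor domains.

Added example, not code from the article or the thread. WATCHED_DOMAINS is an
assumed watch-list and SAMPLE_HOSTS is constructed for the demonstration.
"""
import ipaddress
from typing import Dict, List, Tuple

# Assumed watch-list: extend with whatever vendor/update hosts you rely on.
WATCHED_DOMAINS = (
    "symantec.com", "norton.com", "kaspersky.com", "mcafee.com",
    "avast.com", "avg.com", "microsoft.com", "windowsupdate.com",
    "malwarebytes.org",
)


def _matches(hostname: str, domain: str) -> bool:
    """True if hostname is the domain itself or any subdomain of it."""
    hostname = hostname.lower().rstrip(".")
    return hostname == domain or hostname.endswith("." + domain)


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, ip, hostname) triples; comments and blanks are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # inline comments are legal
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]          # one address may map several names
        for name in names:
            entries.append((n, ip, name))
    return entries


def find_hijacked(text: str, watched=WATCHED_DOMAINS) -> List[Dict[str, object]]:
    """Every entry naming a watched domain, with a guess at what it does."""
    findings = []
    for n, ip, name in parse_hosts(text):
        hit = next((d for d in watched if _matches(name, d)), None)
        if hit is None:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            kind = "malformed"                   # flag rather than silently skip
        else:
            kind = "sinkhole" if (addr.is_loopback or addr.is_unspecified) else "redirect"
        findings.append({"line": n, "ip": ip, "host": name, "domain": hit, "kind": kind})
    return findings


# Constructed sample resembling a tampered Windows hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1  www.symantec.com symantec.com
0.0.0.0    kaspersky.com   # browser shows "host not found"
10.66.6.6  download.microsoft.com
192.168.1.20 intranet.example.internal
"""

if __name__ == "__main__":
    for f in find_hijacked(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']}, matches {f['domain']})")
```

Run it against the real file with `find_hijacked(open(path).read())`. A clean Windows hosts file carries no entries for any of these domains, so every hit is worth a look; the "redirect" class is the nastier one, since the name still resolves and the user may be fed a fake download.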

      • by Rick17JJ (744063)
        I once encountered a fake "Microsoft Warning" message on my Linux computer. That was probably about 5 years ago. The "Microsoft Warning" said that spyware had been detected on my computer. The pop-up recommended purchasing a specific anti-virus product to fix the problem. Seeing the Microsoft pop-up was funny, since I did not have any Microsoft products at all installed on my computer.

        On two occasions since then, I have also been diverted to websites that claimed to have detected spyware and viruses on my
        • by natehoy (1608657)

          My understanding is also that there has not yet been any problem with Linux viruses circulating in the wild.

          Not as much, but that doesn't make it impossible. Most Linux distro managers maintain ClamAV in their repositories. You might want to consider installing it.

        • by Nadaka (224565)

          There have been a few over the years, just like for Macs. Contrast that with tens of thousands for Windows.

    • Re:Themes (Score:5, Funny)

      by qoncept (599709) on Friday September 03, 2010 @01:16PM (#33466564) Homepage
      So now we're up to, what, 1 legitimate reason?
    • by anorlunda (311253)

      Uh thank you very much.

      Practical and immediately useful advice from a Slashdot comment. What will they think of next?

    • I thought it was weird of Mozilla to push the personas idea since it seems tacky. But it's true that the window frame represents the security context for an application like a web browser, and a uniform customization of the frame would make the browser more secure against window imitation threats.

    • Re:Themes (Score:4, Interesting)

      by bheer (633842) <rbheer AT gmail DOT com> on Friday September 03, 2010 @04:34PM (#33469548)

      I don't understand; how does theming your window manager help against this? [microsoft.com] I'm assuming the malware bit is *inside* the Google Chrome window, so even if you themed your windows with say a Pikachu theme, the *insides* of the Chrome window would still contain the rogue site, imitating Chrome's red and white-colored malware block UI.

      The only way out of this is if crucial error pages are protected with some sort of "sign-in seal", like Yahoo uses for its login screens.

       

      • I don't understand; how does theming your window manager help against this?

        Theming probably doesn't, but assuming Google checks its dialogs for proper grammar probably does.

      • by couchslug (175151)

        "I don't understand; how does theming your window manager help against this? "

        It doesn't.

        If Windows users cared about avoiding these things, they'd browse using a virtual browser appliance, or browse using a second OS in a VM.

        Portable VirtualBox allows fun things like .rar'ing a backup copy of a complete VM plus the software to run it, so if your VM is compromised you can simply delete it and extract a fresh copy.

        http://www.dedoimedo.com/computers/portable-virtualbox.html [dedoimedo.com]

    • Not even that, just changing the color from the standard theme color is often enough. I don't know how many times I've seen Fisher Price blue "virus" warnings come up when my Windows theme color was silver.
    • by Ichijo (607641)

      All the more reason to theme your window manager - it makes this stuff obvious.

      Unless, of course, the malware reads your theme configuration file.

  • Why is this new? (Score:4, Insightful)

    by HockeyPuck (141947) on Friday September 03, 2010 @01:00PM (#33466388)

    There's plenty of rogue/fake AntiVirus programs [wikipedia.org] out there. Is the new part that they imitate your browser rather than looking like a real anti virus program?

    • by nigelo (30096)

      Well, let's see now; from RTFS:

      "auto-detects a user's browser and then imitates the relevant malware warning pages from Internet Explorer, Firefox, or Chrome...relying on the user's trust in their browser, a tactic that hasn't been seen before".

      So, mebbe?

  • Possible solution (Score:4, Interesting)

    by OnePumpChump (1560417) on Friday September 03, 2010 @01:03PM (#33466412)
    The first time the browser is used, create a security image like bank websites use. Store that image or the word used to generate it someplace where the malware will presumably not be able to access it.
    • It already looks different than the genuine protection page (where it says to download and "upgrade") and so for the technically savvy people that should be an obvious red flag, for everyone else, they wouldn't know the difference with or without a security image.
      • by jeffmeden (135043)

        "Proven antivirus protection fin one click!"

        Whether it's shark fin, mahi fin, or tuna fin is user-selectable...

        • by Nadaka (224565)

          "Proven antivirus protection fin one click!"

          Whether it's shark fin, mahi fin, or tuna fin is user-selectable...

          They are French malware writers.

          What they really mean is "Proven antivirus protection ends in one click!"

    • by Thaelon (250687)

      There's a study out there [computerworld.com] that has proven that those security images don't work.

  • The new part of this (Score:5, Informative)

    by querist (97166) on Friday September 03, 2010 @01:05PM (#33466430) Homepage
    One part is old - imitating the web browser error page, specifically the IE error page. I've had many a chuckle when running Galeon or some other Linux browser and seeing it pop up a well-imitated IE error page. The new part on this one is that they're checking which browser it is and making sure the error page matches the browser.
  • Is this just an advance posting of a presentation at MalCon [slashdot.org]?

    These guys really need a conference to hone their skills, and take advantage of everyone who doesn't read /. daily (because those of us who do read /. daily are too smart to be conned by these losers). Right?

    • by NevarMore (248971)

      (because those of us who do read /. daily are too smart to be conned by these losers). Right?

      I see that you are new here.

  • Bit of Advice (Score:3, Insightful)

    by kid_wonder (21480) <`public' `at' `kscottklein.com'> on Friday September 03, 2010 @01:08PM (#33466468) Homepage

    You spend all this time writing this creative software (malware)...

    Try fracking finding someone who can proofread your English; it's abysmal and frankly embarrassing. I realize it is not your native language but this lack of attention to detail is exactly the reason you find yourself writing malware in the first place ... oh and why the only people you manage to trick into this are on the bottom side of the intelligence bell curve.

    • by click2005 (921437) *

      I would say let those idiots get scammed if they're stupid enough to fall for this sort of obvious fake. Unfortunately it'll only get worse until some politicians get paid to propose a bill that will require ISPs to filter bad traffic to protect Joe Public. ISPs will of course use that as an excuse to get around any net neutrality rules that get proposed. Eventually all traffic not pre-approved will get filtered/blocked/downgraded.

    • by Beerdood (1451859)
      Lol at the firefox warning button here [microsoft.com]

      "Get me our of here and upgrade"

      So what, you're getting me one more 'our of browsing on this site before I have to upgrade? All right, I'll upgrade in an hour.
    • Re: (Score:2, Insightful)

      "oh and why the only people you manage to trick into this are on the bottom side of the intelligence bell curve."

      So... 99% of the people that own computers?

    • Re: (Score:2, Interesting)

      by RJHelms (1554807)

      I was going to post exactly this. The sample Google Chrome image in the article is immediately obvious as a fake because real Chrome warning pages have proper subject-verb agreement and don't have character encoding images. I imagine Firefox warning pages don't have the two buttons overlapping.

      I'm really forced to wonder this about a lot of malware and phishing scams - I somewhat frequently get e-mails telling me I won an "iPhone-4G" on "Facebooks"; how hard is it to get those right?

      At the same time, I thin

      • by EvilIdler (21087)

        When people who actually sell the damn phones can't get it right (one major phone company sells "iPhone 4GS" here), I think most people aren't even sure how to spell most products they own. I've seen Toyota-owners misspell the brand of their car in creative ways too. Don't expect too much.

    • Re: (Score:3, Insightful)

      by flimflammer (956759)

      oh and why the only people you manage to trick into this are on the bottom side of the intelligence bell curve.

      I disagree with this line entirely.

      Sure, those of us at Slashdot may realize the obvious attempts at breaching our computers' safety, but not everyone realizes they need to distrust and scrutinize every little thing they come across, especially when it looks like a very legitimate message from the browser itself (English errors notwithstanding). Even still, that doesn't make them completely stupid, just naive.

      • by idontgno (624372)

        not everyone realizes they need to distrust and scrutinize every little thing they come across, especially when it looks like a very legitimate message from the browser itself (English errors notwithstanding).

        Experience keeps a dear school, but fools will learn in no other.
        -- Ben Franklin

      • by arth1 (260657)

        Naivety is a special branch of stupidity.
        If you default to trusting, you are stupid, but far from alone. There's one born every minute.

    • oh and why the only people you manage to trick into this are on the bottom side of the intelligence bell curve.

      Why would they want to compromise your computer? You're smart enough to notice and take action, it'll be out of their botnet in hours. That's just more accounting and command-and-control overhead for little benefit.

  • by ackthpt (218170) on Friday September 03, 2010 @01:21PM (#33466618) Homepage Journal

    Firefox will have it fixed within hours.
    Chrome will have it fixed within days.
    Microsoft will issue a patch within months.

  • by Junior J. Junior III (192702) on Friday September 03, 2010 @01:22PM (#33466624) Homepage

    The .gif image of a shield SAID SO!

    • by jeffmeden (135043)

      This part never fails to amuse me. An arbitrary image that happens to say "it's safe because I said so, and look; I even know what day it is today!" makes me feel GREAT about the web site. It needs to say "go find the lock icon in your browser. does it look locked? good. on your way."

  • Bastards, I use Elinks. Couldn't they at least humor me and do background=#00000000 and set the font to courier 10 in neon green?

  • Malware? (Score:2, Funny)

    by dandart (1274360)
    Is there a Linux port? I'd love some malware. I miss having people trying to install software on my computer without permission! Maybe I should go get a Mac.
    • by Yvan256 (722131)

      What's funny is all those fake warning boxes trying to trick me.

      "Windows XP has detected a problem!" ...really? I thought my Mac mini was running Snow Leopard!? I guess I was wrong!

  • by ideonexus (1257332) * on Friday September 03, 2010 @02:15PM (#33467392) Homepage Journal
    What offends me most about these malware tactics is that I'm savvy enough to recognize the spoof, but the low income kids and old people in my neighborhood aren't. I know not to click on anything that pops up in my browser when I'm surfing, but every week I get people on my porch needing help cleaning out their infected systems, which I do and they get infected again within a week. How can these malware authors take pride in preventing little kids and old people access to the Internet or their software? Where's the sport? What pathetic losers.
    • Malware authors are not the first dishonest people to make money off of children and old people. I doubt they care if you think they are "pathetic losers". I doubt they take pride in what they do. I doubt they're doing it for sport. They just want some money.
    • by hairyfeet (841228)

      Want to be able to fix it once and be done? And not cost you a penny? Allow your old pal Hairyfeet to tell you how, brother. Just install Comodo AV [comodo.com] and follow it up with Comodo Time Machine [comodo.com].

      Comodo AV has a built-in sandbox and its default action is to sandbox everything you don't explicitly tell it not to, that way it shuts down even zero-days that it doesn't have a signature for (but I've found its heuristics catch those anyway, but it never hurts to have extra protection) and you follow that up with Comodo

    • by iopha (626985)
      Wikipedia tells me that some of the people pushing this "rogue software" that masquerades as legitimate security product clear hundreds of thousands of dollars per month. These aren't the hackers of yore, hunting for vulnerabilities as a kind of intellectual exercise, or just looking to crow about their exploits on IRC. There's money to be made, not like twenty years ago, when you'd get the Stoned virus from a dial-up BBS download of an ANSI art editor and kind of think it was neat.
    • Re: (Score:3, Informative)

      by WillDraven (760005)

      The fucked up thing about the whole thing is most of these malware writers are kids and/or people with kids in shitty environments. They do work like this because Bob down the street bought a new bike with the money he made selling spam bots, and my kids are fucking starving, so fuck those rich people I'm infecting their computers to send spam to pay my bills.

      You want to get rid of spam and malware?

      Fix the global economy so nobody is poor.

  • What about us? (Score:3, Insightful)

    by Yvan256 (722131) on Friday September 03, 2010 @02:23PM (#33467532) Homepage Journal

    ...auto-detects a user's browser and then imitates the relevant malware warning pages from Internet Explorer, Firefox, or Chrome.

    What about Safari and Opera users?

    • by RJHelms (1554807)
      Real Safari users use Chrome.
  • Seen it (Score:2, Interesting)

    by ReederDa (1874738)
    I've actually seen this malware in action. If you're infected and it decides to start running, there's not really much you can do. Disables the task manager as well. Library computers are most at risk.
    • Re: (Score:2, Informative)

      Not only does it disable the task manager, this (or a variant of it) disables Control Panel and ways to get to useful parts of the control panel without going through it (like running msconfig.exe directly). They also change your proxy settings on your web browsers so that you can't go online to attempt to troubleshoot the problem. At this point even an above-average computer user can be flummoxed as most of the basic tools are taken away from them. Although after this point they kinda drop the ball. Once
    • by cbhacking (979169)

      Disabling task manager means nothing.

      %windir%\system32\perfmon.exe /res - resource monitor. All the information you can get from Taskmgr, and a whole lot more. For bonus points, it allows you to suspend (without killing) processes. There's a lot of malware that won't auto-resume a suspended process but will auto-restart a killed one.

      tasklist/taskkill - ps and kill for Windows. Not as powerful as either, but perfectly valid tools for killing problematic processes.

      Powershell (included with recent Windows vers
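The lockout described in the "Seen it" comments above (Task Manager and Control Panel disabled, the browser's proxy settings pointed somewhere useless) lives in a handful of well-known per-user registry values: the DisableTaskMgr and DisableRegistryTools policies under Policies\System, NoControlPanel and NoRun under Policies\Explorer, and ProxyEnable, ProxyServer and AutoConfigURL under Internet Settings. The block below is an added example, not code from the thread: a pure function that assesses a snapshot of those values, plus a small reader that fills the snapshot from the live HKCU hive when run on Windows through the standard-library winreg module. The allowed-proxy list and the sample snapshot are constructed; run it from a clean account or a recovery environment where the policies don't stop Python itself from starting.

```python
"""Check the per-user registry spots rogue AV uses to lock the user out.

Added example, not code from the thread. Key and value names are the standard
Windows policy and WinINet locations; SAMPLE_SNAPSHOT is constructed and the
allowed-proxy list is whatever your environment actually uses.
"""
import sys
from typing import Dict, List, Optional, Tuple

POLICY_SYSTEM = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
INET_SETTINGS = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# (subkey under HKCU, value name) -> what a non-zero DWORD there means
LOCKOUT_POLICIES = {
    (POLICY_SYSTEM, "DisableTaskMgr"): "Task Manager disabled",
    (POLICY_SYSTEM, "DisableRegistryTools"): "Registry Editor disabled",
    (POLICY_EXPLORER, "NoControlPanel"): "Control Panel hidden",
    (POLICY_EXPLORER, "NoRun"): "Run dialog removed",
}
PROXY_VALUES = [
    (INET_SETTINGS, "ProxyEnable"),
    (INET_SETTINGS, "ProxyServer"),
    (INET_SETTINGS, "AutoConfigURL"),
]

Snapshot = Dict[Tuple[str, str], object]


def assess(snapshot: Snapshot, allowed_proxies=()) -> List[str]:
    """Return human-readable findings for a snapshot of HKCU values.

    Absent values are the clean state, so a missing key never fires.
    """
    findings = []
    for key, meaning in LOCKOUT_POLICIES.items():
        value = snapshot.get(key, 0)
        if value not in (0, None):
            path = key[0] + "\\" + key[1]
            findings.append(f"{meaning} ({path} = {value})")
    if snapshot.get((INET_SETTINGS, "ProxyEnable"), 0):
        server = str(snapshot.get((INET_SETTINGS, "ProxyServer"), ""))
        if server not in allowed_proxies:
            findings.append(f"unexpected proxy enabled: {server or '<empty>'}")
    pac = snapshot.get((INET_SETTINGS, "AutoConfigURL"))
    if pac:
        findings.append(f"proxy auto-config script set: {pac}")
    return findings


def read_live() -> Optional[Snapshot]:
    """Read the same values from the current user's hive; None off Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    snap: Snapshot = {}
    for subkey, name in list(LOCKOUT_POLICIES) + PROXY_VALUES:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as k:
                snap[(subkey, name)] = winreg.QueryValueEx(k, name)[0]
        except OSError:      # key or value absent: that is the clean state
            pass
    return snap


# Constructed snapshot resembling a machine locked out by rogue AV.
SAMPLE_SNAPSHOT: Snapshot = {
    (POLICY_SYSTEM, "DisableTaskMgr"): 1,
    (POLICY_SYSTEM, "DisableRegistryTools"): 1,
    (POLICY_EXPLORER, "NoControlPanel"): 1,
    (INET_SETTINGS, "ProxyEnable"): 1,
    (INET_SETTINGS, "ProxyServer"): "http=127.0.0.1:5555",
}

if __name__ == "__main__":
    snap = read_live()
    if snap is None:
        print("not on Windows; assessing the constructed sample instead")
        snap = SAMPLE_SNAPSHOT
    for line in assess(snap) or ["no lockout indicators found"]:
        print(line)
```

The policy values are only honoured under HKCU when a matching HKLM policy doesn't override them, so on a domain-joined machine compare against what Group Policy is supposed to set before calling a hit malicious. The proxy check is the one that most often explains "I can't reach any AV site": a loopback proxy with nothing listening fails every connection while leaving DNS and the hosts file untouched.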

  • Looking at these new screenshots, they STILL have fucking grammar issues. If I'm going to fall for something, it's not going to be an error page with spelling errors and unnecessary exclamation points. How hard would it be for these fuckers to find a native English speaker to proofread their shit for them? Jeez.
  • God I love lynx. Can't infect my shit.

    Of course, I have to borrow my neighbor's computer to post here; lynx doesn't do web 2.0.

    But I'm sure there'll be a lynxweb2.0 fork any time now...

  • The solution to this problem is to teach users to think for themselves, and to understand what's being asked of them. You sure as hell wouldn't trust a brand new doctor if he put you in for major surgery/medications after simply taking your weight ("Ooh, you're heavy, let's put a staple in your stomach"), why would you trust some inane browser message to do the same to your computer?

    Any user must know what their level of aptitude is, know their limitations, and think for themselves (which is not the same as
