Tuesday, May 3, 2011
Firefox Fake AV Alerts - Malware Trigger
Malware writers are opting for aggressive techniques to infect users with malicious programs. Browsers have always been the prime exploitation paradigm. What could be better than antivirus alerts in browsers? A recent trend involves manipulating Firefox (other browsers are supported too) to trigger malicious AV alerts, thereby forcing the user to download a malicious executable. For security researchers, detecting these alerts is not a hard task. However, normal users find themselves in havoc from the fear of being infected when they face these malicious alerts. In fact, this process exploits the ignorance, or one can say the fear, of users through social engineering tricks. In order to remove the malware from their system (the fake alert notifications), users intentionally install a malicious program on their machines.
Generally, these alerts are not browser specific but rather browser independent. It is also possible that these alerts trigger only when User Agent Based Fingerprinting (USBF) is done. There are many scenarios. The snapshot presented below shows how Firefox is manipulated.
On successful scans, it raises alerts for a lot of security issues, such as the presence of trojans, backdoors and rootkits. This is despite the hilarious fact that your system-level AV engine stays calm. Well, visualization of threats has its own implications. On completion of the scans, these alerts force users to install the following file (specific to the domain we are analyzing)
Further, Mozilla's built-in bad site reporting service works together with stopbadware.org. When the user ignores the warning, Firefox uses a redirection to send the user to the legitimate domain (stopbadware.org). That is something we all know.
User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:184.108.40.206) Gecko/20110420 Firefox/3.6.17 ( .NET CLR 3.5.30729; .NET4.0C)
(Status-Line) HTTP/1.1 302 Found
Date Tue, 03 May 2011 22:28:08 GMT
Keep-Alive timeout=20, max=996
Content-Type text/html; charset=iso-8859-1
This discussion clearly indicates how badly browsers are getting manipulated. Consequently, browsers are always at stake, and so are users, despite our protection efforts.