Tuesday, May 3, 2011

Firefox Fake AV Alerts - Malware Trigger


Malware writers are adopting aggressive techniques to infect users with malicious programs. Browsers have always been a prime exploitation target. What could be better than antivirus alerts in the browser? A recent trend involves manipulating Firefox (other browsers are supported too) to trigger malicious AV alerts, thereby forcing the user to download a malicious executable. For security researchers, detecting these alerts is not a hard task. However, normal users panic from the fear of being infected when they face these malicious alerts. In fact, this process exploits the ignorance, or one can say the fear, of users through social engineering tricks. In order to remove malware from the system (as reported by the fake alert notifications), users intentionally install a malicious program on their machines.

Generally, these alerts are not browser specific but browser independent. It is also possible that these alerts trigger only when User Agent Based Fingerprinting (USBF) is done. There are many scenarios. The snapshot presented below shows how Firefox is manipulated.



When the scan completes, the page reports a lot of security issues, such as the presence of trojans, backdoors and rootkits. Hilariously, your system-level AV engine stays calm throughout. Still, visualizing threats has its own effect. On completion of the scans, these alerts force users to install the following file (specific to the domain we are analyzing).


Further, Mozilla's built-in bad site reporting service works together with stopbadware.org. When the user ignores the warning, Firefox uses a redirection to send the user to the legitimate domain (stopbadware.org). That is something we all know.

[REQUEST]
GET /?hl=en-US&url=http%3A%2F%2Fupdate82.sashrod.ce.ms%2Findex.php%3FQ1Xhk9SJbYJGPXpjM%2FtL5is7E974ZjcioT7yKQchpNjVUC%2B1hEwpaVGuq1zgdVqksMShxC9dHBs2rpwYqQjCVkTeZbDJDe1pKU0ChURY HTTP/1.1
Host en-us.malware-error.mozilla.com
User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.17) Gecko/20110420 Firefox/3.6.17 ( .NET CLR 3.5.30729; .NET4.0C)
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language en-us,en;q=0.5
Accept-Encoding gzip,deflate
Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive 115
DNT 1
Connection keep-alive


[RESPONSE]

(Status-Line) HTTP/1.1 302 Found
Date Tue, 03 May 2011 22:28:08 GMT
Server Apache
X-Backend-Server pm-web02
Location http://www.stopbadware.org/firefox?hl=en-US&url=http%3A%2%2Fupdate82.sashrod.ce.ms%2Findex.php%3FQ1Xhk9SJbYJGPXpjM%2FtL5is7E974ZjcioT7yKQchpNjVUC%2B1hEwpaVGuq1zgdVqksMShxC9dHBs2rpwYqQjCVkTeZbDJDe1pKU0ChURY
Content-Length 394
Keep-Alive timeout=20, max=996
Connection Keep-Alive
Content-Type text/html; charset=iso-8859-1
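
As an added example (not code from the original post), the Python sketch below reads a request/response pair in the header-dump format shown above, recovers the blocked site from the url parameter, and checks that the 302 hands the same URL to stopbadware.org. The sample data and the host bad.example.test are constructed, and matching other locales by host suffix is an assumption.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed samples in the "Name value" dump style shown above (no colons);
# bad.example.test is a placeholder, not a host from the post.
SAMPLE_REQUEST = """GET /?hl=en-US&url=http%3A%2F%2Fbad.example.test%2Findex.php%3Fabc%2Fdef%2B1 HTTP/1.1
Host en-us.malware-error.mozilla.com
Accept-Language en-us,en;q=0.5
"""
SAMPLE_RESPONSE = """(Status-Line) HTTP/1.1 302 Found
Server Apache
Location http://www.stopbadware.org/firefox?hl=en-US&url=http%3A%2F%2Fbad.example.test%2Findex.php%3Fabc%2Fdef%2B1
"""

def parse_dump(text):
    """Split a dump into (first line, {lower-cased header name: value})."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(" ")
        headers[name.lower()] = value.strip()
    return lines[0], headers

def reported_url(target):
    """Return the percent-decoded 'url' query parameter of a URL, or None."""
    values = parse_qs(urlsplit(target).query).get("url")
    return values[0] if values else None

def triage(request_dump, response_dump):
    """Summarise a blocked-site click-through; None if it is not one."""
    request_line, req = parse_dump(request_dump)
    status_line, resp = parse_dump(response_dump)
    # Assumption: other locales use the same host suffix as en-us.
    if not req.get("host", "").lower().endswith(".malware-error.mozilla.com"):
        return None
    parts = request_line.split()
    blocked = reported_url(parts[1]) if len(parts) == 3 else None
    if blocked is None:
        return None
    location = resp.get("location", "")
    return {
        "blocked_url": blocked,
        "blocked_host": urlsplit(blocked).hostname,
        "redirected": "302" in status_line.split(),
        "to_stopbadware": urlsplit(location).hostname == "www.stopbadware.org",
        "url_preserved": reported_url(location) == blocked,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_REQUEST, SAMPLE_RESPONSE))
```

Run over proxy captures, the blocked_host values give a list of sites users tried to reach after Firefox had already flagged them.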

This discussion clearly shows how badly browsers are being manipulated. Consequently, browsers are always at stake, and so are users, despite our protection efforts.