Fake Browser Update Websites Serve Malicious Trojans
According to GFI Software, phony websites offering "browser upgrades" are currently being used to serve malicious software and divert end-users to survey sites, Help Net Security reported on January 30, 2012.
Recently, the company's researchers spotted one website that specifically dupes Firefox users into willingly downloading a so-called upgrade of their Web browser. According to them, the notification carries the logo of Mozilla's Firefox browser, and the website, falsely scanning the end-user's computer, displays web pages similar to those of fake anti-virus sites.
However, these web pages, belonging to aveonix(dot)org, vkernel(dot)org, stocknick(dot)org or smolvell(dot)org, can't determine which browser a site visitor uses, yet they present a bogus update alert related to Chrome/Firefox.
Moreover, these web pages encourage the user to download an executable file that GFI Software identified as Trojan.Win32.Generic!BT. When this Trojan is installed, new tabs or windows pop up within the browser and take the user to various survey sites.
Meanwhile, an end-user who runs the executable file allows the download and installation of software named Driver, which opens a 'Driver' folder containing two files: app.exe and uninstall.exe. The app.exe file, which the GFI investigators identified as Trojan-Spy.MSIL.Popclik.A, is actually malicious.
If run, the executable leads users to different survey sites through a newly created tab or window in the Web browser. As soon as these sites load, app.exe connects to different websites to download and deploy random software, including legitimate software, GFI notes.
Indeed, during 2010, Symantec detected a fake browser update campaign of the same type, in which Chrome and Firefox update alerts were forced on users through a dialog window. If downloaded, the .exe file appeared similar to a Security Tool, which was really rogue AV software exhibiting inflated pop-ups.
Praveen Vashishtha, a researcher at Symantec, wrote that in case savvier Web surfers didn't download the misleading .exe file, the websites sent them through several redirects to a malevolent site that hosted the notorious Phoenix attack toolkit. Whichbrowser.org published this on January 29, 2012.
While advised to remain cautious of these kinds of web pages and sites, users are urged to update their Web browsers through the update mechanism available by default.
» SPAMfighter News - 06-02-2012