Fake Adobe Flash Player Monitors Your Google Searches

Here's some information on a new piece of malware we found today that monitors your surfing in both Firefox and Internet Explorer and submits information on the sites you visit to a malicious server:


Fake Adobe Flash Player Monitors Your Google Searches

The malware, which is known to TrojanHunter as TrojanClicker.VB.395, basically hooks into both IE and FF (into the latter via a custom Firefox extension) and monitors what you search for and what sites you visit. It's currently being spread via malicious JavaScript code inserted into forum posts. The blog post shows you how you can detect if you have this malware on your system.

 

Thanks Magnus for the information!

You write in your blog:

Brian Krebs, in a recent Washington Post article, reiterated one of his rules:

"If you didn't go looking for it, don't install it."​

I'm emphasizing this with people I know: learn how your various applications update,
and do so only from the vendor's web site.

regards,

-rich

 

Thanks Rich, good advice there. I managed to get a screenshot of what the malicious pop-up looks like, so I have updated the blog post with that.

 

Magnus Mischel

Nice catch !

Rmus

Re "If you didn't go looking for it, don't install it."

Very good advice, but when it's something like this, a fake Flash update, a lot of people will presume it's FF just doing it's thing. Which is, it automatically looks for new updates to any Plugins etc every day, and if there are it will install them.

So i imagine many, even some savvy people, could/will get caught out by something like this innocently believing it's genuine.

I expect to see more of these types of exploits from now onwards, as it WILL fool plenty i'm sure.

 

I don't know how FF works, but I would not let it do anything like that automatically for major applications.

I advise people to go to the vendor's site for each application they use and see how the vendor notifies of updates/patches.

Some have security sites, such as Adobe:

Security bulletins and advisories
http://www.adobe.com/support/security/

I believe that people should take responsibility for maintaining their applications, especially the ones prone to being exploited.

It's not difficult to teach someone to do this -- it requires no technical expertise on their part. In this way, they don't get fooled into installing an update, since they know the proper procedure to take do this.

----
rich

 

What's got me stumped is "The installer for this seems to be spread via forum posts".

Virtually every forum package out there won't accept Javascript in posts, it will render it as plain text for instance:

<script type="text/javascript">
document.write("Hello i am Malware");
</script>

It must be like normal drive-bye exploits where the server/ftp/admin login is compromised and it's injected in to the actual page. If this is the case, any site is capable of containing the exploit not just forums.

Interesting though.

 

If you're using Firefox with NoScript

are you protected from the embeded malware?

 

I'm sure Noscript should help since it blocks Java and scripts.