Fake Adobe Flash Player Monitors Your Google Searches

Discussion in 'malware problems & news' started by Magnus Mischel, Aug 25, 2009.

Thread Status:
Not open for further replies.
  1. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    Here's some information on a new piece of malware we found today that monitors your surfing in both Firefox and Internet Explorer and submits information on the sites you visit to a malicious server:


    Fake Adobe Flash Player Monitors Your Google Searches


    The malware, which is known to TrojanHunter as TrojanClicker.VB.395, basically hooks into both IE and FF (into the latter via a custom Firefox extension) and monitors what you search for and what sites you visit. It's currently being spread via malicious JavaScript code inserted into forum posts. The blog post shows you how you can detect if you have this malware on your system.
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks Magnus for the information!

    You write in your blog:

    Brian Krebs, in a recent Washington Post article, reiterated one of his rules:

    "If you didn't go looking for it, don't install it."
    I'm emphasizing this with people I know: learn how your various applications update,
    and do so only from the vendor's web site.

    regards,

    -rich
     
  3. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    Thanks Rich, good advice there. I managed to get a screenshot of what the malicious pop-up looks like, so I have updated the blog post with that.
     
  4. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Magnus Mischel

    Nice catch!

    Rmus

    Re "If you didn't go looking for it, don't install it."

    Very good advice, but when it's something like this, a fake Flash update, a lot of people will presume it's FF just doing its thing. Which is, it automatically looks for new updates to any Plugins etc every day, and if there are it will install them.

    So I imagine many, even some savvy people, could/will get caught out by something like this innocently believing it's genuine.

    I expect to see more of these types of exploits from now onwards, as it WILL fool plenty I'm sure.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I don't know how FF works, but I would not let it do anything like that automatically for major applications.

    I advise people to go to the vendor's site for each application they use and see how the vendor notifies of updates/patches.

    Some have security sites, such as Adobe:

    Security bulletins and advisories
    http://www.adobe.com/support/security/
    I believe that people should take responsibility for maintaining their applications, especially the ones prone to being exploited.

    It's not difficult to teach someone to do this -- it requires no technical expertise on their part. In this way, they don't get fooled into installing an update, since they know the proper procedure to take to do this.

    ----
    rich
     
  6. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    What's got me stumped is "The installer for this seems to be spread via forum posts".

    Virtually every forum package out there won't accept JavaScript in posts, it will render it as plain text for instance:

    <script type="text/javascript">
    document.write("Hello i am Malware");
    </script>

    It must be like normal drive-by exploits where the server/ftp/admin login is compromised and it's injected into the actual page. If this is the case, any site is capable of containing the exploit not just forums.

    Interesting though.
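
The distinction drawn in the post above, as an added example that is not part of the original thread: a post body that is HTML-escaped on output renders as inert text, while markup placed in the page itself shows up as executable content. `renderPost`, `findActiveContent` and the sample markup are constructed for illustration, and the regex scan is a coarse heuristic, not an HTML parser.

```javascript
'use strict';

// Encode the five HTML-significant characters so a post body is displayed as text.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical forum template: author and body are escaped before insertion.
function renderPost(author, body) {
  return `<div class="post"><b>${escapeHtml(author)}</b><p>${escapeHtml(body)}</p></div>`;
}

// Heuristic audit of rendered HTML: report markup a browser would execute.
function findActiveContent(html) {
  const checks = [
    ['script element', /<script\b[^>]*>/gi],
    ['inline event handler', /<[a-z][^>]*\son[a-z]+\s*=/gi],
    ['javascript: URL', /(?:href|src)\s*=\s*["']?\s*javascript:/gi],
  ];
  const findings = [];
  for (const [kind, re] of checks) {
    for (const m of html.matchAll(re)) {
      findings.push({ kind, offset: m.index, snippet: m[0].slice(0, 60) });
    }
  }
  return findings.sort((a, b) => a.offset - b.offset);
}

// Constructed sample: the snippet quoted in the post, submitted as a post body.
const postBody =
  '<script type="text/javascript">\ndocument.write("Hello i am Malware");\n</script>';
const rendered = renderPost('1boss1', postBody);

// Constructed sample: the same post on a page whose template was altered
// server-side (the compromise case), with a placeholder URL.
const tamperedPage =
  `<html><body>${rendered}<script src="https://placeholder.invalid/x.js"></script></body></html>`;

console.log(rendered);                         // script tag appears as &lt;script ...
console.log(findActiveContent(rendered));      // no findings: the post is inert text
console.log(findActiveContent(tamperedPage));  // one finding, located after the post
```

A finding whose offset falls outside every post container points at the page or template rather than at user-submitted content.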
     
  7. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    If you're using Firefox with NoScript, are you protected from the embedded malware?
     
  8. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,122
    Location:
    Pennsylvania.
    I'm sure NoScript should help since it blocks Java and scripts.
     