Malicious Ads Push Fake Browser Updates

Thinking of updating your web browsers? Just make sure that you download from legitimate sources, instead of downloading malware disguised as browser updates onto your system.

Just recently, we were alerted to a report of several websites offering updates for Internet browsers like Firefox, Chrome, and Internet Explorer just to name some. Users may encounter these pages by clicking malicious ads.

The bad guys behind this threat made an effort to make this ruse appear legitimate. These pages, as seen below, were made to look like the browsers’ official sites. To further convince users to download the fake update, the sites even offers an integrated antivirus protection:

Instead of an update, users download a malware detected asJS_DLOADR.AET, which was found capable of changing the downloaded binary to have a different payload.

The malicious JavaScript, in turn, downloads TROJ_STARTPA.AET and saved it as http://{BLOCKED}browserupdate/install.exe. Based on our initial analysis, the Trojan modifies the user’s Internet Explorer home page to http://{BLOCKED}, a site that may host other malicious files that can further infect a user’s system.

My colleague Bob Pan attempted to access the related sites via mobile devices. Most of his attempts resulted to an error prompt, except when he tried using devices with Android version 2.3+, in which he was able to download the same file downloaded via a system.

Using the feedback from Smart Protection Network, we uncovered that as of Nov. 23, 2012, France has the most number of infection, followed by the United States and Spain.

Country Number of Infection
France 561
USA 473
Spain 192
Mexico 48
Australia 22

Software vendors release updates regularly to ensure that users get the latest features and improvements. But cybercriminals, unfortunately, may use this as a social engineering lure to hook users into downloading malware. It doesn’t help that these guys are making an effort to make their bogus sites look exactly like the real deal. Last October, we were alerted to legitimate-looking sites offering fake updates for Adobe, which is detected as TSPY_FAREIT.SMC.

To avoid this ruse, users must exclusively download updates from a legitimate source or the software vendor’s official websites. Many browsers also include an integrated auto-update feature. Users should also avoid clicking ads or visiting unknown URLs.

Trend Micro Smart Protection Network protects users from this threat by blocking access to these malicious sites. It also detects and deletes JS_DLOADR.AET and TROJ_STRATPA.AET if found in a user’s system.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Malicious Ads Push Fake Browser Updates

Read more: Malicious Ads Push Fake Browser Updates

Story added 27. November 2012, content source with full text you can find at link above.