NEWS FROM THE LAB - Wednesday, October 20, 2010

Reported Attack Site! - Security Tool's Latest Trick Posted by Response @ 06:38 GMT

Riding on Firefox's ability to block attack sites, Security Tool, a rogue antivirus application, is attempting a new trick. It wasn't too long ago when it utilized the Firefox Update Flash feature to push its wares.

This time, when an unsuspecting user visits the page, they get a very authentic-looking Firefox block page.

[Screenshot: Reported Attack Page]

But, this is no ordinary block page. It is special in the sense that it offers a download that you can install to update your browser!

[Screenshot: Reported Attack Page]

Brilliant, right? So yeah, an unsuspecting user may end up downloading the ff_secure_upd.exe file and installing the rogue AV.

Actually… if scripts are enabled in your browser, you don't even need to click on the "Download Updates!" button. The page will just offer the rogue to you:

[Screenshot: Reported Attack Page]

And it will refuse to let you go if you click "Cancel".

[Screenshot: Reported Attack Page]

After all, you should update your Firefox, right? And it is forgiving enough to give you a second chance to download again.

The ironic thing is, the page contains the clause "Some attack pages intentionally distribute harmful software". It might as well have added… "Which you can get by clicking on the button below".

Neat new trick and pretty sneaky. It also might just work. So do be careful when you see a "Firefox" block page: the clean one doesn't ask you to download anything. Here is a reminder of what a clean Firefox block page looks like:

[Screenshot: Reported Attack Page]

It kinda reminds one of an Alanis Morissette song…

Updated to add: Aiming for maximum distribution, the website apparently also has a block page for Google Chrome:

[Screenshot: Malware Detected!]

This time, it uses the filename chrome_secure_upd.exe for the rogue AV file.

Finally, there is an iframe within the page that loads a Phoenix exploit kit from a different site.
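The two tells described above (a "block page" that offers an .exe download, and a page that embeds an iframe from a different site) can be turned into a simple heuristic for scanning captured HTML. The following is an added example, not code from the original post or from F-Secure; the sample HTML and the hostnames in it are constructed for illustration, and the detector only looks at anchors, iframes and visible text.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Wording used by the real Firefox and Chrome block pages; the fake copies reuse it.
BLOCK_PAGE_PHRASES = ("reported attack page", "malware detected")


class _PageCollector(HTMLParser):
    """Collect anchor hrefs, iframe sources and visible text from one HTML document."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.iframes, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])

    def handle_data(self, data):
        self.text.append(data)


def fake_block_page_indicators(html, page_url):
    """Return findings for a page that imitates a browser block page, [] if none."""
    p = _PageCollector()
    p.feed(html)
    text = " ".join(p.text).lower()
    if not any(phrase in text for phrase in BLOCK_PAGE_PHRASES):
        return []  # not dressed up as a block page, so the heuristics do not apply
    findings = []
    for href in p.hrefs:
        if urlparse(href).path.lower().endswith(".exe"):
            findings.append(f"block page offers an executable download: {href}")
    page_host = urlparse(page_url).hostname
    for src in p.iframes:
        host = urlparse(src).hostname
        if host and host != page_host:
            findings.append(f"block page embeds an iframe from another site: {src}")
    return findings


# Constructed sample mimicking the rogue page: block-page wording, an .exe "update"
# and a hidden iframe pulled from a different (placeholder) host.
SAMPLE_FAKE_PAGE = """<html><body><h1>Reported Attack Page!</h1>
<p>Some attack pages intentionally distribute harmful software.</p>
<a href="http://fake-host.invalid/ff_secure_upd.exe">Download Updates!</a>
<iframe src="http://other-host.invalid/kit/" width="1" height="1"></iframe>
</body></html>"""

# Constructed sample of a legitimate block page: same wording, no download, no iframe.
SAMPLE_CLEAN_PAGE = """<html><body><h1>Reported Attack Page!</h1>
<a href="about:home">Get me out of here!</a></body></html>"""
```

Running `fake_block_page_indicators(SAMPLE_FAKE_PAGE, "http://fake-host.invalid/blocked.html")` reports both the .exe link and the cross-site iframe, while the clean sample yields no findings.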

(Credit goes to Patrik Runald of Websense for this additional information. Thanks Patrik! :) )

Response post by — Christine & Mina