

Malicious Pop-Ups Promise Browser Updates But Spread Malware

By Ken Presti
November 28, 2012    2:09 PM ET

Hackers are taking advantage of recent browser updates to trick users into downloading malware. Their malicious pop-ups appear to be genuine but redirect users to websites that serve malware rather than the browser update.

Internet Explorer, Firefox and Chrome have all issued recent browser updates, and users are advised to make sure that they only use downloads from trusted sources.

According to the website stopmalvertising.com, the attack redirects users to a malicious site located at securebrowserupdate.com, leveraging a pop-up window that tells them that their respective browsers are out of date. To make the scam appear genuine, the software behind the pop-up window can typically determine which browser is in use at the time. A number of options are presented for update, but none of the identifiers match current versions of either browser.


Victims who approve the update download JavaScript that drops a Trojan, which apparently resets the browser homepage to another malicious site carrying additional malware.

"The malicious JavaScript, in turn, downloads TROJ_STARTPA.AET and saved it as {Browser Download Path}\install.exe," wrote threats analyst Roddell Santos on the Trend Micro blog. "Based on our initial analysis, the Trojan modifies the user's Internet Explorer home page to http://{BLOCKED}rtpage.com, a site that may host other malicious files that can further infect a user's system."

In some circumstances, the software is believed to offer additional software, including AV packages and service packs, for download.

There is also evidence to suggest that users who access the sites using mobile devices are targeted for fraudulent SMS charges.

"The bad guys behind this threat made an effort to make this ruse appear legitimate," added Santos. "These pages ... were made to look like the browsers' official sites. To further convince users to download the fake update, the sites even offer an integrated antivirus protection."

According to Trend Micro's blog, France and the United States appear to be the most heavily targeted locations for the exploit.
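
For defenders, the chain described above (a visit to securebrowserupdate.com followed by a download saved as install.exe) can be hunted for in web proxy logs. The sketch below is an added example, not code from Trend Micro or stopmalvertising.com; the five-field log format, the sample lines, the 10-minute correlation window and the assumption that the downloaded URL's file name matches the saved name are all constructed for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

LURE_DOMAIN = "securebrowserupdate.com"   # domain named in the article
DROPPED_NAME = "install.exe"              # file name quoted from Trend Micro
WINDOW = timedelta(minutes=10)            # assumption: correlation window

# Constructed sample proxy log: time, client, method, URL, referer
SAMPLE_LOG = """\
2012-11-28T14:01:02 10.0.0.15 GET http://news.example/story.html -
2012-11-28T14:01:09 10.0.0.15 GET http://securebrowserupdate.com/ http://news.example/story.html
2012-11-28T14:01:40 10.0.0.15 GET http://cdn.example/files/install.exe http://securebrowserupdate.com/
2012-11-28T14:03:00 10.0.0.22 GET http://vendor.example/tools/install.exe http://vendor.example/
2012-11-28T14:05:00 10.0.0.31 GET http://www.SecureBrowserUpdate.com/chrome -
2012-11-28T14:06:00 10.0.0.40 GET http://notsecurebrowserupdate.com/ -
2012-11-28T14:30:00 10.0.0.31 GET http://mirror.example/Install.EXE -
"""

def is_lure(host):
    """True for the lure domain or any subdomain, not for look-alike suffixes."""
    host = (host or "").lower().rstrip(".")
    return host == LURE_DOMAIN or host.endswith("." + LURE_DOMAIN)

def find_fake_update_activity(log_text):
    """Return (client, reason, url) findings, in log order."""
    findings, last_lure = [], {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, client, _method, url, referer = parts
        when = datetime.fromisoformat(ts)
        target = urlsplit(url)
        if is_lure(target.hostname):
            last_lure[client] = when          # remember when this client hit the lure
            findings.append((client, "lure-visit", url))
            continue
        # Assumption: the URL's file name equals the saved name install.exe
        if target.path.rsplit("/", 1)[-1].lower() != DROPPED_NAME:
            continue
        from_lure = is_lure(urlsplit(referer).hostname)
        recent = client in last_lure and when - last_lure[client] <= WINDOW
        if from_lure or recent:
            findings.append((client, "install.exe-after-lure", url))
    return findings
```

Requiring a lure referer or a recent lure visit keeps ordinary installers named install.exe, such as the 10.0.0.22 line, out of the findings.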
