Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Click Fraud Malware Hides as Firefox Extension

  • Please log in to reply
2 replies to this topic

#1 tork


  • Members
  • 718 posts
  • Gender:Not Telling
  • Location:here
  • Local time:08:32 AM

Posted 30 August 2009 - 08:45 AM

Trend Micro threat analysts were alerted to the discovery of a spyware (detected as TSPY_EBOD.A) purporting to be an Adobe Flash Player update. Upon execution, the spyware creates a Firefox add-on called “Adobe Flash Player 0.2,” the installer of which uses JavaScript (detected as JS_EBOD.A) and appears to spread via forum posts....


...this new Firefox threat, which Trend Micro calls TSPY_EBOD.A, is using social engineering to trick users into installing it.

The extension is being offered on various forums via JavaScript as an Adobe Flash Player update. Once installed, it appears in the Add-ons Management window under the Extensions tab as "Adobe Flash Player 0.2." It is worth noting that the real Flash Player add-on for Firefox is actually a plug-in, which is listed under the Plugins tab as "Shockwave Flash [version number]."

This new piece of malware is actually a click fraud trojan, which injects ads into Google search-result pages. When these ads are clicked, the trojan's authors are receiving a small fee from the advertising network supplying them. ...


Additional information

...So how do you know if you have this trojan on your system? Any of these signs indicate that you’re infected:

* A running process named smc.exe Edit: Sygate Firewall also uses this process name so this is not a reliable indicator of infection.
* A Firefox plugin named “Adobe Flash Player 0.2″
* Having recently installed a file called install_flash_player.exe or Install_Flash.exe from an unknown source ...


Edited by tork, 30 August 2009 - 08:57 AM.

BC AdBot (Login to Remove)


#2 frankp316


  • Members
  • 2,677 posts
  • Local time:07:32 AM

Posted 30 August 2009 - 12:03 PM

Does this only affect Firefox users? It looks like its main purpose is to defraud Google Adsense.

Edited by frankp316, 30 August 2009 - 12:05 PM.

#3 ranger72


  • Members
  • 190 posts
  • Gender:Male
  • Location:Gulf of Maine
  • Local time:08:32 AM

Posted 02 September 2009 - 07:34 AM

Here is another link to ZDNET regarding this security issue: http://blogs.zdnet.com/security/?p=4164&tag=nl.e019

Hope this helps!


Edited by ranger72, 02 September 2009 - 07:35 AM.

So Much To Learn; So Little Time To Learn It In!

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users