
New Rogue Mimics Browser Warnings To Trick Users


10 replies to this topic

#1 Andrew

Andrew

    Bleepin' Night Watchman


  • Moderator
  • 8,259 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Right behind you
  • Local time:12:26 AM

Posted 07 September 2010 - 03:12 PM

Most, if not all, web browsers these days try to protect the user by detecting and warning about known malicious websites. A new tactic in use by purveyors of rogue security programs involves injecting malicious code into websites that detects which browser the user is running and displays a convincing fake warning:

Posted Image

The user is then prompted to download and install whatever the attacker wants (in this case, our good friend Win7 AV).

Microsoft Malware Protection Center article and analysis.

Win7 AV Removal Guide by Grinler

Edited by Andrew, 07 September 2010 - 03:13 PM.




#2 Layback Bear

Layback Bear

  • Members
  • 1,880 posts
  • OFFLINE
  • Gender:Male
  • Location:Northern Ohio
  • Local time:02:26 AM

Posted 14 September 2010 - 08:00 AM

I'm late reading this, sorry. It looks so real I can understand why people would be fooled. When I see something like this I don't click anything. I close the browser using Task Manager and run scans. Thanks Andrew!

#3 ABNINF

ABNINF

  • Members
  • 397 posts
  • OFFLINE
  • Gender:Male
  • Location:The Republic of Texas!
  • Local time:01:26 AM

Posted 10 November 2010 - 10:28 AM

This is just about exactly how I downloaded 'ThinkPoint' like an idiot. I feel stupid for doing it. MSE popped up and told me about a threat and asked to 'Clean the Computer'. I told it to do it. After it started removing the threat, a new window popped up that said it wanted to send one of the files to Microsoft .... Ok.

As soon as I clicked 'Ok' a new window popped up that was VERY convincing saying MS wanted me to download a new program to clean the infections ... the rest is history.

KC

#4 tnt4me

tnt4me

  • Members
  • 24 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal Canada
  • Local time:02:26 AM

Posted 13 December 2010 - 11:45 PM

Hello All,
Just wanted to warn our users that there is a potential for possible infection using the website OXID.COM to download the Cain&Abel network "sniffing" program (used for identifying wifi networks etc.). Luckily, while attempting to download the program, AVG caught it for me and took care of it. I'm not sure if it is the program itself that's infected or the website that replaces the desired program with their nasty infections. So users beware of OXID.COM.

#5 Nawtheasta

Nawtheasta

  • Members
  • 403 posts
  • OFFLINE
  • Location:New England, USA
  • Local time:03:26 AM

Posted 14 December 2010 - 08:28 PM

Animal responded to this post in a different topic. Animal advised that the bad web site is actually oxid.it.

#6 theoldguy

theoldguy

  • Members
  • 2 posts
  • OFFLINE
  • Local time:01:26 AM

Posted 28 December 2010 - 03:35 PM

I saw this today on a computer I am removing crypt.aezo from.

#7 Winterland

Winterland

  • Members
  • 995 posts
  • OFFLINE
  • Gender:Male
  • Location:The Land of Enchantment
  • Local time:01:26 AM

Posted 28 December 2010 - 06:35 PM

Andrew, thank you, thank you.

Showed the screen shots from the first link to my wife so she'd have a stronger idea of how real these rogues can look.

She's prone to viewing a lot of pictures of George Clooney, Robert Downey, etc., and thanks to the ALT + F4 (which I learned about from here) and also the Task Manager trick (which someone previously mentioned) she's been able to stay clean/virus/malware-free (for now!) when the 'pop ups' start to pop up, but it's always a blessing to have Bleeping and the forums to keep us up to date about what is out there, so again, thank you.

Winterland ~

Photobucket removed my cool flag - idiots!

 

Every calculation based on experience elsewhere fails in New Mexico.


#8 jacksonhill

jacksonhill

  • Members
  • 17 posts
  • OFFLINE
  • Local time:02:26 AM

Posted 30 December 2010 - 09:57 AM

Most, if not all, web browsers these days try to protect the user by detecting and warning about known malicious websites. A new tactic in use by purveyors of rogue security programs involves injecting malicious code into websites that detects which browser the user is running and displays a convincing fake warning:

Posted Image

The user is then prompted to download and install whatever the attacker wants (in this case, our good friend Win7 AV).

Microsoft Malware Protection Center article and analysis.

Win7 AV Removal Guide by Grinler


Hi. I've received this a few times and I'm pretty sure I clicked on the "get me out of here" the first time. The last time it appeared on my machine, I just closed the window.

How can we prevent this from happening in the future?

#9 Andrew

Andrew

    Bleepin' Night Watchman

  • Topic Starter

  • Moderator
  • 8,259 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Right behind you
  • Local time:12:26 AM

Posted 30 December 2010 - 01:47 PM

You can't, really, since whether or not the page is displayed has nothing to do with your computer's security. It's just a standard web page that's been crafted to trick you. Your only defenses are to either pay attention to what you click on or disconnect from the internet forever.

#10 Nawtheasta

Nawtheasta

  • Members
  • 403 posts
  • OFFLINE
  • Location:New England, USA
  • Local time:03:26 AM

Posted 30 December 2010 - 02:40 PM

What is the best way to get out of there if this type of page comes up? Back button or Task Manager / End application? I assume you DO NOT click anything inside the box.

#11 Andrew

Andrew

    Bleepin' Night Watchman

  • Topic Starter

  • Moderator
  • 8,259 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Right behind you
  • Local time:12:26 AM

Posted 30 December 2010 - 08:20 PM

I would simply navigate away from the page. But then again, I'm fairly fast and loose with my browsing so more conscientious users may want to close down Firefox the normal way and maybe make sure that the firefox.exe process terminates before starting it up again. You can, of course, mitigate the effects of this and most other attacks by running your browser without admin rights and/or in a sandbox.


What I do, in addition to running Firefox with DropMyRights in a Sandboxie sandbox, is to use the NoScript addon to neuter 99% of browser-based exploits by not allowing JavaScript, plugins (Java, Flash, Silverlight, etc.) and IFrames on untrusted sites.

Using these tools leads to a much safer (and quieter!) web browsing experience while still allowing sites I trust like Bleeping Computer to have rich content, movies, etc.

And by using DropMyRights and Sandboxie, any exploits that do get through will run without Admin rights and in a sandbox that prevents any permanent changes to my system.
