Fake Firefox update delivers malware, exploit kits

Malicious webpages masquerading as browser updates are being used by attackers as launch pads for Trojan viruses and exploit kits.

Malware researchers at GFI Labs have identified a website being used to trick Firefox users into updating their browser. The phony site is being used as a launch pad for malware.

Researchers have discovered a website tricking users into downloading a fake Firefox update. The site conducts a phony security scan and prompts the victim to install malware on their machine.

Parveen Vashishtha,
Symantec researcher

The site, which has been shut down, contained a Mozilla Firefox logo and a malicious executable file. Visitors to the site were greeted with a fake scan, a technique commonly used to push rogue antivirus software. After the bogus scan, the site suggests the user update their browser in order to be more protected from “different Internet dangers.”

The user is prompted to download the executable file, which GFI detected as Trojan.Win32.Generic!BT. Once the malicious program is installed, the malware opens new windows or tabs in browsers that direct to different survey pages.

“Based on multiple tests, minutes after the said pages load, this executable connects to various websites to download and install random programs, some of which may be legitimate,” said Jovi Umawing of GFI in the company’s blog. GFI Labs also identified several other websites running similar scams.

The technique, while not as widely used as fake antivirus or phishing, is not new.

A similar phony browser update scam was detected by Symantec in 2010. In that attack, according to Symantec, a dialogue box apparently forced Firefox and Chrome update notification windows to pop up. Once downloaded, the executable looks like a variation of Security Tool, a scareware application that displays exaggerated pop-ups.

“If more savvy users don’t download the misleading application executable, then these websites will redirect users to a website that, in turn, further redirects to a malicious website that is hosting the infamous Phoenix exploit kit,” wrote Symantec researcher Parveen Vashishtha.

Phoenix, which is heavily protected against detection by antivirus software, exploits vulnerabilities in Web browsers to deliver additional malware into the system.

Attackers have also attempted to trick users into installing bogus Microsoft security updates.

Dig deeper on Malware, Viruses, Trojans and Spyware

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close