Monthly Archives: September 2014

Avira

Browser Extensions that nobody wants… but a lot of people have!

Leave a comment

The marketplace for browser extensions is quite big. With Firefox alone, there have been more than four billion add-ons downloaded. But not every extension makes the user happy:

In the last couple weeks, we monitored rampant spreading of browser extensions with new machinery for harming the user – via the publishing of unwanted advertisements. The list of names of such extensions is long: Browsefox, Swiftbrowse, Betterbrowse, Browsesmart, Browseburst… All share the same two major traits: They user doesn’t want them, and they are hard to remove from the computer.

Of course, we’ve had our attention on this kind of browser extension, with the aim to protect and warn Avira customers about it. We tracked the extensions’ speed of global growth, created specific Avira Intelligent Repair System (AIRS) routines, and adjusted our engine detection to detect these types of unwanted browser extensions.

Finally, with the engine detection pattern “Adware/Browsefox.Gen,” included in Avira version 8.3.24.22, we took the first step forward.

And the first results are incredible:

Since the release of the engine version, we were able to recognize more than 20 million detections in the ‘Avira World’. And regarding the spreading of these extensions: During our initial research, we noticed extreme propagation for the browser extension in Germany. But after the release of the generic detection, we saw that even more regions in the world have these unwanted extensions installed. Now, we can see better their global movement.

extension-worldwide-detections

But what exactly are these browser extensions doing on your computer? Their primary goal is to make money. And, as mentioned, their means of doing such is, after the installation, to publish unwanted advertisements on your computer. For example, it will show coupons with their offers. And this is exactly their means of earning money. With each additional advertisement, the cash flows.

extension-ads

The list of names using this tactic is long. Very long. But if you take a look at some of their “official” websites, you will see that they are all related. They share the same style and options. Only the name of the product changes, along with different photos…

extension-ads-photos

Also interesting is the word ‘official’. We tried to find out the official company or person behind these sites, but there is no official contact information.

extension-blog

How would you get this extension? It would most likely be installed as a third-party software in other setups. For example, if you are looking for a new Internet Browser, search for it in your search engine of choice and pick the first offer – you will get an installer and won´t recognize that this installer was not from an official website. When starting the browser installation process, the extension will also be installed – silently. The behavior of these components is typically the same. They create new folders on your computer in the following directories. Here is one example with the extension ‘BrowseBurst’:

%PROGRAM FILES%BrowseBurst
bin
utilBrowseBurst.exe
BrowseBurst.BrowserAdapter.exe
FilterApp_C64.exe
BrowseBurst.PurBrowse64.exe
BrowseBurst.PurBrowse.exe
BrowseBurst
updater.exe

On the registry, there are some changes made by installing the extension:

HKLMSoftwareBrowseBurst
HKLMSoftwareWow6432NodeBrowseBurst
HKLMSoftwareMicrosoftInternet ExplorerApproved Extensions
Value: %CLSID%
HKLMSoftwareMicrosoftWindowsCurrentVersionexplorerBrowser Helper Objects{%CLSID%}
HKLMSoftwareMicrosoftWindowsCurrentVersionUninstallBrowseBurst
HKLM SYSTEMCurrentControlSetservices%ExtensionName%

The extension may contain options (Browser Helper Object) that the extension will load into the memory all the time. This is why the combination of detection and repair routine by AIRS is so important.

If you like to know more details about the extensions’ behaviors, our virus researchers have created a detailed description:

Adware/Browsefox.Gen: http://www.avira.com/en/support-threats-summary/tid/8495/tlang/en

The post Browser Extensions that nobody wants… but a lot of people have! appeared first on Avira Blog.

ESET

Beware overdue invoice malware attack, wrapped in an .ARJ file!

Leave a comment

If you’ve been messing around with technology for a while, you may remember the good old days of acoustic couplers, ZModem, and Bulletin Board Systems (BBSes).

These were the days before the worldwide web had taken off, when even the slowest broadband speeds would have been sheer fantasy.

And because getting an online connection was slow and sometimes flakey, it wasn’t at all uncommon for techies to compress their programs and downloadable files into tight little packages, to make the download as painless as possible for users. The most famous compression tool of all was PKZip, created by the late Phil Katz, and versions of the .ZIP file format are still widely used today in some circles.

But there were other data compression tools which competed for .ZIP’s crown, each with their own loyal bands of followers. And one of the most famous was .ARJ.

And, to be honest, ARJ was pretty cool.

So you can imagine my delight when I discovered today that .ARJ wasn’t entirely forgotten and consigned to the dusty annals of history. Instead, it is still being used – albeit by malware authors…

Here is an example of a typical malicious email, spammed out by online criminals:

Example of overdue invoice malware

<blockquote style=”margin: 15px;padding: 15px 15px 5px;border-left: 5px solid #ccc;font-size: 13px;
font-style: normal;font-family: ‘Helvetica Neue’, Helvetica, sans-serif;line-height: 19px;”>

Subject: Overdue invoice #14588516
Attached file: invc_2014-09-15_7689099765.arj

Morning,

I was hoping to hear from you by now. May I have payment on invoice #45322407834 today please, or would you like a further extension?

Best regards,
Mauro Reddin

Of course, the social engineering might have been a little better thought out. For instance, the invoice numbers quoted in the email don’t match each other.

But it’s easy to imagine how many users might be alarmed to hear that it is being suggested that they are being accused of a late payment, and would click on the attached .ARJ file without thinking of the possible consequences.

At that point the .ARJ file will decompress, spilling out its contents.

As Conrad Longmoore explains on the Dynamoo blog, inside the .ARJ archive file is an executable program – designed to infect your Windows computer.

Before you know it, your Windows PC could have been hijacked by a hacker and recruited into a botnet. Whereupon the remote attacker could command it to send spam on their behalf, launch denial-of-service attacks or steal your personal information.

That’s why you should always be wary of opening unsolicited files sent to you out of the blue via email.

The good news for users of ESET anti-virus products is that it is detected as a variant of Win32/Injector.BLWX. But if you are using a different vendor’s security product you may wish to double-check that it has been updated to protect against the threat.

The post Beware overdue invoice malware attack, wrapped in an .ARJ file! appeared first on We Live Security.