FakeAV Attacks - Increasing use of Java and realistic-looking product updates

Posted Sunday, October 24, 2010 9:19 AM by hwaldron

Trend Micro shares an informative analysis of how FakeAV attacks are using Java vulnerabilities (falling back to PDF exploits when Java cannot be exploited) and serving polished fake update pages that realistically mimic Internet Explorer, Firefox, and other vendor products.  Please be careful when applying any update offered to you while browsing: a page that tells you your browser is out of date and offers a download is not how Mozilla or Microsoft deliver updates, so get browser and plug-in updates only through the product's own update mechanism or the vendor's site.

FakeAV Attacks - Increasing use of Java and realistic-looking product updates
http://blog.trendmicro.com/fakeav-update-java-vulnerabilities-and-improved-fake-alerts/
http://krebsonsecurity.com/2010/10/microsoft-a-tidal-wave-of-java-exploitation/

QUOTE: FAKEAV doorway pages (a concept previously discussed in “Doorway Pages and Other FAKEAV Stealth Tactics”) are increasingly using Java vulnerabilities. In cases where these vulnerabilities cannot be exploited, PDF exploits are used instead. We detect the said Java and PDF exploits as JAVA_LOADER.HLL and TROJ_PIDIEF.HLL respectively.

This isn’t the only way FAKEAV has recently evolved, however. While browser-specific payloads and pages are not new, the pages being served up are more polished than before. Here are samples of two browser-specific pages we saw—one is for Internet Explorer while the other is for Firefox.

Both pages very closely mimic the actual interfaces of the aforementioned browsers. In Firefox’s case, not only did they mimic Mozilla’s site design, they also detected which browser version runs on a particular system. This kind of very specific and well-polished behavior can easily lead users to believe that the alerts they see are legitimate.
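As an added illustration of the browser-version detection described in the quote above (this is example code written for this post, not code from Trend Micro's analysis or from any FakeAV sample), the snippet below shows how a doorway page can read the User-Agent string to pick a lookalike "update" template and quote the visitor's real browser version back to them, followed by the check a user or proxy can apply against such pages. The sample User-Agent strings, the template file names, and the vendor host allowlist are all assumptions constructed for the example.

```javascript
// Added example: User-Agent sniffing of the kind a browser-specific FakeAV
// doorway page uses, plus a simple origin check against it.
// The User-Agent strings below are constructed for this example.
const SAMPLE_UAS = {
  firefox36: "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10",
  ie8: "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
  chrome7: "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7",
};

// Extract the browser family and full version from a User-Agent string.
// This is all the doorway page needs to say "Firefox 3.6.10 is out of date".
function detectBrowser(ua) {
  let m = ua.match(/Firefox\/(\d+(?:\.\d+)*)/);
  if (m) return { family: "firefox", version: m[1] };
  m = ua.match(/MSIE (\d+(?:\.\d+)*)/);
  if (m) return { family: "ie", version: m[1] };
  return { family: "other", version: null };
}

// Choose the lookalike page to serve. Template names are hypothetical;
// a real doorway page would render a Mozilla- or Microsoft-styled alert
// and offer the Java/PDF payload or the FakeAV installer as the "update".
function pickTemplate(ua) {
  const b = detectBrowser(ua);
  switch (b.family) {
    case "firefox":
      return { template: "mozilla-update.html", message: `Firefox ${b.version} is out of date.` };
    case "ie":
      return { template: "msie-update.html", message: `Internet Explorer ${b.version} is out of date.` };
    default:
      return { template: "generic-update.html", message: "Your browser is out of date." };
  }
}

// The check that defeats the lookalike: a genuine browser update never arrives
// as a download from an arbitrary site. The allowlist is an assumption for the
// example, not an exhaustive list of vendor domains. Note the suffix check
// rejects lookalike hosts such as "mozilla.org.update-now.example".
const VENDOR_HOSTS = ["mozilla.org", "mozilla.com", "microsoft.com", "windowsupdate.com"];
function isVendorHost(hostname) {
  const h = hostname.toLowerCase();
  return VENDOR_HOSTS.some((d) => h === d || h.endsWith("." + d));
}
```

Usage: `pickTemplate(navigator.userAgent)` is the doorway-page side; `isVendorHost(location.hostname)` is the side a user, browser extension, or proxy rule can apply before trusting an "update" offer, and it returns false for any host that merely contains a vendor name.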
