This morning I stumbled across what seems to be a new malware propagation technique: fake Google Chrome updates and a fake "media player" update designed to look as if it comes from Adobe.
Both are digitally signed with valid VeriSign code-signing certificates. This is not unprecedented, but it is very unusual for malware authors to use an expensive provider such as VeriSign. VeriSign's authentication services are now part of Symantec.
The fake Chrome update uses a logo similar to Chrome's, but clearly distinguishable from it. The page correctly identifies the installed version of Chrome (the current version) and then says that it "may be out of date".
The file is called Chrome_Security_Plugin_Setup.exe and is 1.74 MB. The version information in the file identifies it as "Express Install", version "3, 7, 1, 0". The publisher, also named in the VeriSign code-signing certificate, is "Small Installer".
According to VirusTotal on Friday morning, five of the 48 products recognized the file. Fortinet and ESET identified it as W32/Kryptik. A Fortinet blog entry from early this year described a different Kryptik variant focused on stealing FTP credentials and complimented the author on the high quality of the code.
The fake Adobe update is a little less clear about which product it is imitating. It instructs the user to "update your Media Player now [mandatory]" and uses the look of an Adobe update.
The file name is "12.exe Flash Player" and it is 814 KB. The publisher in the PE header and in the VeriSign code-signing certificate is identified as "Software of air", while the PE product name is "Adobe Flash Player", version 2.0.4.54. On VirusTotal, 9 of 48 engines detect it, often identifying it as adware.
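Both samples share one tell: a valid signature whose signer has nothing to do with the product the file claims to be. The following added example (my own code, not the author's) turns that observation into a triage check over PE version-info fields and the signing certificate's subject. The metadata values for the two samples are taken from the post above; the third sample, the dataclass layout, and the allowlist of expected signer substrings are constructed assumptions.

```python
"""Flag an installer whose claimed product does not match its code signer.

Added example, not code from the post. Field values for the two samples
come from the post; the allowlist and the legitimate sample are assumed.
"""
from dataclasses import dataclass

# Assumption: substrings expected in the signer subject for a product keyword
# found in the file name or ProductName. Real subject strings vary by vendor.
EXPECTED_SIGNER_SUBSTRINGS = {
    "chrome": ("google",),
    "flash player": ("adobe",),
    "media player": ("adobe", "microsoft"),
}


@dataclass
class PeMetadata:
    filename: str
    product_name: str      # VS_VERSIONINFO ProductName
    company_name: str      # VS_VERSIONINFO CompanyName
    signer_subject: str    # CN of the Authenticode signing cert, "" if unsigned
    signature_valid: bool  # result of chain validation, not mere presence


def findings(meta: PeMetadata) -> list:
    """Return human-readable mismatches; an empty list means nothing flagged.

    A valid signature is deliberately NOT treated as a pass: the check is
    whether the signer is the vendor the file impersonates.
    """
    out = []
    claimed = f"{meta.filename} {meta.product_name}".lower()
    signer = meta.signer_subject.lower()
    for keyword, signers in EXPECTED_SIGNER_SUBSTRINGS.items():
        if keyword not in claimed:
            continue
        if not meta.signature_valid or not signer:
            out.append(f"claims '{keyword}' but signature invalid or absent")
        elif not any(s in signer for s in signers):
            out.append(f"claims '{keyword}' but signed by '{meta.signer_subject}'")
    # CompanyName should also agree with the certificate subject.
    if signer and meta.company_name.lower() not in signer:
        out.append(f"CompanyName '{meta.company_name}' differs from signer "
                   f"'{meta.signer_subject}'")
    return out


# Values from the post for the two samples.
CHROME_SAMPLE = PeMetadata("Chrome_Security_Plugin_Setup.exe", "Express Install",
                           "Small Installer", "Small Installer", True)
FLASH_SAMPLE = PeMetadata("12.exe Flash Player", "Adobe Flash Player",
                          "Software of air", "Software of air", True)
# Constructed legitimate-looking sample (assumed signer string).
LEGIT_SAMPLE = PeMetadata("ChromeSetup.exe", "Google Chrome",
                          "Google Inc", "Google Inc", True)


def triage(samples=(CHROME_SAMPLE, FLASH_SAMPLE, LEGIT_SAMPLE)) -> dict:
    """Map each file name to its findings."""
    return {s.filename: findings(s) for s in samples}


if __name__ == "__main__":
    for name, notes in triage().items():
        print(name, "->", notes or "no mismatch")
```

The signer and version-info fields would in practice be read with a PE parser and an Authenticode verifier; the point of the rule is that "signed by a valid certificate" is a weak signal on its own, and the mismatch between what the file claims to be and who vouched for it is what is worth alerting on.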
I discovered the files by accident. Through a typo in the address bar I went to an address from which the browser was redirected a few times until it landed on a page that loads one of the two attacks described above. I have notified the administrative contact for the domain, which seems to be parked.
The first time I found the files, I was able to reach the pages without any problem. Shortly afterwards, the Google Safe Browsing API blocked access to them in Firefox and Chrome.
Larry Seltzer has been a recognized expert in technology, with an emphasis on mobile technology and security in recent years.