Threat Spotlight

For the week of 21 Sep 2009
Threat 1

Fake Firefox add-on Trojan spies on web activities

Threat Name:

Trojan: Troj/FFSpy-A

Users at Risk:

Firefox users

Also Known As:

  • Kaspersky: Trojan-Spy.JS.FFSpy.a
  • Ikarus: Trojan-Spy.JS.FFSpy
  • Symantec: Trojan Horse

Removal Instructions:

Please follow these instructions on how to remove Trojans.

About:

Troj/FFSpy-A is a fake "Adobe Flash Player v0.2" Firefox add-on, which monitors and intercepts web requests and then reports them to a third party.

The Trojan takes advantage of the heightened security awareness that followed recent updates to the Firefox browser and the Adobe Flash Player plugin: users who expect a Flash update are more inclined to install something that calls itself one. (Note that the latest version of Firefox checks whether the installed Adobe Flash Player is up to date and warns users if it finds an insecure version.)

The Trojan arrives as a 55kB NullSoft installer that uses the official Adobe Flash icon. When launched, FFSpy-A creates the following directory and installs its files there:

<CurrentUser>\Application Data\Adobe\Flash\

The active components are files named:

  • install.js
  • google.js
  • overlay.js

The malware will install even if Firefox is not present. Once installed, the add-on will appear in Firefox's add-on menu as "Adobe Flash Player v0.2." The option to disable the add-on is available; however, the uninstall function is not.
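The indicators above (the drop directory, the three file names and the bogus add-on name) can be checked on a Windows user profile without touching the installer. The following Python script is an added example, not code from the original spotlight or from Sophos: it scans a <CurrentUser> directory for the dropped files and looks for the "Adobe Flash Player v0.2" name in Firefox's install.rdf and extensions.rdf manifests. The Firefox profile layout under Application Data\Mozilla\Firefox\Profiles and the manifest file names are assumptions about the Firefox 3.x era layout, and the sample profile tree is constructed in a temporary directory.

```python
import tempfile
from pathlib import Path

# Indicators taken from the spotlight: drop directory, dropped files and the
# display name the add-on uses in Firefox's add-on list.
DROP_DIR = Path("Application Data") / "Adobe" / "Flash"
DROP_FILES = {"install.js", "google.js", "overlay.js"}
FAKE_ADDON_NAME = "Adobe Flash Player v0.2"

# Assumed Firefox 3.x profile layout: installed extensions are recorded in
# install.rdf (per extension) and extensions.rdf (per profile).
FF_PROFILES = Path("Application Data") / "Mozilla" / "Firefox" / "Profiles"
ADDON_MANIFESTS = {"install.rdf", "extensions.rdf"}


def scan_profile(user_profile):
    """Return a findings dict for one <CurrentUser> directory."""
    user_profile = Path(user_profile)
    findings = {"drop_dir_present": False, "dropped_files": [], "addon_hits": []}

    drop = user_profile / DROP_DIR
    if drop.is_dir():
        findings["drop_dir_present"] = True
        # The directory alone is weak evidence; the named .js files are the signal.
        findings["dropped_files"] = sorted(
            p.name for p in drop.iterdir() if p.name.lower() in DROP_FILES
        )

    profiles = user_profile / FF_PROFILES
    if profiles.is_dir():
        for manifest in profiles.rglob("*.rdf"):
            if manifest.name.lower() not in ADDON_MANIFESTS:
                continue
            try:
                text = manifest.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue  # unreadable manifest: skip rather than abort the scan
            if FAKE_ADDON_NAME in text:
                findings["addon_hits"].append(manifest.relative_to(user_profile).as_posix())

    findings["suspicious"] = bool(findings["dropped_files"]) or bool(findings["addon_hits"])
    return findings


def build_sample_profile(root, infected):
    """Construct a throwaway <CurrentUser> tree (sample data, not a real capture)."""
    root = Path(root)
    profile_dir = root / FF_PROFILES / "abcd1234.default"
    profile_dir.mkdir(parents=True)
    (profile_dir / "prefs.js").write_text("// constructed prefs\n")
    if infected:
        drop = root / DROP_DIR
        drop.mkdir(parents=True)
        for name in DROP_FILES:
            (drop / name).write_text("// placeholder file, not the Trojan's code\n")
        ext = profile_dir / "extensions" / "{constructed-id}"
        ext.mkdir(parents=True)
        (ext / "install.rdf").write_text(
            "<RDF><Description><em:name>%s</em:name></Description></RDF>\n" % FAKE_ADDON_NAME
        )
    return root


def run_demo():
    """Scan one constructed infected tree and one clean tree."""
    results = {}
    for label, infected in (("infected", True), ("clean", False)):
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_profile(tmp, infected)
            results[label] = scan_profile(tmp)
    return results


if __name__ == "__main__":
    for label, findings in run_demo().items():
        print(label, findings)
```

To use it on a real machine, call scan_profile() with the user's profile root (C:\Documents and Settings\<user> on Windows XP) instead of the constructed tree. Because a directory named Adobe may legitimately exist under Application Data, the script reports `suspicious` only when the named .js files or the add-on name are actually found.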

Threat 2

Malware lures users to download fake anti-virus

Threat Name:

Malware: Mal/FakeAvJs-A

Users at Risk:

Windows users

Also Known As:

  • Avira: HTML/FakeAlert
  • McAfee: HTML/FakeAV
  • Microsoft: Trojan:JS/FakeIA
  • Symantec: Trojan.Fakeavalert

Removal Instructions:

Please follow these instructions on how to remove generically detected files.

About:

Mal/FakeAvJs-A is a Trojan found on pages that display fake security scanning results and claim that there are threats on your computer. These pages also encourage you to download fake security software, known as FakeAV, from related websites. They will typically use repeated pop-ups and offer to download the software even if the user initially refuses. In some cases, the fake scanner may be automatically installed using browser vulnerabilities.

Users are directed to the fake scanning pages by social engineering and search engine optimization, which lures them with seemingly relevant search results. The static content of the fake scanning pages is normally plain HTML; JavaScript is normally responsible for the dynamic content, such as scanning progress bars, lists of bogus threats and pop-up dialogs.

The fake scanning software (installed as a result of visiting sites hosting Mal/FakeAvJs-A) is usually a member of the Troj/FakeAV family.

Threat 3

Malicious ads on New York Times website lead to Trojans

Threat Name:

Trojan: Troj/JSRedir-W

Users at Risk:

Windows users

Removal Instructions:

Please follow these instructions on how to remove Trojans.

About:

Between September 14 and 15, criminals used ads on the New York Times website to deliver false warnings about malware infections in an attempt to sell fake security software.

In order to carry out this attack, criminals bought ad space on nytimes.com by persuading the company that they were legitimate advertisers from Vonage. The criminals then posted ads containing a JavaScript Trojan, Troj/JSRedir-W, onto the New York Times website.

Innocent users who viewed the site saw pop-ups warning them of malware infections and were subsequently redirected to a site running Mal/FakeAvJs-A (see spotlight above). The malicious website delivered a fake security scanner known as Troj/FakeAV-AAS.

The attack via the New York Times website ended at around 2pm GMT on Monday September 15.

The malicious websites involved were based in China and used names based on popular celebrities or television shows, such as sex-in-the-city and Russell-brand. The sites delivering the fake security software were called protection-check07, online-antivir-scan09 and similar names. Both sets of sites were hosted on the same server.
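Threats 2 and 3 describe the same pipeline from the user's side: an ad or a search result, a redirect, a fake scanner page, then a download. In a web proxy log the same pipeline shows up as a referer chain ending at a host whose name follows the shape quoted above (protection-check07, online-antivir-scan09). The script below is an added example, not part of the original spotlight or a Sophos detection: it parses a constructed six-field proxy log (every hostname is invented and placed under the reserved .example domain, since the spotlight gives the site names without a suffix), flags requests to hosts that match that naming shape, and rebuilds the referer chain per client so an analyst can see where the redirect started. The naming heuristic and the log format are assumptions and should be tuned before use on real logs.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log (not a real capture): timestamp, client, method, URL,
# referer ('-' when absent), status.  All domains are invented .example names.
SAMPLE_LOG = """\
2009-09-14T13:02:11Z 10.0.0.5 GET http://www.nytimes.example/ - 200
2009-09-14T13:02:12Z 10.0.0.5 GET http://ads.adserver.example/show?id=77 http://www.nytimes.example/ 200
2009-09-14T13:02:13Z 10.0.0.5 GET http://cdn-redirect.example/go.js http://ads.adserver.example/show?id=77 200
2009-09-14T13:02:15Z 10.0.0.5 GET http://protection-check07.example/scan.php http://cdn-redirect.example/go.js 200
2009-09-14T13:02:16Z 10.0.0.5 GET http://protection-check07.example/download.php?f=setup.exe http://protection-check07.example/scan.php 200
2009-09-14T13:03:40Z 10.0.0.9 GET http://www.nytimes.example/ - 200
2009-09-14T13:03:41Z 10.0.0.9 GET http://ads.adserver.example/show?id=12 http://www.nytimes.example/ 200
2009-09-14T13:05:02Z 10.0.0.9 GET http://online-antivir-scan09.example/ http://search.example/q?s=russell+brand 200
"""

# The site names quoted in the spotlight (protection-check07, online-antivir-scan09)
# share a shape: security-flavoured words joined by hyphens, ending in two digits.
# This heuristic generalises that shape; it is an assumption, not a vendor signature.
FAKEAV_WORDS = ("antivir", "protection", "scan", "security", "check")


def looks_like_fakeav_host(host):
    """True when any label of the host mixes a security word with a two-digit suffix."""
    for label in host.lower().split("."):
        if re.search(r"\d{2}$", label) and any(w in label for w in FAKEAV_WORDS):
            return True
    return False


def parse_log(text):
    """Return (client, url, referer) tuples from the six-field constructed format."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines rather than abort the hunt
        _ts, client, _method, url, referer, _status = parts
        records.append((client, url, referer))
    return records


def referer_chain(records, client, url):
    """Walk referers backwards for one client to rebuild the path to a URL."""
    by_url = {u: r for c, u, r in records if c == client}
    chain, seen = [url], {url}
    ref = by_url.get(url, "-")
    while ref != "-" and ref not in seen:  # 'seen' guards against referer loops
        chain.insert(0, ref)
        seen.add(ref)
        ref = by_url.get(ref, "-")
    return chain


def hunt(text):
    """Return one finding per request to a FakeAV-looking host, with its chain."""
    records = parse_log(text)
    findings = []
    for client, url, _ref in records:
        host = urlsplit(url).hostname or ""
        if not looks_like_fakeav_host(host):
            continue
        hosts = []
        for hop in referer_chain(records, client, url):
            h = urlsplit(hop).hostname or ""
            if not hosts or hosts[-1] != h:
                hosts.append(h)  # collapse consecutive hops on the same host
        findings.append({
            "client": client,
            "host": host,
            "path": hosts,
            "download": ".exe" in url.lower(),  # the scanner page led to an installer
        })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["client"], " -> ".join(f["path"]), "(download)" if f["download"] else "")
```

The first client's chain starts at the news site and passes through the ad server and a redirector before reaching the fake scanner, which is the malvertising path of Threat 3; the second client arrives from a search result, the SEO lure of Threat 2. A finding with `download` set is the one worth triaging first, since it marks the host that handed out the installer.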