I used to decrypt the HTTPS communication and reveal the malicious file being downloaded from Google Docs.

UPDATE (08/16/13): The rogue Flash Player extension for Apple's Safari was signed with a valid Safari developer ID. (Hat tip to for spotting it.)

Fake Adobe Flash Player is known as a browser redirect/browser hijacker. Such products can affect the performance and appearance of every browser on your PC: Safari, Firefox, Chrome, Internet Explorer, Opera or any other browser could be affected by such a hijacker.

It belongs to "[email protected]" with Safari developer ID: E728F995AB.

As for Google Chrome, the extension has very invasive permissions. They are shown here in the manifest file:

[Screenshot: the extension's manifest file]

And the actual extension consists of this JavaScript:

[Screenshot: the extension's JavaScript]

In Firefox, the add-on is set to auto-update:

[Screenshot: Firefox add-on update settings]

Original story:

A fake Flash Player update, appropriately named FlashPlayer11.safariextz, is making the rounds right now. Shortly after being installed, it begins to inject very crude advertisements on any website you visit. For example, I visited pbskids.org, a site for children to play games and watch their favorite characters, when all of a sudden a pornographic advertisement was displayed.

[Screenshot: HTTP traffic capture from Fiddler showing ad networks]

It's easy to guess what the creators of this malicious extension are after. Online advertising is a billion dollar industry and everybody wants a piece of it. With such invasive adverts, cyber-crooks are likely to generate a lot of 'views' and even pay-per-click revenue.

If you believe you are seeing strange or inappropriate ads on the websites you regularly visit, it wouldn't hurt to check the extensions installed in your browser and remove the offending ones.

For the record, the rogue Safari was not detected by any of the vendors listed in VirusTotal at the time I uploaded it. However, the used to hijack other browsers was (Malwarebytes flags it as Trojan.ClickAgent.FLA).

I find it interesting that the bad guys are banking on the fact that people are now quite aware of how important it is to apply software updates. This is why you should always install updates from the vendor's official website to avoid nasty surprises.

Jerome Segura () is Senior Security Researcher at Malwarebytes.
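The post shows the Chrome variant's manifest only as a screenshot, so here is an added Python example (not code from the post or from Malwarebytes) that audits a Chrome extension manifest for the traits an ad-injecting add-on like this one depends on: host access to every site, traffic-interception permissions, a content script injected on all pages, and a self-hosted update URL. The manifest it parses is a constructed sample, not the real extension's.

```python
"""Flag invasive permissions in a Chrome/Chromium extension manifest.

Added example; the manifest below is constructed to resemble an
ad-injecting "Flash Player" extension, not the real one from the post."""
import json

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "http://*/*", "https://*/*", "*://*/*"}
# APIs that let an extension observe or rewrite browser traffic and tabs.
RISKY_PERMISSIONS = {"webRequest", "webRequestBlocking", "tabs",
                     "cookies", "webNavigation"}
# Extensions installed from the Chrome Web Store update from this host.
WEB_STORE_UPDATE_HOST = "clients2.google.com"


def audit_manifest(manifest: dict) -> list[str]:
    """Return one finding per risky trait found in the manifest."""
    findings = []
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("host_permissions", []))  # manifest v3 key
    if broad := perms & BROAD_HOSTS:
        findings.append(f"host access to every site: {sorted(broad)}")
    if risky := perms & RISKY_PERMISSIONS:
        findings.append(f"can observe/modify traffic or tabs: {sorted(risky)}")
    for script in manifest.get("content_scripts", []):
        if set(script.get("matches", [])) & BROAD_HOSTS:
            findings.append(
                f"content script injected on all pages: {script.get('js', [])}")
    update_url = manifest.get("update_url", "")
    if update_url and WEB_STORE_UPDATE_HOST not in update_url:
        # Self-hosted updates let the author swap the code at any time.
        findings.append(f"self-hosted update_url: {update_url}")
    return findings


# Constructed sample manifest (hypothetical URL and file names).
SAMPLE_MANIFEST = json.loads("""{
  "name": "Flash Player", "version": "11.0", "manifest_version": 2,
  "permissions": ["<all_urls>", "tabs", "webRequest", "webRequestBlocking"],
  "content_scripts": [{"matches": ["http://*/*", "https://*/*"],
                       "js": ["inject.js"], "run_at": "document_end"}],
  "update_url": "http://updates.example.invalid/flash/updates.xml"
}""")

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("-", finding)
```

Point it at `manifest.json` inside a profile's Extensions directory to review what an installed add-on can actually do.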