Fake Browser Updates Drop Shylock Malware

by Carol~ Moderator - 8/20/13 10:16 AM

ThreatTrack Security Labs:

We're no stranger to fake and often malicious Internet browsers that are served up on equally fake and malicious Web sites. These latest samples found by Matthew, one of our threat researchers in the AV Labs, are hosted on the domain, browseratrisk(dot)com.

It is found that once users access pages on this malicious domain with either Internet Explorer (IE), Firefox or Chrome, it opens a fake "update" page for the said browsers and auto-downloads the fake files. Below are screenshots of these pages:

[Screenshot: Fake Firefox - Shylock Dropper]
[Screenshot: Fake Chrome - Shylock Dropper]
[Screenshot: Fake IE - Shylock Dropper]

Users may find it difficult to close and navigate to other tabs after download, thanks to certain loop commands on the page's code, which we've seen before.

If users choose to install the downloaded fake browser updates, it then drops a variant of either Sirefef or Shylock/Caphaw malware, which VIPRE will detect as Win32.Malware!Drop. As you may recall, Shylock had hit the news in January of this year as the banking Trojan capable of using Skype chat to spread. Note that the dropped file may change at roughly every three to four hours.

The website server is also known to house Blackhole Exploit kits. Below are just some of pages of the domain that contains the said exploit:

Continued : http://www.threattracksecurity.com/it-blog/fake-browser-updates-drop-shylock-malware/