We've seen fake Flash updates for several years. A web page claims that the user is running an outdated version of Flash and must upgrade the plugin to watch a video; the "update" is actually a malicious executable.
This type of attack is still going on. Today, I was investigating such a malicious page. The page claims to be from xhamster.com, a free porn site. The fake video player shows a warning: "You need the latest version of Adobe Flash Player to play this video."
[Image: Fake porn video]
However, instead of downloading a malicious executable, the user is actually asked to download a fake Flash browser extension. There are different variants for different browsers: .XPI for Firefox, .CRX for Google Chrome, and .EXE (BHO + installer) for Internet Explorer.
[Image: Malicious extension for Firefox]
[Image: Extension installation on Firefox]
[Image: Fake extension installed]
- Executable (Internet Explorer): detected by 21/42 AV engines
- XPI (Firefox): 0 detected!
- CRX (Chrome): 0 detected!
[Image: Fake extension code after deobfuscation]
The files currently being pulled are not very dangerous, but that could change in the future. An invisible IFRAME is inserted into each newly loaded page. The IFRAME contains advertising from resultsz.com, and its URL contains a username. This tells me that the adware author gets paid for the traffic sent to this site, even though the infected user cannot actually see what is being loaded.
[Image: Remote file content after deobfuscation]
The author could change the remote file at any moment to do much more harm, such as stealing cookies to gain access to the user's accounts on any site, or stealing usernames and credentials as they are entered or from the browser's saved passwords.
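Since the XPI and CRX variants went completely undetected by AV, a static triage of the package itself is a useful first check. The Python script below is an added example, not code from the original post: it unwraps a CRX (v2 or v3) or XPI package (both wrap a zip), then flags scripts that create an IFRAME, hide an element, load a remote URL, carry an affiliate-style parameter, or use eval-style obfuscation. It runs against a constructed sample whose domain, user ID, key and signature are placeholders.

```python
import io
import re
import struct
import zipfile

# Indicator regexes applied to every script-like file; a hit is a triage lead for review, not proof.
INDICATORS = [
    ("creates_iframe", re.compile(r"createElement\(\s*[\"']iframe[\"']\s*\)")),
    ("hidden_element", re.compile(r"display\s*[:=]\s*[\"']?none|visibility\s*[:=]\s*[\"']?hidden|\b(?:width|height)\s*=\s*[\"']?0\b")),
    ("remote_load", re.compile(r"https?://[^\s\"']+")),
    ("affiliate_param", re.compile(r"[?&](?:user|uid|aff|ref)\w*=", re.I)),
    ("obfuscation", re.compile(r"\beval\s*\(|\bunescape\s*\(|String\.fromCharCode")),
]

def strip_crx_header(data: bytes) -> bytes:
    """Return the zip embedded in a CRX2/CRX3 package; XPI files are already plain zips."""
    if data[:4] != b"Cr24":
        return data
    version = struct.unpack("<I", data[4:8])[0]
    if version == 2:  # magic, version, key length, signature length, key, signature, zip
        key_len, sig_len = struct.unpack("<II", data[8:16])
        return data[16 + key_len + sig_len:]
    if version == 3:  # magic, version, header length, protobuf header, zip
        return data[12 + struct.unpack("<I", data[8:12])[0]:]
    raise ValueError(f"unsupported CRX version {version}")

def scan_extension(data: bytes) -> dict:
    """Map each triggered indicator to the package files (by name) that triggered it."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(strip_crx_header(data))) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".js", ".jsm", ".json", ".html")):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            for indicator, pattern in INDICATORS:
                if pattern.search(text):
                    hits.setdefault(indicator, []).append(name)
    return hits

def build_sample_crx() -> bytes:
    """Constructed CRX2 sample (dummy key/signature, placeholder domain and ID) mimicking the hidden ad IFRAME."""
    script = ('var f = document.createElement("iframe");\nf.style.display = "none";\n'
              'f.src = "http://ads.example.invalid/?user=PLACEHOLDER_ID";\ndocument.body.appendChild(f);\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "Flash Player Update", "content_scripts": [{"js": ["inject.js"]}]}')
        zf.writestr("inject.js", script)
    key = sig = b"\x00" * 8
    return b"Cr24" + struct.pack("<III", 2, len(key), len(sig)) + key + sig + buf.getvalue()
```

Calling `scan_extension(build_sample_crx())` on the constructed sample attributes every indicator except `obfuscation` to `inject.js`; on a real package, review each flagged file by hand before drawing conclusions.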