Blocking a Fake "Browser Update" Site
[A post from our internal blog last week, the roll-out of which was delayed due to a short family vacation... :) The junk site is still online, and the ad networks are still feeding it traffic, so it's worth a public run. --C.L.]
For the last two weeks (since 10/03), WebPulse has been seeing requests to a site called browserupdation.info (which is one of the better evil site names I've seen; we should seriously try to get this into wiktionary: "browser updation (n): (1) the act or process of updating your browser; (2) a malicious web site, acquiring its victims via malvertising").
It's offering "updates" to several popular browsers:
There are some giveaways to the shady nature of this site:
- The clumsy "//browser name//" instead of the browser you're actually using when you visit the site.
- The boilerplate use of the phrase "We are not affiliated nor partnered with Google Chrome", even if you're "updating" Internet Explorer or Firefox.
- The poor grammar of "Please Update The Latest Version Of ____"
Also, for those who might be using a different browser than the Big Three: When I looked through our logs, I didn't see any requests for Safari or Opera "updates".
I did, however, find an example of a "Thank You" page, presumably in case you took the bait and accepted the "update":
Out of hundreds of visits to the site, I'm happy to report that less than 10% of the visitors were fooled, and actually clicked on the "Accept and Install" button. (I'm even happier to report that WebPulse dynamically flagged all of the install requests as Suspicious, via its "Shady-EXE" module.)
The majority of the victim traffic was coming in from a couple of big WebAd networks: adnxs.com and doubleclick.com. (I've alerted contacts at both companies.)
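As an added illustration (not part of the original post), here is how the log review described above could be scripted against a web-proxy log: it counts distinct visitors to the site, how many of them fetched the installer EXE (the "Accept and Install" click), and which external domains referred them. The log lines, their field layout and the `registrable()` helper are constructed assumptions, not WebPulse data.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed proxy log lines (not real data): client, method, URL, status, referrer.
LOG_LINES = """\
10.1.1.5 GET http://browserupdation.info/?b=chrome 200 http://ib.adnxs.com/click?id=1
10.1.1.5 GET http://browserupdation.info/static/update.png 200 http://browserupdation.info/?b=chrome
10.1.1.7 GET http://browserupdation.info/?b=firefox 200 http://ad.doubleclick.com/adi/x
10.1.1.7 GET http://browserupdation.info/thankyou.php 200 http://browserupdation.info/?b=firefox
10.1.1.7 GET http://browserupdation.info/dl/firefox_update.exe 200 http://browserupdation.info/thankyou.php
10.1.1.9 GET http://browserupdation.info/?b=ie 200 http://ib.adnxs.com/click?id=2
10.1.1.9 GET http://browserupdation.info/?b=ie 200 http://ib.adnxs.com/click?id=2
10.1.1.12 GET http://download.mozilla.org/?product=firefox 302 -
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")
AD_NETWORKS = {"adnxs.com", "doubleclick.com"}   # the two networks named in the post
SITE = "browserupdation.info"

def registrable(host):
    """Crude eTLD+1 (last two labels); fine for the sample data, not a public-suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def analyze(lines, site=SITE):
    """Summarise traffic to `site`: visitors, EXE fetches, fooled %, referrers, flagged rows."""
    visitors, downloaders, referrers, flagged = set(), set(), Counter(), []
    for line in lines.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # skip lines that do not fit the assumed layout
        client, _method, url, _status, ref = m.groups()
        parts = urlsplit(url)
        if (parts.hostname or "") != site:
            continue
        visitors.add(client)
        ref_host = urlsplit(ref).hostname if ref != "-" else None
        if ref_host and registrable(ref_host) != site:   # count external referrers only
            referrers[registrable(ref_host)] += 1
        if parts.path.lower().endswith(".exe"):          # the install request itself
            downloaders.add(client)
            flagged.append((client, url))
    pct = 100.0 * len(downloaders) / len(visitors) if visitors else 0.0
    ad_referred = sum(c for d, c in referrers.items() if d in AD_NETWORKS)
    return {"visitors": len(visitors), "installs": len(downloaders), "fooled_pct": pct,
            "referrers": referrers, "ad_referred": ad_referred, "flagged": flagged}
```

Run on the sample, `analyze(LOG_LINES)` reports 3 visitors, 1 installer fetch and all external referrals coming from the two ad networks.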
Had we not been on guard and the EXE payload had gotten through, antivirus would not have been much help: only 2 out of 48 AV engines at VirusTotal flagged it when I tested. Since the detection rate was so low, I passed a copy of the file to my colleague Andy for some further analysis, and he provided the following screenshots.
Luckily, we're "only" dealing with a set of PUS (Potentially Unwanted Software) installs, not serious malware.
Hmmm... Even though we're running Internet Explorer, we're getting an "update" to Firefox. (I think this is because the installer I downloaded was probably coded for Firefox...)
Anyway, we're still in Internet Explorer at this point, "updating" it to Firefox, but we're already seeing additional "free offers" -- this notice is for a toolbar from AVG anti-virus:
...and we also get a free app from VideoSaver...
...and from PricePeep. (Hurray! That makes three new things to clog up our browser!)
One of AVG's features is to change your default search provider from Bing or Google to its own secure search, which will attempt to filter out dangerous links from its search results. (Note that this isn't necessarily a bad thing. Blue Coat also provides a couple of "safe search" sites of our own, which are worth a look: k9safesearch.com and wpsafesearch.com -- except that our versions don't just filter dangerous links; they also filter adult content from the results. It's nice to have an extra layer of protection on your searches, since Search Engine Poisoning is such a common attack vector.)
As we complete our "update" to Firefox, we're still in IE for the "Thank you" page...
...and our system is starting to load up with crapware:
Now, Firefox launches:
...and even though we already got AVG's toolbar installed for IE, above, we get it again, for Firefox this time:
In conclusion: It's disturbing that AVG and Firefox, two products that we like, are having their names dragged through the mud by a PUS network. If they are totally innocent in this case, fine. I suppose there's not a lot that a provider of free software can do to keep a fly-by-night site from bundling their software, and browserupdation.info was registered anonymously, so I understand that going after them for copyright violation would be a hassle.
However, if either company is involved in any sort of "pay per install" arrangement with this PUS network, I would advise them to stop. Gaining a few extra users isn't worth the hit to their reputation from hanging out with deceptive slimeballs. (I might add that the same goes for advertising networks who might be tempted to keep sending traffic to a site like browserupdation.info, because "it's only PUS, not malware" -- even after being alerted to its evil nature.)