
Malicious software spreading via Internet browser "Pop-up" windows

Vulnerability Description: Malicious software spreading via Internet browser "Pop-up" windows

Pertinent Details: Commonwealth Security and Risk Management staff have been reviewing reports of malicious software spreading via Internet browser "Pop-up" windows indicating that a virus or viruses have been detected on the local computer. The "Pop-up" window may also contain an alert that an update for the existing anti-virus program is available and should be downloaded to protect the local computer. These "Pop-up" windows will appear while the user is accessing information on the Internet. If the user selects the "Yes" prompt in the "Pop-up" window, the user will be prompted to download an executable file whose name currently is one of: AntiVirus-360, AV-360, MalwareProtector 2008, and AntiVirus XP 2009. Please note that these file names may change at any time. If users accept the download, malicious code will be installed onto their systems.

The fake anti-virus software is actually a trojan software program that is designed to entice the local user into purchasing a software product to remove malicious software. The fake anti-virus software will issue an alert stating that the local computer is infested with multiple virus programs. In actuality, the only malicious software program installed on the local computer is the fake anti-virus software.
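One way to act on the file names listed above is to check web proxy or download logs for them, as an added detection example that is not part of this advisory. It matches the name families loosely (separators, case and the trailing year are ignored, since those are what change between campaigns), so it also catches variants not listed here; the log format and the example.invalid host names are assumptions.

```python
import re
from urllib.parse import unquote, urlparse

# Patterns derived from the executable names the advisory lists (AntiVirus-360,
# AV-360, MalwareProtector 2008, AntiVirus XP 2009), applied to a normalised
# file name. The trailing number is left open because that is the part that
# changes between campaigns.
FAKE_AV_PATTERNS = [
    re.compile(r"^antivirus(xp)?\d{2,4}$"),
    re.compile(r"^av360$"),
    re.compile(r"^malwareprotector\d{2,4}$"),
]

def normalize(filename: str) -> str:
    """Drop executable extension and separators, lower-case: 'Anti_Virus XP-2009.exe' -> 'antivirusxp2009'."""
    base = re.sub(r"\.(exe|scr|msi|com)$", "", unquote(filename), flags=re.IGNORECASE)
    return re.sub(r"[\s\-_.]", "", base).lower()

def is_fake_av_name(filename: str) -> bool:
    """True when the file name matches one of the fake anti-virus name families."""
    name = normalize(filename)
    return any(p.match(name) for p in FAKE_AV_PATTERNS)

# Constructed proxy log lines (timestamp, client IP, method, URL, status); assumed format.
SAMPLE_PROXY_LOG = """\
2008-11-03T09:12:44Z 10.1.2.3 GET http://download.example.invalid/cdn/AntiVirus-360.exe 200
2008-11-03T09:13:01Z 10.1.2.3 GET http://download.example.invalid/img/logo.png 200
2008-11-03T09:15:27Z 10.1.2.9 GET http://download.example.invalid/dl/Antivirus_XP_2010.exe 200
2008-11-03T09:16:02Z 10.1.2.9 GET http://vendor.example.invalid/updates/definitions.cab 200
2008-11-03T09:18:40Z 10.1.2.15 GET http://download.example.invalid/get/MalwareProtector%202009.exe 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def find_fake_av_downloads(log_text: str) -> list:
    """Return (client_ip, file_name) for every request whose file name looks like a fake anti-virus download."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the expected format
        _ts, client, _method, url, _status = m.groups()
        file_name = unquote(urlparse(url).path.rsplit("/", 1)[-1])
        if is_fake_av_name(file_name):
            hits.append((client, file_name))
    return hits
```

Each hit identifies a client that should be treated as a reported incident and scanned, per the recommended actions below.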

Recommended Action:

Close the Internet browser "Pop-up" window using the "Alt-F4" key combination instead of using the "Close X" at the corner of the "Pop-up" window. The latest versions of the malicious software download routines create a fake "Close X" icon in the "Pop-up" window to trick users into executing the malicious software download command. Do not click on the "No" or "No Thanks" button inside the "Pop-up" window, as this button may be linked to a malicious script.

If a user does download any form of the fake anti-virus software, report the security incident. Scan the affected computer with an up-to-date anti-virus product to remove the malicious code.

Use caution when downloading and installing applications. Obtain software applications and updates directly from the vendor's website. Install and maintain anti-virus software, firewalls, and email filters to reduce the amount of unsolicited and unwanted traffic. Also advise users to never open attachments or click links contained in unsolicited email messages. Always examine the URL of a web site. Malicious web sites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain extension such as .com vs. .net. If the legitimacy of an email request needs to be verified, try to verify the origin of the email by contacting the company directly. Never use the contact information provided on a web site connected directly to the email request.

An additional step to help mitigate the risk of this type of campaign is to limit the administrative rights of local users through the implementation of the least-privilege best practice. Granting each local user only those system access rights required to perform the duties assigned to that user will reduce the impact of any exploit successfully downloaded to the local user's computer.