Scott Hanselman

If malware authors ever learn how to spell we're all screwed - the coming HTML5 malware apocalypse

June 29, '12 Comments [84] Posted in HTML5 | Musings
Sponsored By

Forgive the lousy screenshot and transparency in the title bar, but I just got this fake virus popup while searching for an image. I admit for a single moment my heart jumped.

A very scary fake virus popup

Then I thought after a few seconds as a techie (and note that all these observations just happened all at once in my head in no order):

  • The dialog is perfectly centered in the browser. I'm not sure why this was my #1 tipoff, but for me, it was the first thing I noticed.
  • This "popup" was as a result of a browser navigation. If it were legit I'd expect it to happen a little more asynchronously.
  • The word "migth" misspelling in the popup.
  • The fonts in the column headers are anti-aliased with one technique and the rest of the text doesn't  use ClearType while my machine does.
  • Poorly phrased English: "You need to clean your computer immediately to prevent the system crash."
  • There's no option other than "Clean computer." No ignore, repair, quarantine.
  • The word "computer" at the end of the first line goes too far to the right of the grid's right margin. It should have wrapped to the next line. Yes, I'm a UI nerd.
  • Their Aero theme color is GRAY and mine is BLUE.
  • Ctrl-Scroll ZOOMs the image. ;)
  • The URL is obvious nonsense.
  • Adware.Win32.Fraud? Seriously?

It's scary just to look at floating in your webpage there isn't it?

A scary fake virus popup

How is my Mom supposed to defend against this? Windows OR Mac (or tablets) the bad guys are out there, and one day they will finally learn English and put a little work and attention to detail into these things.

One day these things won't be "selectable" to prove to us that they are HTML:

I selected the virus to make it invert its colors to prove it's fake

As we enable HTML5 with local storage, geolocation, possibly native code and  and other features the bad guys will start doing the same with their malware. If you can write Doom in HTML5 there's nothing (except the skill and the will) to keep you from writing adware/scareware/malware in JavaScript. Not just the standard CSRF/XSS type JS - which is bad, I know, I used to be in banking - but sophisticated duplicates of trusted software accurately recreated entirely in HTML5/CSS3 and today's modern JS.

Google Offline Mail and extensions run in the background in my browser now, what's to say some future malware won't? Should we digitally sign HTML5 apps? Do more Extended Validation SSL Certificates? How do you defend against this?

What do you think, Dear Reader?

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by ORCS Web
Friday, June 29, 2012 6:18:14 PM UTC
I am not sure if signing would really help the main problem you pointed out which is the novice user lovingly known as Mom. She has done well with bogus emails which leads me to believe that education will always be king.
Friday, June 29, 2012 6:21:45 PM UTC
This isn't really anything new. It's scareware, and it's been the cause of the majority of infections I've seen in the past year and a half.

The only way to combat it is education. There will be infections--no doubt about it. But I've trained the people I support to contact me before clicking anything, regardless of the message displayed on the screen.
Friday, June 29, 2012 6:21:53 PM UTC
Valid point, Chris, but wouldn't you say that this one (save the misspelling) is still pretty good? How could I expect her to be that savvy and spot this?

I don't know about your Mom, but mine would leave it on the screen, take a picture and call me. ;)
Friday, June 29, 2012 6:22:04 PM UTC
Nice post
Pasham
Friday, June 29, 2012 6:30:33 PM UTC
You're right Scott... there are more than pretty and fancy things on HTML5... I'm pretty syre my mom and dad would have called me immediatly
Friday, June 29, 2012 6:30:43 PM UTC
My mom won't use a computer...problem solved :)
Friday, June 29, 2012 6:32:32 PM UTC
It's intentional to weed out everyone but the most gullible according to Microsoft Research:

http://www.technolog.msnbc.msn.com/technology/technolog/scammers-intentionally-write-lousy-emails-heres-why-837902

[)amien
Friday, June 29, 2012 6:34:46 PM UTC
The non-aliased fonts can also occur in real apps where the author has specified "MS Sans Serif" as it is a bitmap font. There is also a scalable version that will smooth/ClearType called "Microsoft Sans Serif" - I've seen real (older) apps mix the two.

[)amien
Friday, June 29, 2012 6:36:36 PM UTC
What happens when you press the button?
Just wondering how this could hurt you.
Friday, June 29, 2012 6:36:45 PM UTC
This is why we can't have nice things.
Friday, June 29, 2012 6:38:21 PM UTC
... and this is why, I'm already learning HTML 6.
Friday, June 29, 2012 6:44:48 PM UTC
Thanks for furthering their craft and telling them all they need to know to be more effective. ;)
Chris Cyvas
Friday, June 29, 2012 6:46:36 PM UTC
According to this interesting paper from MS Research, hackers and scammers actually get a benefit from mispellings and poor grammar. It tends to weed out anybody who's not extremely gullible: http://research.microsoft.com/pubs/167719/WhyFromNigeria.pdf
Friday, June 29, 2012 6:53:39 PM UTC
In my case, my family can actually dismiss this as fraud given their computer is in perfect Spanish.

Now being my computer is in English, if I saw this, I would be severely alarmed. But the first thing I would tell my people is:

"Check right next to the clock, if the icon down there is other than green then try grabbing then minimize the browser and deal with it, if it minimizes with the browser.... then it's fake"

I remember when these started to pop up back when vista was new. Its all over again. But this time... it has a little bit more of engineering.
Friday, June 29, 2012 7:00:41 PM UTC
HTML5 local storage is isolated on a per domain basis. The content sent down to your browser from custodiannetcomputer.in is prevented from executing when the gmail.com (or any other domain) pages are opened.
Friday, June 29, 2012 7:05:25 PM UTC
Exactly my man that is what I am talking about. Instead of trying to teach them that hey here is how you figure it out it would be call me to look at it or shut down the machine. keep it simple. I give people a hard time that click on a "joke" email from a person that Never sends them jokes.
Friday, June 29, 2012 7:12:45 PM UTC
Browser vendors could implement OCR to scan image text for keywords that indicate fake alerts like this, then alert the user, and forward any results to a central repository that is manually triaged and pushed back to clients in daily updates. This could be done with URLs, specific images, code snippets, etc. I assume some form of this already exists? In addition, the international community could probably do more to bring these criminals to justice.
Matt
Friday, June 29, 2012 7:16:14 PM UTC
I don't know about my Mom calling me if she saw that, the screen shot scared me so much I had to call her.
Friday, June 29, 2012 7:29:23 PM UTC
Just because browser is capable of running Doom doesn't mean it can exhibit same behavior malware does on the system, as these codes shouldn't be able to access anything outside of the context of the site, let alone system file system.

I believe it is mainly a scareware in form of installable application that is a main concern.
Friday, June 29, 2012 7:43:17 PM UTC
Correct me if I'm wrong, but WinRT is sandboxed only you can't install malware. This is a desktop problem.

The answer is to make sure your family only use sandboxed operating systems.
joe
Friday, June 29, 2012 7:47:06 PM UTC
Thank you for bringing this up Scott. Same sentiment here, and I indeed had to explain multiple times to my mom, wife and my daughter what scareware is but I think only my daughter got the idea. So far my solution was to let them use iPad for ‘safer’ web browsing. Technically EV certificates are the way to go but social engineering attacks should be probably countered...'socially' with something like a ‘social reputation’ rank for websites. Suppose you can link your browser bookmarks to your Facebook profile (Zuck sure will be happy). Share it according to your preferences and whitelist or blacklist by domain name or maybe even rank level of your trust. It would be nice to make such recommendations differently for each group of your contacts too. For example, you may want to recommend a site to your adult family members and ban it for children, etc. The only hard requirement I’d put on such list that sites must have an EV cert. Obviously Mom will have to be your Facebook contact (Zuck smiles again) and Mom’s browser, will need to have a trusted mode when only sites trusted by her FB contacts are allowed or have a noticeable indicator with the ‘social reputation rank’ for the site. Also in this mode browser (or a plugin) will intercept and warn about any jump-offs from trusted to untrusted sites or even cut external content like AdBlock. Just thought.
Friday, June 29, 2012 8:00:06 PM UTC
Their Aero theme color is GRAY and mine is BLUE.

BINGO!!!

They don't need trigger to fire. We can avoid to visit their site or take it as it is.

For unsophisticated users - Red is bed, Close your browser, OR educate them in this regards.

Friday, June 29, 2012 8:06:31 PM UTC
They can actually bypass the "selectable" thing by using a css background-image rather than an html img tag.
Tom
Friday, June 29, 2012 8:08:10 PM UTC
Google image search seems to have a big problem with this where a site where the full version of a picture is hosted often gets compromised. I narrowly missed pulling down one of these anti-virus viruses, despite having had two infections of these on a relative's laptop in the past from a similar window which appeared to closely match Microsoft Security Essentials.

I'm expecting it to get a lot worse with more and more active content.
Friday, June 29, 2012 8:14:02 PM UTC
I thought about signing Websites before. I'm very much in favor of it, because it could also protect against someone breaking into the server.

In particular, signing all javascript, css and static images certainly _can_ be done. It may require some additions to HTML5 to allow websites to directly pass JSON (embedded in the HTML) to javascript functions without doing this in javascript.
Johannes
Friday, June 29, 2012 8:16:42 PM UTC
This is why I've run a grease monkey script for a long time that goes straight to the image. As well ad block and all that.
greg
Friday, June 29, 2012 8:47:07 PM UTC
Tom you are not right images are also selectable, even with the background-image

the one CSS for selection is:

::selection {
<put some transparent colors to background and color>
}


for your selection

and as property

* {
user-select: none;
user-drag: none;
}
Friday, June 29, 2012 9:09:02 PM UTC
Real nice, Scott! Way to help the enemy :P
Friday, June 29, 2012 9:13:18 PM UTC
I'm a big fan of the browser telling me when I am at a not so reputable page. When chrome tells me to get the heck out of a website I usually listen to it.

I think as they get more advanced communication is key, the meta of all user experience will make scammers less effective.

Now if only there was a way to get these old people off of IE6 or Netscape Navigator.
Friday, June 29, 2012 9:36:52 PM UTC
I keep trying to deselect that image; it's throwing me off :-)
Friday, June 29, 2012 9:58:44 PM UTC
SSL/SPDY anyone? It's easy for a phishing site to obtain a valid certificate though.

You can do things like these a million ways, e.g. just sending an image attachment to someone's e-mail. What matters is what happens when you click on the link: it probably tries to sell you on something, get your credit card etc, which you must be *extremely* gullible to fall into, and doesn't depend on the fake image at all.
Manny
Friday, June 29, 2012 10:18:45 PM UTC
In my opinion, this is problem the OS itself has to solve.

One would be to allow application installs from one place -- what Windows 8 will do and what mobile OSes have been doing for a while.

Another way would be to have some kind of prompt, similar to a UAC prompt, that shows up every time (no exceptions) you're trying to install an application. It has to show up every time for it to work, and it has to do something other apps can't emulate. For example the entire desktop would shrink by 20%, or some other kind of UI clue, or force them to enter a password.

As long as there's a way to trick people, people will be tricked.
Peter
Friday, June 29, 2012 10:51:23 PM UTC
If it's HTML/JS on WWAHost than
it would be an OS Concern!
Else
a Browser Concern
End If
:)
Friday, June 29, 2012 10:59:37 PM UTC
Please stop using "My Mom" as the standard example for a naive computer user. It's plain everyday sexism.
pfs
Friday, June 29, 2012 11:00:30 PM UTC
You're not still using Web Of Trust?
Friday, June 29, 2012 11:04:56 PM UTC
I've found one of the most effective defences agains this - or any malware - is to only work through the the UI I trust when I'm not sure. If I get an e-mail pretending to be PayPal and asking me to take an action, I go log in to PayPal and see for myself. So in this case, if a prompt comes up that looks like antivirus, I go over to my antivirus in the taskbar and run a scan.

The rule of thumb is not to respond directly to user interface prompts I didn't initiate in some way.
Saturday, June 30, 2012 12:16:55 AM UTC
I kinda feel that the only reason that scareware like this can even exist is that we have been so programmed to manually react to security threats, and I'm not sure this needs to be the case. Why does a security threat even need user interaction?
Saturday, June 30, 2012 1:28:07 AM UTC

That's certainly impressive scareware, I'd click it!

As I understand it, for the most part, the browser and anti virus companies work in isolation.

An idea would be to have centralised 'malware authority' that holds information on known threats , their domains, spamlists , virus signatures etc.

Web clients and/or antivirus companies then subscribe to this authority, and further, obligated to share threat information with a focus on prevention rather than clean up.

Something along the lines of what the various standards bodies like W3C do. The authority could certify vendors as compliant.

Perhaps such is already in place but I haven't heard about it?
Saturday, June 30, 2012 1:35:51 AM UTC
Silverlight, I miss you already.
Silverlight dev
Saturday, June 30, 2012 2:24:08 AM UTC
When I sign into my bank account online, before I enter my password, my "site key" is displayed to me, which is a phrase and an image that I chose, so that I know that I'm giving the legit site my password. Maybe antivirus software could adopt this type of strategy so that any prompts also prominantly display your "key", so you can tell, at a glance, that it's the real deal.
Saturday, June 30, 2012 2:40:48 AM UTC
Clicking to see if it's selectable is probably bad advice; it would be trivial to intercept the mousedown anywhere within the page and trigger the same the same behavior that happens when you click the Clean Computer "button". Frankly I'm amazed that it wasn't written that way.
Saturday, June 30, 2012 3:09:23 AM UTC
I don't use Windows, so these attempts to scare me look hilariously fake and stupid. Of course I'm affected anyway because so many Windows users fall for it and turn their machines into spam bots. Luckily gmail is superb in dealing with spam. In the end a lot of energy is spent and nothing comes out of it, except the occasional chuckle.
Jorge
Saturday, June 30, 2012 3:30:41 AM UTC
Jorge - it is happening on Macs...as we speak.
Scott Hanselman
Saturday, June 30, 2012 10:19:31 AM UTC
Another nail in HTML5 coffin :P
HTML should not be a platform to write applications.
With all web technologies (especially something acient like HTML, DOM, ASP and PHP) young kids learn the anti-patterns of software development and it is the only thing they know.
So they think HTML5 is cool, but there are developer "gods" that created Java or .Net and they should not let "kids" make decision about were the future of development is heading.
It's like incompetent Steve Jobs was telling everyone to start developing web apps for iPhone v1...We know how that turned out...Maybe Microsoft should not have abandoned Silverlight for HTML5 after all :)
Saturday, June 30, 2012 10:30:15 AM UTC
If someone is smart - they would be running MOM's account as standard user account (and not admin) - so there is really not much of an issue even is she installs the crap, cause that crap would run only until she logs-off.
So tell your MOM to shut down computer every day ;)
Saturday, June 30, 2012 10:59:39 AM UTC
Ideally the OS would prevent an application like a browser from doing something evil, even if you clicked the button. That's where IE is going with download verification or GateKeeper on OS X 10.8 which only allows signed code to execute. The security model of iOS prevents apps from accessing the filesystem used by other apps.

What actually happens if you click Clean Computer on a fully patched Win7 machine with MSE and Chrome as the browser?
Saturday, June 30, 2012 1:40:52 PM UTC
I think I am going to agree that this is completely scary but I am surprised that Google Chrome is showing a warning. I tried to open the website and Chrome itself identified it as "Malware Detected!". I am wondering why in your case Chrome continued to render the page and even accept redirection.

Check this screenshot: http://grab.by/etUG

Muhammad Badi
Saturday, June 30, 2012 2:05:11 PM UTC
I think the issue here it's not if everyone of us, that have readed the post, can tell if it's fake or not. Only this year the amount of computers sold is about 174M. Maybe Scott can help me out with the hits that the blog has done so far, and do the maths. Malware development has grown over the last years and it has pass the OS barrier. RSA and Sony's breaches show us that doesn't need to be top tier malware to provoke major impacts (social engineering and SQLi, respectively).
Saturday, June 30, 2012 4:05:52 PM UTC
When I see stuff like this, I think to myself that if it didn't work, they wouldn't bother doing it.

The numerous warnings you saw work as a filter. They improve the conversion rate AFTER the first click by making sure only the most gullible people click through.

See also http://research.microsoft.com/pubs/167719/WhyFromNigeria.pdf
Saturday, June 30, 2012 4:22:21 PM UTC
Muhammad - Because I was the one that reported that site Google. Someone needs to be the first, right? I reported the site after this happened.
Scott Hanselman
Saturday, June 30, 2012 4:45:40 PM UTC
Well, after saying thanks for being the first one to report that I must say that I am impressed by how fast it was blocked/recognized. I thought that would take time until they review and confirm it. Impressive.

Speaking of web, I spent 2 minutes to find Google's malware submission page (http://google.com/safebrowsing/report_badware) and I think an official extension or a-button-kind-of-thing would be much better. I spent 2 minutes, others wouldn't go for that.
Muhammad Badi
Saturday, June 30, 2012 4:48:56 PM UTC
Two minutes? I googled "report bad site to google" and it was the first option. Took 10 seconds.
Scott Hanselman
Saturday, June 30, 2012 4:53:50 PM UTC
I think my search term was a big fail "malware site report chrome" but the results were interesting, tho. people complaining that chrome is displaying a warning for their own sites. My bad, I think. Also, a great catch :)
Muhammad Badi
Saturday, June 30, 2012 5:39:53 PM UTC
@pfs - my Mom actually *is* the least skilled (and malware prone) computer user in our house - self-admittedly. She's also absolutely brilliant in other areas. I don't think it's sexist to use her as an example of someone to be cognizant of when considering the average computer user's skill level in assessing a potential computer threat like this. I reject your conclusion that this is an indication of a sexist attitude... and she agrees. I'm sure other people have mom's who are software developers themselves, and dad's who are the equivalent of Homer Simpson - and surely they would use their dad as an example of the least skilled computer user in the house. It's unclear to me what you're intention is in trolling this blog and saying people are sexist. Scott does not strike me as a sexist type at all, and I don't even know the guy.
Matt
Saturday, June 30, 2012 11:13:06 PM UTC
This was a typo, not a case of "not knowing the spellings" :)
Saturday, June 30, 2012 11:38:03 PM UTC
Just a couple of comments

- One day these things won't be "selectable" to prove to us that they are HTML:


Possible to do, has been possible to do since way before HTML5.

- As we enable HTML5 with local storage, geolocation, possibly native code and and other features the bad guys will start doing the same with their malware.


Local storage is isolated on a per domain basis and it essentially a key-value store of strings.

Geolocation will always ask before locating and it will be inaccurate at best (unless device has GPS)

Native code at least currently seems very unlikely to happen across more browsers than one (Chrome) and it's also somewhat isolated as far as I know and will ask questions before allowing anything to run

- sophisticated duplicates of trusted software accurately recreated entirely in HTML5/CSS3 and today's modern JS.


It has been possible to write sophisticated duplicates of software in HTML/JS for quite a long time. It has certainly become more popular as more and more people are online nowadays.

- How do you defend against this?


All browser features such as you outline are designed with security in mind. Of course it's generally implemented as a box which asks the user whether or not they want to allow that

So in the end the security is only up to user education. Never accept anything you're not sure of.

Any good web developer could do a nearly perfect replication without the flaws you mention. Thankfully it seems malware authors are not good web developers...

On a side note, I love these "Oh no HTML5 is bad because it allows you to do this" comments...
Sunday, July 01, 2012 5:26:17 AM UTC
About 2 years ago, I had a crazy idea. Install Linux on my parent's computer. Amazingly, support calls dropped off immediately. Problem solved. I figure this puts everyone several years ahead of the bad guys actually doing anything to them.

@Matt- you nailed it. My mom can run circles around my dad in computer literacy. Mom can smell when something's not right, dad, not so much. About 2 months ago, someone called and said the computer had a virus or some such (dad picked up). He told mom to not touch the computer because of it, but mom inquired and told him that it was a total fake.
Sunday, July 01, 2012 11:41:00 AM UTC
Switch to Linux.
QS
Monday, July 02, 2012 3:47:18 AM UTC
I've just checked the link with my sandboxie(fied) browser and the link doesn't work. They might have removed the page. By the way I'm not also very good at English, what would be the correct version of "You need to clean your computer immediately to prevent the system crash." It looks fine to me
John
Monday, July 02, 2012 4:40:17 AM UTC
*sigh*
@pfs - your world is a very gloomy place isn't it?

Yes, there are plenty of older dads out there too who know little about computers. But now we're edging towards being AGEIST aren't we?

Scott's choice of target demographic for illustrative purposes is broadly true.
Chris
Monday, July 02, 2012 6:25:31 AM UTC
Put the OS on a chip, like back in the days of Commodore 64's and 128's. Bet it would be really tough to infect my C-128, still woring, but being used as a doorstop.

Does anyone know if there is a browser for it?
Gospace
Monday, July 02, 2012 7:28:01 AM UTC
See what this guy recommends to install on Mom's machine and install it on your own :-)

If you (or Mom) had the Web of Trust installed, this is what you would have seen when visiting an evil site like this. I'm installing this free tool on Mom's machine today. It's a browser plugin that uses other people's experience to augment yours!

http://www.hanselman.com/blog/WhatGeeksNeedToTellOurParentsAboutShoppingOnlineSafelyAndSecurely.aspx
Monday, July 02, 2012 8:25:01 AM UTC
I'm now officially scared. I have two sisters (and wife) that I know could be clicking this button... Hell I might as well after a Saturday night out...

But I have another idea. What if Windows put a user identity icon in window's title bar of every window that gets opened? In that case every window would have your own account image (or your image with some shortcut-like mini icon to system process running windows). That way these images could never have the correct image displayed and users would know that this window is not opened by their OS.

Another question for you Scott: You say that the browser centered image was the giveaway in your case. You browser wasn't in the maximized state then was it? Otherwise it would seem to be screen centered at least in horizontal space.
Monday, July 02, 2012 8:45:48 AM UTC
I mean like this (it's probably not possible to

Window with identity on http://i.imgur.com/qDPNl.png

This identity image could as well be almost completely transparent and when you'd be getting closer to it it would become more opaque also displaying your username or become bigger or something.

This would be jolly hard for malware authors to replicate. The effects can yould be yes, but not the image or name. And this could then be a system-wide solution.
Monday, July 02, 2012 1:32:11 PM UTC
I went to college with a guy that likes to write malware like what your article shows. Immediately I wanted to beat him in the face with a blunt object.

But honestly, spelling aside, it's bound to happen to Mom, Grandma or even Uncle Leo. Facebook has over 900,000,000 users. If I were to write anything, I would like at FB as the doorstep to 900,000,000+ homes world wide. You can send it to millions, and all it takes is a few people that doesn't know any better.

#SadTruth
Monday, July 02, 2012 1:34:16 PM UTC
@John,

"You need to clean your computer immediately to prevent the system crash."

I admit it doesn't jump off the page, but the big thing for me is "the system crash." If anything, it should be "a system crash."

Also, the wording is lazy. "clean your computer." Really? Like get out a bottle of window cleaner and some paper towels?

I started to write a better sentence, but I don't think I need to aid malware developers, but I'm sure if you give it some thought you could come up with something more legit sounding.
Monday, July 02, 2012 4:00:58 PM UTC
I think that if a Microsoft employee discover this problem now I understand now why Microsoft still defend HTML5 and Javascript. God...
Monday, July 02, 2012 6:17:25 PM UTC
This happened to my mother-in-law recently. She had the good sense to ask me about it before she touched anything. I used that as a learning opportunity for her and my wife on how to distinguish between a real security warning and a fake one. I could have gone into depth as you had done in your analysis above but I made it simple for them to understand. I explained that if you could select the title bar and move the window around, then it was probably real. You could also drag the browser window around to see if the other window moved with it.

@Robert Koritnik - I think your idea is an excellent one. Something needs to be build into the OS itself that clearly identifies real windows from fake ones. Custom security images are already used in many online banking sites when logging in so the concept should be familiar to most users.
Monday, July 02, 2012 7:00:58 PM UTC
Very insightful.

This just shows that HTML was never intended to be an application platform. But now that it's being forced to be one, it's almost like we've moved backward in time, forced to re-address problems that were already addressed years ago.
Monday, July 02, 2012 8:25:49 PM UTC
Why can't anti-virus software ask the user to choose an image or a photograph when they set up their software that displays any time they are going to communicate with the user?

This way, my mother could select a photo of say, her granddaughter at Easter, and any time she gets a popup she knows that unless she sees her cute little granddaughter in her Easter dress, that the message is likely a fraud, and she should not listen to anything it says.

But as Scott said, changing your default window color goes a long way to making frauds easier to spot. I hope Microsoft never removes 100% of the UI customization options in Windows.
Tuesday, July 03, 2012 8:55:04 AM UTC
Even if this was successful, it would still require the active installation of some software (the malware) by the end-user. So surely that's where we should concentrate our efforts.

I'm liking Apple's idea of developer certificates on OSX Mountain Lion (Gatekeeper) and vetting apps in the App Store. Also Windows 8 is getting an App Store. If both systems allow some way to force only software from App Stores, or from signed certificates, that would go along way to stopping this*

* I know the new OSX allows you to force App Store & signed apps only, and stop the installing of unsigned/non-verified apps (http://www.macworld.com/article/1165408/mountain_lion_hands_on_with_gatekeeper.html). One of the reason I'm trying to get my parents to buy a Mac, I could set this option and not worry about them getting virus. Hopefully, Windows 8 introduces a similar option.
Dominic Pettifer
Tuesday, July 03, 2012 5:28:34 PM UTC
Guess these Malware Authors need a better QA department!
=)
Wednesday, July 04, 2012 8:32:05 PM UTC
Part of the reason they are setting up the MS store in Windows 8 is it will be the only way to download programs to your machine, no more downloads via the web. Outside of that, all they have to do is sandbox the browser and they can infect things all they want, all you will have to do is restart the browser....
Thursday, July 05, 2012 1:14:20 PM UTC
The Process Exporer tool from Sysinternals has a "find window's process" target icon that you drag over a window to figure out what process is behind it.

It seems like something similar could be built into the OS UI that would show you information that could help determine how "legit" a window is. What process is it running under? What directory is the executable in? When was it installed? Maybe "where did this come from?"

Might not be enough to help mom figure out if something like this is real, but at least if she gives you a call it would give you enough clues to determine if it is bogus.
Friday, July 06, 2012 8:35:14 AM UTC
Well, it seems the solution is obvious after reading the posts.

1. Choose a language other than English. Preferably some obscure dialect.

2. Create some kind of hideous theme with the most terrible colors you can come up with.

Any fake notification will stand out in your desktop.
Now THAT will give those scammers a very hard time ;)
Friday, July 06, 2012 10:31:07 AM UTC
I actually know someone who was a victim of this.

I think the scam went something like this:

1. Legitimate websites are infected with malware that redirects users coming from certain sources (like google) to another page that shows this popup (this reduces the chances that the site owner will actually notice the infection, since they probably visit the site only by direct URL).
2. The user clicks "Clean computer".
3. The webpage uses browser vulnerabilities to install some malware on his/her computer.
4. The malware is essentially the same thing: it pops up every 5 minutes (very annoying) telling that is has found a virus (this time it's a real windows-popup). But this time to clean your computer you have to "buy the full version" of this software. So the user is scammed into giving away money, and possibly their credit card information. I don't know if you actually get rid of the popup that way, but the whole process is made to look as legitimate as possible and will probably fool most not-so-tech-savvy people.

Step 3 is something that should never happen. Yet, in our case the computer that got infected was a work laptop, which was restricted to IE 8, and where the user didn't even have permissions to install anything herself (yet a website seemed to have no problems doing so). The latter also prevented me from removing the malware myself, and the laptop had to be fixed by the company's IT staff, which probably took weeks.
There's a lesson in there somewhere ;)
Andrin Riiet
Sunday, July 08, 2012 11:48:55 PM UTC
I just found an interesting thing that is same with your screenshot.

If you search some picture on Bing.com, then click on the thumb to preview; you will automatically redirect to the malware page:

hxxp://scankeeperguarantor.pl/68efd410a6a48b3c/pr2/2/

Be careful to open the above link.

An example bing link:

hxxp://www.bing.com/images/search?q=todictionary&view=detail&id=047B96ED97DBA8AD5A11480E021747EE010DE568&FORM=IDFRIR

Anything wrong with BING.com,or my computer? :P
Terry
Monday, July 09, 2012 1:06:27 PM UTC
I can't imagine how many savy users would click it without even thinking.

There have always been shysters and conartists. They just adapt to new environments. They exist in the net and outside of it. We educate ourselves or protect ourselves and others from them but they just find new ways. It will be a never ending battle.
Monday, July 09, 2012 4:00:37 PM UTC
Wrong language, Wrong color's, Wrong Font, Wrong every thing...

Just customize your gui. I have mine like the old pascal editor...lol

So i only click yellow text on a blue page !
Tuesday, July 10, 2012 4:01:05 PM UTC
Came across exact same Fake MS Security Essentials Alert on a new domain: hxxp://wormsdetectordanger.pl/fdd91a64ce20e17d/pr2/

Blocked domain at work and reported it to Google.
Wednesday, July 11, 2012 6:36:07 PM UTC
Good post, I am noticing these more and more as well. As technologies progress we are entering into a scary place of what's real and what's malicious.
Thursday, July 12, 2012 7:05:48 PM UTC
Scott - thanks for the post! I've been seeing this kind of behavior elsewhere and was trying to figure out root cause. Is anyone familiar with what has happened on the host that serves this image up?
Thursday, July 12, 2012 11:57:05 PM UTC
This is a heads up for anyone else that lands on this thread. This seems to be hitting some web servers that are hosting ads via 3rd-party ad distributors.

If you're seeing this type of behavior on your site and you serve up 3rd-party ads, you may want to contact your ad provider and see if they're have been reports of this aberrant behavior from other customers.

http://securitywatch.pcmag.com/none/299326-mlb-com-serving-fake-antivirus-via-malicious-online-ads
Wednesday, July 25, 2012 9:59:12 AM UTC
You say you're an UI nerd, so how about making a popup distinguishable again by using...

... focus follows mouse.

Or if you don't want to change focus, maybe add a distinguishable border to the content canvas of the current window... eg. in pseudo-html... body:active {border: #FF0000 2px;}
while the border is visible, you're actually interacting with content within a browser session.

Real popup windows could point out their origin in their title bar.
Comments are closed.

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.