Security Community Blog

Misleading applications: How they fool the end users

Created: 25 Jun 2009 • Updated: 29 Jun 2009 • 4 comments
Posted by mon_raralio

Misleading applications are applications that pretend to do one thing while doing another. A good example is rogue security software that deceives or misleads users into thinking there are security issues with the computer they are currently using, and that installing the software is required to remove the “threat”.

They usually use a web browser pop-up styled to make the user think it is their Explorer window, and then show the computer being scanned. Earlier versions just showed a small pop-up (similar to the progress dialog you see when you do something with files, except this one pretends to scan).

I've come upon this at home while surfing the internet. The websites I had open were Facebook, YouTube, and Google (3 of the most visited sites in the world). Everybody I know visits these pages every now and then, and I'm pretty sure there is no malware on their sites. So there I was, looking into my profile, and I noticed that one of my friends had become a fan of someone. So I moved over to see what the fuss was all about. Then a few seconds later a new tab opened and showed what seemed like software scanning my supposed directory. After it finished scanning, it told me that my computer was infected with threats.

So what did I do? Naturally, I tried to humor myself and let it run for a few minutes while laughing out loud. By the way, please don't try this unless you are prepared for the consequences.

[Screenshot]

It seems to find malware in places that don't exist. I know how I set up my computer and I know there are no files like that on my PC. Plus the drive letters are all wrong. Anyway, what you see in the picture is a web page trying and failing to bypass the web browser to show the page as a full screen instead of just being in a tab. Also, notice the title bar on the small pop-up. When I move the pop-up, it disappears under the tab buttons, so I know it is part of the web page. After it finished “scanning”, it gave me a report of the malware present and the option to Remove or Cancel.

So what did I do next? You guessed it. I clicked on the equivalent of 'yes'.

[Screenshot]

So the download began. The makers of this software were good enough to add a script that would automatically execute the file upon completion of the download. But then my PC didn't know what to do with the file. It is at this point that I got bored and cancelled:

[Screenshot]

It just kept coming back again and again. This is where they got me. I couldn't stop the pop-up from coming back. I couldn't close the tab. And finally, when I closed the browser window and reopened it, all the toolbars were gone! Oh well, I just deleted the file that saves the last view/configuration of the software and things were back to normal. Yay!

In the corporate world, administrators want to be in control of the PCs on their network, and we should be: it is our heads that are on the line when it comes to the integrity of the systems. Users who are not given access to the AV (for fear that they would disable it) may think that no AV is installed at all, since we've hidden its icon and they probably don't bother looking for it under Programs. Clicking on one of these supposed anti-malware tools to install it then looks to them like the responsible thing to do. They'd probably just see what appears to be their file explorer running, with an AV looking into their system and finding all these nasty things in it. Some of this malware also gives them the impression that it is finding things their current AV cannot. Blocking these websites or keywords only works for a little while, until these companies get a new name and web hosting and go at it again.

Beyond having antivirus software installed and strictly kept up to date, and beyond awareness information for the end users, allowing them to change their desktop and Explorer appearance, or having your company replace the default appearance with a non-standard one, would add another layer of protection, though an extremely thin one. If an "Explorer" window shows up without their chosen text and color scheme, it should give them cause for alarm. I cannot be certain about the countermeasures for this, as I cannot control what each end user does to their PC. Programmers of misleading applications always find new ways to fool users, and sooner or later they will probably be good enough at it to fool enough users in your network to cause major problems. Just be glad that they haven't copied the appearance of well-known AVs on the market and gotten away with it... or have they?

Comments (4)

mon_raralio:

Did some minor edits. Realigned the pictures. I just found out how to edit blog posts today. :(

“Your most unhappy customers are your greatest source of learning.”

Hear4U:

I think we'll probably find more of this in the future, as the "scam" of routing money from Timbuktu to the US is fairly well known at this point...

Eric

check out the community at www.infoblox.com/community

Nel Ramos:

This is very helpful...
Your experience really pays off...
Thanks...

Nel Ramos

mon_raralio:

Thanks for the comments.

I did try to entertain one of those money laundering scams, the one with the girl seeking refuge in another country. Even when I said no in the kindest way I could, the fact that I was returning emails probably gave them the idea that I was interested. But I have long since deleted those emails. :)

“Your most unhappy customers are your greatest source of learning.”
