Bogus Chrome update offers shadow real updates
Malware masquerading as an update from Google makes a DNS request to a site connected to a Zeus botnet created with the Blackhole exploit kit
By Antone Gonsalves
January 11, 2013 — CSO — Google's recent upgrade of Chrome has sparked a new round of bogus Chrome updates from cybercriminals hoping to steal online banking credentials and cause other mayhem.
Google released the upgrade Thursday, improving the browser's performance and patching two dozen security vulnerabilities. Because Google refreshes the browser roughly every six to eight weeks, cybercriminals get a dependable, predictable window in which to lay traps for users.
Reusing tricks seen in the past, the snares are set on websites designed to look as if they belong to Google, security vendor GFI Software reported on Friday. The sites urge the visitor to "Update Google Chrome: To make sure that you're protected by the latest security updates."
People who try to download the file in Chrome get a warning that the file "appears malicious." Those who ignore it and do not hit the discard button download malware that has been seen on more than a dozen sites since October.
The Trojan, named google_chrome_update.exe, is designed to steal online banking credentials in order to make unauthorized wire transfers to the attackers' accounts. The malware is a member of the Zeus family, which is widely known for stealing bank account data and for monitoring Internet activity to harvest other personal data.
Indeed, the malware makes a DNS request to a site connected to a Zeus botnet created with the Blackhole exploit kit, Chris Boyd, a senior threat researcher for GFI, said in a blog post.
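The hunt a defender would run against a web proxy log for the lure described above, as an added example that is not from the CSO article or from GFI: it flags executable downloads whose filename mimics a browser update (the article's google_chrome_update.exe among them) but whose host is not the vendor's own. The log format, the vendor host suffixes and the sample log lines are constructed for illustration; the leading dot on each suffix is what stops a look-alike such as notgoogle.com or google.com.example.net from passing as the vendor.

```python
"""Flag browser-update look-alike executables fetched from non-vendor hosts.

Added example, not code from the CSO article or GFI. The proxy log format
(time client method url status bytes), the vendor host suffixes and the
sample entries are constructed assumptions for this illustration.
"""
import re
from urllib.parse import urlsplit

# Hosts from which a genuine installer/update for each product would come.
# Assumption for this example; in production derive it from vendor docs.
VENDOR_HOSTS = {
    "chrome": (".google.com", ".googleapis.com", ".gstatic.com"),
    "firefox": (".mozilla.org", ".mozilla.net"),
}

# Filenames a fake-update lure typically uses. google_chrome_update.exe from
# the article matches "chrome_update"; the other product names are assumed.
UPDATE_NAME = re.compile(r"(chrome|firefox)[_\-\s]?(update|setup|install(er)?)", re.I)
EXEC_EXTENSIONS = (".exe", ".msi", ".scr", ".bat", ".cmd")

# Constructed sample log: one genuine Chrome download, one fake Chrome update
# (the article's filename on a non-Google host), an image, and a fake Firefox
# update on an unrelated host.
SAMPLE_LOG = """\
2013-01-11T09:14:02Z 10.0.0.21 GET http://dl.google.com/chrome/install/ChromeSetup.exe 200 1023480
2013-01-11T09:15:44Z 10.0.0.33 GET http://chrome-update.example.net/google_chrome_update.exe 200 212992
2013-01-11T09:16:10Z 10.0.0.33 GET http://www.example.org/img/logo.png 200 4096
2013-01-11T09:17:55Z 10.0.0.40 GET http://update-browser.example.com/downloads/Firefox_Update.exe 200 188416
2013-01-11T09:18:01Z 10.0.0.40 GET http://www.google.com/chrome/ 200 8800
"""


def host_is_vendor(host, product):
    """True if host is the vendor apex or a subdomain of it (suffix match with the dot)."""
    host = host.lower().rstrip(".")
    return any(host == s[1:] or host.endswith(s) for s in VENDOR_HOSTS[product])


def classify_download(url):
    """Return 'vendor', 'suspicious' or None for a requested URL.

    None: not an executable, or its name does not look like a browser update.
    'vendor': update-named executable served from the product's own hosts.
    'suspicious': update-named executable served from anywhere else.
    """
    parts = urlsplit(url)
    path = parts.path.lower()
    if not path.endswith(EXEC_EXTENSIONS):
        return None
    filename = path.rsplit("/", 1)[-1]
    match = UPDATE_NAME.search(filename)
    if not match:
        return None
    product = match.group(1).lower()
    return "vendor" if host_is_vendor(parts.hostname or "", product) else "suspicious"


def scan_proxy_log(lines):
    """Return one finding dict per suspicious download in the log lines."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip blank or malformed lines rather than crash the hunt
        ts, client, _method, url, _status = fields[:5]
        if classify_download(url) == "suspicious":
            findings.append({"time": ts, "client": client, "url": url})
    return findings


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} {f['client']} fetched suspicious update lure: {f['url']}")
```

Run on the sample log this reports the two clients that fetched update-named executables from non-vendor hosts and stays quiet about the genuine ChromeSetup.exe from dl.google.com. A filename heuristic is deliberately narrow and easy to evade, so treat a hit as a lead to pivot on (the client's subsequent DNS requests, the file's signer) rather than a verdict.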
"Put simply, you don't want this anywhere near your computer, and users of Chrome curious about updates should simply read the information on the relevant Google Chrome support page," he said.
While bogus upgrades do not follow every Chrome update, GFI expects criminals to set more traps in the future. "We do expect [cybercriminals] to continue using fake browser upgrades to entice users into downloading their malware," said Dodi Glenn, an antivirus product manager for GFI.
Chrome is unlikely to be the only target of such attacks. "There have been several fake Firefox updates in 2011 and 2012 released into the wild," Glenn said.
Early last year, Google added malware download protection to Chrome. The feature blocks downloads from known malicious sites.
Apple Safari, Mozilla Firefox and Microsoft Internet Explorer have similar features. Nevertheless, no technical mechanism is foolproof, and security experts advise people to consider the reputation of the source before downloading a file.