IE9 versus Chrome: which one blocks malware better? The answer is IE9


Jordan_Tsafaridis

Dear colleagues of the community,

On 26-4-2011, an exceptionally thorough reliability and security test took place between Microsoft Internet Explorer 9 and Google Chrome. Below I quote the results of this test verbatim in English, along with the relevant links on the internet. (I hope you find it useful.)

Last week I looked at a fascinating sample of malware that specifically targeted users of Google Chrome. Over the past few days, I’ve been looking more closely at this particular malware attack, which appears to be widespread and extremely persistent.

Social engineering has become the dominant method of distribution for fake antivirus software. And most modern browsers, with one exception, do a terrible job of dealing with this type of threat. Current builds of Chrome display a terrible flaw that puts you at greater risk than its competitors. In my testing, a malware author was able to exploit Chrome in four easy clicks. In stark contrast, Internet Explorer 9 used some new technology to flag the exact same sites and files as suspicious, providing unmistakable warnings that have been shown to stop 95% of these attacks in their tracks.

I’ve captured the experience for both browsers in these two videos and in an accompanying screenshot gallery so you can see for yourself. And if you make it to page 3, you’ll read about the new reputation-based technology that’s given IE9 the lead.

First a little background. Fake antivirus software has been around for at least seven years, but this category of attack has exploded in popularity among bad guys in recent months. The technique is simple social engineering, and it works by scaring the target into thinking their system has been infected with a virus (or a whole bunch of them) and then offering to fix the problem—for a fee. The fake AV software often downloads additional Trojans and can actually cause the sort of problems it claims to be solving.

Here’s how it goes when you’re using Google Chrome 10 on Windows 7. Notice the attention to detail that the malware authors used in this attack. The dialog boxes and warning screens certainly look like they’re part of Google Chrome. (I recommend clicking the full-screen button in the lower right corner of the video clips below so you can see all the details in each one.)

Now here’s an attack from the same set of search results, this time gathered using Internet Explorer 9. The fake scan is a pretty decent imitation of a Windows 7 security screen. But the result is different.

By Ed Bott | April 25, 2011, 7:23pm PDT

Malware authors target Google Chrome

Every time I write about Internet Explorer, it’s usually a matter of minutes—sometimes even seconds—until someone in the Talkback section proclaims, smugly, that they’ve switched to Google Chrome or Firefox and are therefore immune from malware attacks.

They’re wrong, and malware authors have begun preying on users of alternative browsers to push dangerous software, including Trojans and scareware. The problem is that most malware attacks aren’t triggered by exploits that target vulnerabilities in code. Instead, according to one recent study, “users are four times more likely to come into contact with social engineering tactics as opposed to a site serving up an exploit.”

Follow-up: Malware attempts that use Apple-focused social engineering are now in the wild. I just found one via Google Image search. See for yourself: What a Mac malware attack looks like.

I found a perfect example yesterday, thanks to an alert from Silverlight developer Kevin Dente. He had typed in a simple set of search terms—Silverlight datagrid reorder columns—at Google.com, using the Google Chrome browser on Windows. You can follow along with what happened next in the screenshot gallery that accompanies this post.

The first page of Google search results included several perfectly good links, but the sixth result was booby trapped. Clicking that link in Google Chrome popped up this dialog box:

[Screenshot]

That led to a basic social engineering attack, but this one has a twist. It was customized for Chrome. If you’ve ever seen a Google Chrome security warning, you’ll recognize the distinctive, blood-red background, which this malware author has duplicated very effectively.

[Screenshot]

After the fake scan is complete, another dialog box comes up, warning that “Google Chrome recommends you to install proper software.”

[Screenshot]

That’s terrible grammar, and this social-engineering attack is likely to fail with an English-speaking victim, who should be suspicious of the odd wording. But a user whose primary language is something other than English might well be fooled. And the malware author has anticipated the possibility that you might click Cancel in the dialog box. If you do, it still tries to download the malicious software.

Each time I visited this page, the download I was offered was slightly different. My installed antivirus software (Microsoft Security Essentials) didn’t flag it as dangerous. When I submitted it to VirusTotal.com, only five of the 42 engines correctly identified it as a suspicious file. Less than 8 hours later, a second scan at VirusTotal was a little better. This time, eight engines confirmed that the file was suspicious. Microsoft’s virus definitions had been updated and a scan identified the rogue file as Win32/Defmid.

[Screenshot]

Panda and Prevx identified the file as “Suspicious” and “Medium risk malware,” respectively. BitDefender, F-Secure, and GData flagged it as “Gen:Trojan.Heur.FU.quX@am@e97ci.” AntiVir detected it as “TR/Crypt.XPACK.Gen.” Kaspersky says it is “Trojan-Downloader.Win32.FraudLoad.zdul.” Every other antivirus engine, as of a few minutes ago, waved this suspicious executable right through.

Meanwhile, back in the browser, Google Chrome’s warnings are completely generic. If you download the software it shows up in the Downloads folder looking perfectly innocent.

Interestingly, this set of “poisoned” search terms also affected Bing, although the dangerous search result was on a different site, which didn’t show up until the fifth page of search results. And the download that it offered was, apparently, a completely different Trojan/scareware product. But the end result would have been the same, regardless of which browser I was using.

This case study shows that malware authors are beginning to adapt to changing habits of PC users. There’s nothing inherently safer about alternative browsers—or even alternative operating systems, for that matter—and as users adapt, so do the bad guys.

Be careful out there.

 

 
