Malware authors target Google Chrome

Summary: Sorry, Windows users. Switching to a different browser than Internet Explorer won't immunize you from malware attacks. The bad guys have begun preying on that misplaced confidence to push dangerous software, including Trojans and scareware. Here's a live, very dangerous example.


Every time I write about Internet Explorer, it's usually a matter of minutes—sometimes even seconds—until someone in the Talkback section proclaims, smugly, that they’ve switched to Google Chrome or Firefox and are therefore immune from malware attacks.

They’re wrong, and malware authors have begun preying on users of alternative browsers to push dangerous software, including Trojans and scareware. The problem is that most malware attacks aren’t triggered by exploits that target vulnerabilities in code. Instead, according to one recent study, “users are four times more likely to come into contact with social engineering tactics as opposed to a site serving up an exploit.”

Follow-up: Malware attempts that use Apple-focused social engineering are now in the wild. I just found one via Google Image search. See for yourself: What a Mac malware attack looks like.

I found a perfect example yesterday, thanks to an alert from Silverlight developer Kevin Dente. He had typed in a simple set of search terms—Silverlight datagrid reorder columns—at, using the Google Chrome browser on Windows. You can follow along with what happened next in the screenshot gallery that accompanies this post.

The first page of Google search results included several perfectly good links, but the sixth result was booby trapped. Clicking that link in Google Chrome popped up this dialog box:

That led to a basic social engineering attack, but this one has a twist. It was customized for Chrome. If you’ve ever seen a Google Chrome security warning, you’ll recognize the distinctive, blood-red background, which this malware author has duplicated very effectively.

After the fake scan is complete, another dialog box comes up, warning that "Google Chrome recommends you to install proper software."

That’s terrible grammar, and this social-engineering attack is likely to fail with an English-speaking victim, who should be suspicious of the odd wording. But a user whose primary language is something other than English might well be fooled. And the malware author has anticipated the possibility that you might click Cancel in the dialog box. If you do, it still tries to download the malicious software.

Each time I visited this page, the download I was offered was slightly different. My installed antivirus software (Microsoft Security Essentials) didn’t flag it as dangerous. When I submitted it to, only five of the 42 engines correctly identified it as a suspicious file. Less than 8 hours later, a second scan at VirusTotal was a little better. This time, eight engines confirmed that the file was suspicious. Microsoft’s virus definitions had been updated and a scan identified the rogue file as Win32/Defmid.

Panda and Prevx identified the file as "Suspicious" and "Medium risk malware," respectively. BitDefender, F-Secure, and GData flagged it as "Gen:Trojan.Heur.FU.quX@am@e97ci." AntiVir detected it as "TR/Crypt.XPACK.Gen." Kaspersky says it is "Trojan-Downloader.Win32.FraudLoad.zdul." Every other antivirus engine, as of a few minutes ago, waved this suspicious executable right through.

Meanwhile, back in the browser, Google Chrome’s warnings are completely generic. If you download the software it shows up in the Downloads folder looking perfectly innocent.

Interestingly, this set of “poisoned” search terms also affected Bing, although the dangerous search result was on a different site, which didn’t show up until the fifth page of search results. And the download that it offered was, apparently, a completely different Trojan/scareware product. But the end result would have been the same, regardless of which browser I was using.

This case study shows that malware authors are beginning to adapt to changing habits of PC users. There’s nothing inherently safer about alternative browsers—or even alternative operating systems, for that matter—and as users adapt, so do the bad guys.

Be careful out there.

  • Have you seen one of these attacks in the wild?

    It was interesting to see this attack that targets Google Chrome users. Have you seen anything similar?
    Ed Bott
    • I wish you wouldn't start with "Windows users"!

      @Ed Bott
      It gives everyone else a smug FALSE sense of security!
      • RE: Malware authors target Google Chrome

        @kd5auq - since all of the files that Ed downloaded are .exe files, which don't open in either *nix or Mac without superhuman measures (in Linux, I'd have to manually change the permissions on the file to install it under WINE, for example), it's doubtful that those particular files are of any consequence to anyone but Windows users.

        Of course, I'm forwarding this to several of my Windows clients, so they know to keep an eye out for it, because even if they install it by mistake, I'm the one who gets to clean it up afterwards.
      • RE: Malware authors target Google Chrome

        There are lots of other ways to compromise a Mac other than EXE. Any hacker knows that. Scarier for Mac is how easy it is to infiltrate it without the user knowing it. I'd much rather have this happen on my PC because when I see something like that at least I know there is a malware attempt.
      • I'll bet if I click on that link in Linux

        ...nothing will happen.

        Please Ed! Tell me I'm wrong! :D

      • RE: Malware authors target Google Chrome

        @rengek: "There are lots of other ways to compromise a Mac other than EXE."

        Really. How would that work? Care to enlighten us?
        Andre Richards
      • There is only so much that can be done with ANY OS

        @LTV10 When you have users willing to click OK and they are logged in as an administrator or root or enter an admin password at a UAC prompt (or enter a root password at the almost identical prompt in Linux). If they know that password and they keep clicking OK and entering it, then they are basically screwed no matter what OS they are using.
      • Typical FUD from somebody who hasn't used it before

        @cornpie

        First of all, I actually did click on that link using Linux Mint and Firefox and nothing happened. No big red screen warning me "Danger Will Robinson! Danger..!". So in effect, you don't know what you're talking about.

        "When you have users willing to click OK and they are logged in as an administrator or root or enter an admin password at a UAC prompt (or enter a root password at the almost identical prompt in Linux)."

        Second of all, by default you log into Linux using a user account. You would have to consciously and deliberately log into your administrator account and then click on the link to see what will happen.

        And thirdly, even if you did consciously and deliberately click on that link after logging in as an admin, what do you expect would happen? Linux doesn't use any of the windoze file extensions in its system. No .exes No .dlls etc... so what would that malware attach itself to?

        And fourthly, there is no UAC in Linux, but given how windoze-centric you are, I fully understand how you would expect every other operating system and distro in the whole wide western world to copy Micro$oft.

        "If they know that password and they keep clicking OK and entering it, then they are basically screwed no matter what OS they are using."

        And I've given you the reasons above why your premise is patently ridiculous.

        Maybe you should try Linux sometime before you spread Fear, Uncertainty & Doubt.
      • RE: Malware authors target Google Chrome

        double posted
        tracy anne
    • RE: Malware authors target Google Chrome

      @Ed Bott , yes - I've seen the exact same thing. I promptly closed Chrome and scanned using MBAM, SAS & MSE. Luckily the machine has been fine.
      • RE: Malware authors target Google Chrome

        I usually use MSE for my primary a/v a/m but MBAM for the little buggers that get through that are fresh. I never have an issue with my computers but then again I know better and keep my stuff up to date.

        If a user does get their machine compromised then tell the user to F8 into safe mode with networking, download MBAM, Update and scan. This happened to my Sister the other day using a non updated machine and running newest Chrome browser.

        I use Firefox 4.0 with Adblock Plus and the malware domains subscription which usually blocks most threats from ever appearing at all. I also use MVPS Hosts file as a main gate bouncer keeping out more crap.
      • RE: Malware authors target Google Chrome

        I had a problem with suspicious activity on a machine running MSE. I ran the latest MBAM and a couple of others and found nothing. I ran an MSE update and re-scanned and got 4 Java criminals. MSE seems to be doing a good job with very recent disease vectors.
    • RE: Malware authors target Google Chrome

      @Ed Bott

      Do a google image search for ciclon and click the first image that comes up.
      • RE: Malware authors target Google Chrome

        Do not download the file, it is malware!
      • RE: Malware authors target Google Chrome

        @cspencer1113 lol what do u mean?
    • RE: Malware authors target Google Chrome

      @Ed Bott

      I saw this a few days ago, someone called me to their computer when the warning popped up. As you said, when I clicked Cancel it prompted for a download.

      The problem with what you have written is that it does not target Chrome in a technology sense. If it were to have executed the code, as opposed to initiating a download, I would agree. Chrome even asked if I wanted to download the file. Any website can attempt a download, it is just that this used the words "Google Chrome."

      In my opinion, this is nothing more than the "You are the winner from [your city]" cons.
      • RE: Malware authors target Google Chrome

        @JamesKelley: That was precisely the point. Browser, not relevant. OS, not relevant (in the larger sense. Other ways to infect *nix and Mac exist using the same social engineering). This example happened in Chrome for the author first and, as he said, would also have happened with Opera or Firefox... or IE.
      • RE: Malware authors target Google Chrome

        I get the point, but I just don't see why you would write such common sense in a tech blog. If this were aimed at 8 year old children using a computer for the first time I would understand, but it isn't.
      • RE: Malware authors target Google Chrome

        @JamesKelley The point that's being missed is that while it would happen in other browsers or OSes, it was designed to look like the warning page of Chrome to fool the end user. I've seen phony pop-up windows designed to look like Microsoft Windows alert boxes telling you to let it install software. Now, I naturally find these windows suspicious when I'm using Linux :-) but up until a few months ago I was using Windows and with less savvy users it could be very hard to tell the difference. The point is that it was specifically designed to fool Chrome users.

        Me, at the moment I'm running Opera on Linux. If I'm generous and assume 2% desktop share for Linux and 2.5% for Opera and ignore the fact that there's probably less use of a closed source browser on Linux than Windows, cause, like, software should be free, man ;-), that means there's probably about 0.0005% interest in targeting me for a social engineering attack. :-) Thanks to my previous comment making fun of other Linux users there's probably about 35% chance of being bitten by a penguin in the next six months however....