The Latest in IT Security

On Fake “F-Secure Security Pack” Malicious Browser Extension

07 Aug 2013

We have been following a malicious browser extension that claims to have been developed by various software companies.

The extension installs itself into the browser and makes posts to social media sites such as Twitter, Facebook and Google+ on the user’s behalf. One of the variants installs itself as “F-Secure Security Pack” — and trust us — it’s definitely not coming from us.

The installer for this malware is commonly a self-extracting WinRAR executable, although samples come packed in various other ways as well. We can take a peek at the contents of one of the samples:

[Screenshot: contents of the malware installer]

The listing shows what the installer carries: an extension for both Firefox and Chrome (the .xpi and .crx files).

The executables for this malware are signed with a certificate issued to a company called “VIDEO TECH PRODUCOES LTDA”:

[Screenshot: certificate information]

It’s unclear at this point if the certificate has been stolen or if there is some other connection between the company and the malware samples.

The installer registers an extension named “F-Secure Security Pack” for Chrome:

[Screenshot: Chrome extension registration]

The same happens for the Firefox browser, with slightly different registration details:

[Screenshot: Firefox extension registration]

Depending on the targeted region, the malware uses different brands as the name of the malicious extension. For example, we’ve seen “Chrome Service Pack” for China, Dr. Web for France and Kingsoft for Brazil:

[Screenshot: “Chrome Service Pack” extension]

[Screenshot: Dr. Web-branded plugin]

[Screenshot: Kingsoft-branded plugin]

The extension itself is quite simple. It fetches an update from a command and control server and uses the information in this update to post to different social media sites. The comments in the source code are in Portuguese, which also hints at the origin of the malware:

[Screenshot: extension source code with Portuguese comments]

Here’s an example of the update information the malware fetches from the command and control servers for Brazilian users:

[Screenshot: update data fetched from the command and control server for Brazilian users]

One of the settings automatically retweets a message. This setting was not enabled at the time of writing, but the message to be retweeted is still visible. We can see that this particular message has over 5000 retweets:

[Screenshot: retweet setting and the message with over 5000 retweets]

F-Secure detects this malware as Trojan.FBSuper or various other heuristic detection names, depending on the variant.

SHA-1: 6287b03f038545a668ba20df773f6599c1eb45a2
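As an added triage example (not F-Secure's code and not from the original post), the script below flags a Chrome extension manifest whose name borrows one of the vendor brands listed above and that also requests access to the social-media sites the extension posts to. It assumes the standard Chrome manifest format and a Chrome profile's Extensions/<id>/<version>/manifest.json layout; the sample manifest is constructed for illustration.

```python
import json
from pathlib import Path

# Vendor brands the campaign borrowed for its extension names (from the post).
SPOOFED_BRANDS = ("f-secure", "chrome service pack", "dr.web", "dr. web", "kingsoft")
# Sites the extension posts to on the victim's behalf (from the post).
SOCIAL_HOSTS = ("twitter.com", "facebook.com", "plus.google.com")

def hosts_requested(manifest: dict) -> set[str]:
    """Hosts named by host permissions and content_scripts.matches ('*' means any host)."""
    patterns = list(manifest.get("permissions", []))
    for script in manifest.get("content_scripts", []):
        patterns.extend(script.get("matches", []))
    hosts = set()
    for pattern in patterns:
        if "://" in pattern:  # scheme://host/path match pattern; strip leading wildcards
            hosts.add(pattern.split("://", 1)[1].split("/", 1)[0].lstrip("*.") or "*")
        elif pattern == "<all_urls>":
            hosts.add("*")
    return hosts

def triage_manifest(manifest: dict) -> list[str]:
    """Reasons this manifest resembles the campaign; an empty list means no match."""
    name = manifest.get("name", "")
    brand = next((b for b in SPOOFED_BRANDS if b in name.lower()), None)
    if brand is None:
        return []  # borrowing a security vendor's brand is the campaign's defining trait
    reasons = [f"name {name!r} borrows vendor brand {brand!r}"]
    hosts = hosts_requested(manifest)
    social = sorted(h for h in hosts if any(h == s or h.endswith("." + s) for s in SOCIAL_HOSTS))
    if social:
        reasons.append("can inject into social-media hosts: " + ", ".join(social))
    return reasons

def triage_extensions_dir(root: Path) -> dict[str, list[str]]:
    """Triage every Extensions/<id>/<version>/manifest.json under a Chrome profile."""
    findings = {}
    for manifest_file in root.glob("*/*/manifest.json"):
        try:
            reasons = triage_manifest(json.loads(manifest_file.read_text(encoding="utf-8")))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it rather than abort the scan
        if reasons:
            findings[str(manifest_file.parent)] = reasons
    return findings

# Constructed manifest that copies the campaign's naming; not a real sample from the post.
SAMPLE_MANIFEST = {"name": "F-Secure Security Pack", "permissions": ["tabs", "http://*/*"],
                   "content_scripts": [{"matches": ["*://*.facebook.com/*", "*://twitter.com/*",
                                                    "*://plus.google.com/*"], "js": ["content.js"]}]}
```

Point `triage_extensions_dir` at a profile's Extensions folder to get a mapping of flagged extension directories to the reasons they matched.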
