"Windows Security" page in IE8

Discussion in 'Virus Information' started by MIG, Jul 31, 2011.

  1. MIG

    MIG Guest

    Today I was browsing using IE8 on XP and a, surely fake, "Windows
    Security" page came up, appearing to find a number of plausible
    looking threats and offering me a button to "start protection". There
    were some red flashing warnings, including one saying that Windows
    Security was infected. All very clever.

    The thing is, this was in IE, but was made to look like Windows
    Explorer, and the address bar wasn't showing anything local but
    showed

    http://xpqwxcgroupxp.com/index.php?06abQDYyQRXGVGn8+X1m3cOoKWo+ZHQ6eFFeJn2qUV5UMsMiFCqKftY70V8gi85VGnM=#

    The thing is I didn't know if getting this meant I already had an
    infection or that I would only get the infection if I clicked on the
    button that the page was offering.

    My first reaction was to disconnect from the Internet, following which
    I ran a full Sophos scan, which found nothing.

    I saved the page as an MHT file but, interestingly, IE won't let me
    view it now because of ActiveX components. So why did it let the page
    open in the first place?

    I am pretty sure that I was only browsing IMDB at the time it all
    popped up.

    Has anyone got any more insights into this, or seen anything quite
    like it?

    Thanks.
     
    MIG, Jul 31, 2011
    #1

  2. The security paradigm differs between the desktop (userland) and the
    browser. It is more important to not execute stuff on the desktop (a
    trusted zone) than it is in the browser (a not so trusted zone). These
    scripts seem to run just fine within the browser (and they are only
    trying to convince the user to do something stupid later) but the
    'alert' about Active-X only happens when you have transported the script
    out of the "Temporary Internet Files" location to a less secure location.
    In my limited experience these things don't actually do any harm until
    you go further and hit "remove all" or whatever the button says - and
    *then* you get a download dialog box, which you shouldn't *run*. I
    usually *save* the downloaded file so I can have a look at it out of
    curiosity.

    Some recently have thwarted that effort (won't let me *save* it - and I
    didn't even try to *run* it).

    That being said, sometimes the same webpage that offers the actual
    malicious download also contains exploits that attempt to download and
    execute the malware without even asking the user.

    I'm guessing that you avoided being infested with one of the latest
    Fake-AV type of scareware (malware). As for anything quite like it, I
    used to see quite a few of these things - but lately they seem to have
    shifted to scaring the user with purported porn files being found.
     
    FromTheRafters, Jul 31, 2011
    #2

  3. MIG

    MIG Guest

    Aha; that makes sense.

    I can certainly see how a page like the one I saw could trick someone
    inexperienced. In a way, it's a byproduct of there being so much
    security these days. A while ago, there wouldn't have been any such
    thing as Windows Security, and people would be far more wary of being
    asked to click on anything.
     
    MIG, Aug 2, 2011
    #3