Julien Sobrier, Zscaler: How users can protect themselves against fake AV and other malicious spam
January 2011 by Julien Sobrier, Senior Security Researcher, Zscaler
Popular searches on Google, Bing or Yahoo!, can lead users to fake antivirus, malicious PDF files, Flash exploits, or other types of malware (see the previous articles on search engines hijacked to infect users). Although these types of malware are well known and likely to be encountered by many, there is no silver bullet available to protect users. Rather, users should use a combination of security tools which will reduce their overall risk exposure.
Most browsers utilize lists of known malicious sites, known as URL blacklists, which are updated regularly. Firefox, Safari and Chrome use Google Safe Browsing, a free service provided by Google. Internet Explorer 8 uses SmartScreen Filter, a proprietary Microsoft blacklist. If a user is redirected to a known malicious site, he is warned of the potential danger before the content is loaded. The main advantage of URL blacklists is that they are enabled by default in the browser, so there is no additional software to install or configure. But these blacklists do not always contain the latest threats, and certainly not all malicious URLs: it takes time to find new malicious domains, add them to the list, and distribute the updated lists to all browsers. While an important component of a defense-in-depth approach, URL blacklists do not on their own provide adequate protection. Internet Explorer 6 and some older browsers do not include any kind of blacklist.
Figure 1. Internet Explorer 8 warning
Antivirus should, in theory, be able to detect fake AV executables, and today antivirus engines can also scan HTML pages, PDF and Flash files, and other web content. However, in practice, they do a relatively poor job of detecting new threats. I have regularly checked the detection rate among 40 popular antivirus engines, using fake AV executables gathered during various research efforts. The overall detection rate for new malicious executables is usually below 25%! In fact, the most popular antivirus engines used by home users are rarely able to detect any of the samples submitted to VirusTotal.com, a website which scans files using about 40 antivirus engines. I would still recommend that everybody uses an up-to-date antivirus engine; however, users must be aware that no antivirus engine can detect all viruses, all the time.
Figure 2. A fake AV file was detected by 5 out of 43 antivirus engines.
“Search Engine Security” Firefox plugin
Zscaler has released a free Firefox plugin called “Search Engine Security”, to protect users from malicious spam pages. As explained in the article entitled “Search results hijacked to infect users”, spam pages check to determine if the request was received from a human with a web browser or from a bot, before deciding to reply with a redirection to a malicious site. The idea behind the plugin is to fool the spam page into thinking that the request was made by a bot, therefore the user will not be redirected to a malicious site. This is done by modifying the value of the Referer and User-Agent headers when the user clicks on a search result in Google, Yahoo! or Bing.
Figure 3. Search Engine Security plugin preferences
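The header trick described above can be shown in a few lines of plain JavaScript. The following is an added example, not the code of Zscaler's Search Engine Security plugin: it models the check a cloaked spam page performs (browser-like User-Agent plus a Referer from a search engine), the header rewrite that defeats it, and the defender-side comparison (fetch once as a search click, once as a bot, and flag any difference) that analysts use to detect cloaking. The exact User-Agent string the plugin sends and the choice to drop the Referer entirely are assumptions; the host list, sample User-Agent strings and the simulated server are constructed for the example.

```javascript
'use strict';

// Search engines the article names as covered by the plugin (constructed host list).
const SEARCH_ENGINE_HOSTS = ['www.google.com', 'google.com', 'search.yahoo.com', 'www.bing.com'];

// Sample browser User-Agent (constructed) and a crawler-style User-Agent. The UA the real
// plugin substitutes is an assumption here; any well-known crawler string would do.
const BROWSER_USER_AGENT = 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0 Safari/534.30';
const BOT_USER_AGENT = 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)';

// Hostname of a URL, or null when it does not parse.
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
}

// The cloaking test the article describes: does the request look like a human who just
// clicked a search result? Requires a search-engine Referer and a non-crawler browser UA.
function looksLikeSearchClick(headers) {
  const fromSearch = SEARCH_ENGINE_HOSTS.includes(hostOf(headers['Referer'] || ''));
  const ua = headers['User-Agent'] || '';
  const browserLike = /Mozilla\/\d/.test(ua) && !/bot|crawler|spider/i.test(ua);
  return fromSearch && browserLike;
}

// What the plugin does on a click from Google, Yahoo! or Bing: present the request as a
// bot. Assumed behaviour: remove the Referer and replace the User-Agent. Requests that did
// not come from a search engine are passed through untouched.
function rewriteHeaders(headers) {
  const out = { ...headers };
  if (!SEARCH_ENGINE_HOSTS.includes(hostOf(out['Referer'] || ''))) return out;
  delete out['Referer'];
  out['User-Agent'] = BOT_USER_AGENT;
  return out;
}

// Defender-side cloaking check. fetchFn(url, headers) is injected so the check runs offline;
// it must return { status, location }. The same URL is requested as a search click and as a
// bot; a differing status or redirect target means the page serves different content to
// humans and crawlers, which is the signature of a cloaked spam page.
function detectCloaking(url, fetchFn) {
  const clickHeaders = { 'User-Agent': BROWSER_USER_AGENT, 'Referer': 'https://www.google.com/search?q=example' };
  const asClick = fetchFn(url, clickHeaders);
  const asBot = fetchFn(url, rewriteHeaders(clickHeaders));
  const cloaked = asClick.status !== asBot.status ||
    (asClick.location || null) !== (asBot.location || null);
  return { cloaked, asClick, asBot };
}

// Simulated cloaked server (constructed stand-in for a network fetch): redirects only
// requests that pass the search-click test, exactly the behaviour the article describes.
function simulatedCloakedServer(url, headers) {
  return looksLikeSearchClick(headers)
    ? { status: 302, location: 'http://fake-av.example/scan' }
    : { status: 200, location: null };
}

// Stand-alone demo.
const verdict = detectCloaking('http://spam-page.example/result', simulatedCloakedServer);
console.log('as search click:', verdict.asClick, 'as bot:', verdict.asBot, 'cloaked:', verdict.cloaked);
```

In a real crawler the injected fetch would perform the two HTTP requests and compare status codes and Location headers; keeping the fetch injectable is what lets the comparison logic be tested offline against the simulated server.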
Search engines, especially Google, have made efforts to clean up their search results. However, some popular searches still contain malicious links on the first search result page. Users must be prudent, and should not rely on their search engine to keep them safe. It is very important to keep the browser, its plugins (Flash, Java, Acrobat Reader) and antivirus up to date to decrease the risk of infection. But the best protection is to educate users, and never to download software from unknown sites.