Jul 6 | 10:38 pm (UTC-7) | by David Perry (Global Director of Education)
Today we have a confluence of several mixed signals, amounting to a bit of confusion and a potential threat. Suppose you were searching Microsoft Bing for a download of the popular browser, Google Chrome. You may get a screen like this:
![Screenshot of Bing search results for Google Chrome]()
And that is just as you would expect it to look. Most people would click the very top link, which is, as it says right on the page, a paid advertisement. You would get redirected to a download page where you could get an immediate connection to download Chrome. This is where that link would take you.
![Screenshot of the download page the advertisement leads to]()
However, if you clicked the Download button, the big blue one in the upper right-hand corner, your Internet Explorer (IE) browser would interfere, warning you that this download is suspected of being infected.
If you ignore this warning, you will end up with an infected system. Trend Micro threat response engineer Kathleen Notario noted that once the file is downloaded, it is saved as chrome_11.0.696.68.exe (currently detected as TSPY_ONLINEG.MU) on your system. This spyware then drops cleanhtm.exe and cleanhtm.dll into the %Application Data% directory. These files have rootkit capabilities that enable them to hide processes and files. TSPY_ONLINEG.MU also modifies the HOSTS file by adding the following entries:
- {BLOCKED}.{BLOCKED}.118.187 www.google.com
- {BLOCKED}.{BLOCKED}.118.188 search.yahoo.com
- {BLOCKED}.{BLOCKED}.118.188 www.bing.com
Because the HOSTS file is consulted before DNS, this redirects the user to IP addresses controlled by the perpetrators whenever any of the listed sites is accessed.
It is odd that the ad server is not aware of the threat while the browser is. I am not pointing fingers here. Expect a lot of similar ruses in the near future, though. The world of Internet threats has become complicated enough that gaps in the fence are a regularly occurring security story.
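The HOSTS-file hijack described above is easy to check for on a suspect machine. The following is an added example, not code from the original post or from Trend Micro: it parses hosts-file text in the standard "address hostname [alias ...]" syntax and flags watched domains that have been pointed at anything other than a loopback or unspecified address. The sample content and the 192.0.2.x addresses (RFC 5737 documentation range) are constructed to stand in for the blocked addresses in the post; the watched-domain list is an assumption taken from the three entries above.

```python
"""Flag HOSTS-file entries that redirect well-known domains to foreign addresses.

Added example; not code from the original post or from Trend Micro. It assumes
the standard hosts-file syntax ("<address> <hostname> [<alias>...]" with '#'
comments). SAMPLE_HOSTS and the 192.0.2.x addresses are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

# Domains a user expects to resolve through DNS, never through a local override
# (assumed list, taken from the entries the spyware adds).
WATCHED_DOMAINS = {"www.google.com", "search.yahoo.com", "www.bing.com"}

# Constructed sample: a normal Windows HOSTS file plus three attacker-added lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.0.2.187     www.google.com
192.0.2.188     search.yahoo.com
192.0.2.188     www.bing.com
"""


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, address, [hostnames]) for each active entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: nothing is mapped
        entries.append((lineno, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def is_local(address: str) -> bool:
    """True for loopback or unspecified addresses, the only ones a benign HOSTS file
    normally maps (localhost entries, or 0.0.0.0/127.0.0.1 sinkholes used by ad blockers)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def find_hijacks(text: str) -> Dict[str, str]:
    """Map each watched domain to the non-local address it was pointed at, if any."""
    hijacked: Dict[str, str] = {}
    for _lineno, address, hostnames in parse_hosts(text):
        if is_local(address):
            continue
        for host in hostnames:
            if host in WATCHED_DOMAINS:
                hijacked[host] = address
    return hijacked


def report(text: str) -> List[str]:
    """Human-readable lines, one per hijacked domain, sorted for stable output."""
    return [f"{host} -> {addr}" for host, addr in sorted(find_hijacks(text).items())]


if __name__ == "__main__":
    # On a real Windows host, read %SystemRoot%\System32\drivers\etc\hosts instead.
    for line in report(SAMPLE_HOSTS) or ["no hijacked entries"]:
        print(line)
```

Treating loopback and unspecified addresses as benign keeps the check from firing on legitimate ad-blocking HOSTS files, which deliberately point many domains at 127.0.0.1 or 0.0.0.0; any watched domain mapped to a routable address is reported.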
Irony Supplement
So who exactly would be using a browser from the largest OS company and its associated search engine to download a different browser from the largest search engine company that now makes an OS and a browser with the same name as competition to Big Redmond?
The Point
We live in a developing world. Get all the protection you can stand, especially on your browser. The big boys are not always looking out for you. (By the way, Trend Micro also blocks the site and identifies it as malicious, and we have been in touch with Microsoft’s Security Response Team about this incident.)