Security Alert: Browser Plug-Ins May Be Malware

— -- The Sans Institute has uncovered more evidence that internet attackers don't necessarily need any clever technical tricks to plant malicious software on users' systems -- an understanding of psychology will do just as well.

Click Here!

In a bulletin on Friday, Sans' Internet Storm Center (ISC) described a website that led to several users mysteriously becoming infected with malware. Part of the mystery, according to ISC handler Bojan Zdrnja, was that the site didn't use the nearly universal technique of an iframe, which allows exploit code to be siphoned in from another website.

"It's pure social engineering -- the user is actually encouraged to install the malware himself," Zdrnja wrote.

He said the site -- which is related to the game RuneScape -- shows some broken icons and links to a page that informs the user that his version of Macromedia Flash Player needs to be updated.

"After this notice, the user is redirected to a web site hosting a complete replica of the Shockwave Player Download Center," Zdrnja wrote. All the links on this page lead to Adobe's website except for the "install" link.

As a precaution, the page also uses JavaScript to disable right-click actions. Users download the malware themselves via an installer that was difficult to detect by most virus scanners, Zdrnja said.

He said the site demonstrates that attackers can infect users merely by lulling them into a false sense of security. "Technically this attack wasn't even worth the diary, however, the appearance could probably fool a lot of users," Zdrnja wrote.

The attackers didn't even bother to conceal the non-Adobe web address of the download page -- but because the page looks genuine, most users wouldn't even think to check the address bar, Zdrnja pointed out.

"Would SSL help here? Yes, but again only if users pay attention, and in this case they would first have to be trained to check for it when downloading files, and that's another story," he wrote.