The Kovter ad click-fraud malware, packaged as a legitimate Firefox browser update, is being delivered to unsuspecting victims via drive-by-download attacks.
Kovter, which also occasionally installs other malware, has been around for a few years now, and has gone through many changes that keep it a current threat.
“What makes this new variant particularly nasty is that it’s the later fileless version of Kovter, and it’s now using an apparently legitimate certificate,” Barkly researchers have discovered. “That’s bad news because a legitimate certificate causes plenty of traditional antivirus/endpoint solutions to give the software a pass.”
Since the company shared its findings with other AV vendors, many of them are now able to detect this variant.
Comodo, the CA that signed the certificate misused by the malware, has also been notified and will hopefully soon – if they haven’t already – revoke it.
Users are advised to always be wary of random pop-ups telling them that some software needs an update.
Most software these days – and popular browsers especially – has a built-in mechanism for downloading and installing updates. If, for whatever reason, users don’t want to use it, updates should be downloaded directly from the vendor’s official website or from a well-reputed download site.
“Good user education can generally go a long way to reducing attacks, but as this particular attack demonstrates, even the best of us can be tricked into installing something that appears to be legitimate, or accidentally doing something we wish we could undo,” the researchers noted.