OFFICIAL SECURITY BLOG

Brows(er)ing for Updates

April 24, 2014

When you update software on your PC, I bet you’d be hard pressed to think of an occasion where it notified you via web browser.

Programs tend to keep themselves to themselves and everything of a notification nature “in-house”…especially where updates are concerned.

More often than not, when you see a notification in your web browser that something needs to be fixed, updated or tweaked it’s usually a sign that somebody wants to make a little money out of you by making some additions to the system (or fill in some surveys).

Over the last few months we’ve covered fake Flash updates, browser updates, Java and YouTube. Here’s a site which focuses more on the various programs on your PC potentially needing updating as a whole, as opposed to focusing on just one product, located at

updatenowpro(dot)com

with the following landing page splash:

[Image: "Nope"]

“Updates Recommended! It is recommended that you install the software to ensure your browser is the latest version. Please update to continue”

[Image: Update offer]

It leads to a PUP installer which Malwarebytes Anti-Malware detects as PUP.Optional.AirAdInstaller.

[Image: Updater program]

Once installed, a page opens in a browser offering up a “free gift giveaway” as a thank you for installing, with prizes that run the range of iPads, iPhones and $100 Target gift cards:

[Image: offers]

Unfortunately none of them seemed to work at time of testing, but it’s probable that they involve surveys or forms to fill out (while generating some affiliate cash for somebody along the chain).

Updating software is important to keep your PC safe and secure, but those programs don’t tend to ring an alarm bell inside a web browser.

If in doubt, always launch the program directly and click on the update button – you never know what you’ll end up with when trying to do the web-browser update dance.

Christopher Boyd


  • http://www.contosdunne.com PSDUNNE

    Would there EVER be an instance where you’d be notified about an update ended while you’re “in” your browser? (java, silverlight, adobe, anything…?)

  • ianh

    this is a pretty decent tool for updates

    http://www.filehippo.com/updatechecker

  • figgs

    I use FileHippo as well and have for a couple of years. It does a good job. Also Avast A/V has a software checker and it also is good.

  • ianh
  • firefly

    I use all three of these tools combined to give me that extra edge. Definitely worth looking at.

  • Debra Gerik

    I have fallen prey to so many of these types of malware that I finally enrolled in Cisco Networking and Security Courses along with some IT Essentials involving computer repair. I am finally getting smarter. It’s especially grateful I am to my IT and Cisco Instructor that I found out about your site. Thanks for your diligence and may all the blessings of God be upon you all. It is going to get so bad we will all have to have more than push the power button knowledge. I’m still praying some super intelligent person will figure out a way to zap the hackers’ machines even though they use zombie computers to carry out their mischief.

  • https://www.facebook.com/jarlewski Ethan Jarlewski

    I can’t believe this article is on a site dedicated to “Security!” Go and READ how you wrote this article! You wrote it as if, “Oh, I [clicked] on the options in this offering, and [nothing] happened.” It’s written almost as if you ENCOURAGE people to do this! Your VERY FIRST LINE should be THIS *IS* MALWARE – DO NOT TRY CLICKING!

    Instead, you say, “Unfortunately none of them seemed to work at time of testing, but it’s probable that they involve surveys or forms to fill out (while generating some affiliate cash for somebody along the chain).” WRONG!
    1) NEVER *EVER* click on something as suspiciously-crafted as this!
    2) NEVER *EVER* click on anything if you don’t [absolutely] know what it does
    3) You cannot say, “Unfortunately, none of [the offerings] worked;” because, indeed, the moment you clicked on them, they implanted malware on your system. You see, MALWARE is called that for a reason – it is BAD, it does not play by any rules; i.e., “I clicked, so why didn’t the free coupon come up?” DUH, because it’s not SUPPOSED TO! It’s supposed to install spyware, malware, etc. to circumvent any possible security, so it doesn’t care if it actually displays a coupon or offer (which would be ‘fake’ anyway)
    4) Always, ALWAYS do tasks like this on a “throw-away honey pot-type” computer that you don’t care about.
    5) Now that you ADMIT you clicked on this crap, GO TO A *CLEAN* COMPUTER, AND CHANGE YOUR FINANCIAL PASSWORDS, EMAIL PASSWORDS, ETC. BECAUSE THEY *HAVE* BEEN COMPROMISED!

    Anyway, I received the same “pop-up” exactly, when I misspelled craigslist.org as cragslistDOTorg (amazing how much difference one little letter makes ;-)
    BUT I NEVER CLICKED – and you should not either! You should go to Task Manager and terminate any IE, Chrome, etc. processes, so that this pop-up never gets a chance to get clicked.

    The actual “redirect” where this malware tries to go, in my case, is:
    [removed] (and I’m leaving out the rest, as it is not needed) – you get the point – this is BAD, *VERY* bad! Anyway, I just found your article way too ‘calm’ regarding not warning people that clicking on something like this is incredibly dangerous (and stupid)! Granted, at the end of the article, you gave a sort of mild warning, but the rest of the article is so casual as to almost be a “how-to” on “Clicking and testing out Adware.” If you did, indeed, click this malware in a “live, production network,” good luck on any future ‘clean-up’ you may have to do; because, you have no way of knowing if this is harmless adware or if it just installed trojans to steal all your network financial info, passwords, etc. If I were to write malicious malware, I would write it just like this one was crafted, to look harmless, like it just displays “Ads and Gift Card Offers,” while I plant various trojans and other nasty items to collect your information.

  • Christopher Boyd

    “Your VERY FIRST LINE should be THIS *IS* MALWARE – DO NOT TRY CLICKING!”

    Hello, Ethan. There was no Malware, only a potentially unwanted program – telling people there was Malware would be factually incorrect. The first line of the blog highlighted updates in browsers because that’s what the site in question was claiming to push.

    “You cannot say, “Unfortunately, none of [the offerings] worked;” because, indeed, the moment you clicked on them, they implanted malware on your system. You see, MALWARE is called that for a reason – it is BAD, it does not play by any rules; i.e., “I clicked, so why didn’t the free coupon come up?” DUH, because it’s not SUPPOSED TO!”

    I can say that, because that’s what happened. All of the links directed to dead and abandoned advertising URLs which contained no content. Again, there was no Malware.

    “Now that you ADMIT you clicked on this crap, GO TO A *CLEAN* COMPUTER, AND CHANGE YOUR FINANCIAL PASSWORDS, EMAIL PASSWORDS, ETC. BECAUSE THEY *HAVE* BEEN COMPROMISED!”

    I’m not entirely sure if you’re advising me to do this or giving general advice to other readers, but all testing is done in virtual machines on disposable desktops in dedicated testing environments. The only data on any of these machines is whatever false information has been placed there by myself in situations where I want a file to deliberately steal something as part of the testing.

    “Anyway, I just found your article way too ‘calm’ regarding not warning people that clicking on something like this is incredibly dangerous”

    We write a lot of blogs and each one is entirely situational based on whatever happens to be covered at the time. If we screamed that the sky is falling on every blog entry – or by the same token claimed that what is written about above is “dangerous” – we’d be accused of spreading fear, uncertainty and doubt and rightly so.

    A fake update site and a (voluntary) PUP install which requires EULAs to click through to install on the PC is annoying but not dangerous in the sense you’re talking about – there is no data theft, no passwords stolen, no financial information compromised and no Trojans or Malware.

    “Granted, at the end of the article, you gave a sort of mild warning, but the rest of the article is so casual as to almost be a “how-to” on “Clicking and testing out Adware.”

    Every security article showing what happens when installing or browsing a site requires a step by step description of what is taking place, or else how would you know what was happening / had happened? As for mild warnings, the blog couldn’t be clearer that you shouldn’t install updates via random browser messages.

    1st sentence: pointing out that updating your software via browser messages is not common.

    2nd sentence: highlighting that programs update using their own internal mechanisms instead of through your browser.

    3rd sentence: explicit reference to how when updates are seen in a browser, it’s because you’re about to be scammed in some way. “it’s usually a sign that somebody wants to make a little money out of you by making some additions to the system (or fill in some surveys).”

    4th sentence: Links to articles about older coverage of fake program updates, while also using the word “fake” in the sentence.

    There is no possible way that anybody reading could not be aware that they’re reading about a fake program update at this point, unless they had skipped the first four paragraphs. After showing the consequences of the install, the blog closes by reiterating that programs don’t send update messages in-browser, and advises users to hit the update button inside whatever app is asking to be updated. I’m not sure how it could be any clearer to someone reading the entry, but thanks for your comments.

  • https://www.facebook.com/jarlewski Ethan Jarlewski

    There is every possible way – *I* got the impression, thus proving the point.
    I know you mean well but, seriously? If a grandmother or grandfather started reading it; and it said, “…But none of the offers seemed to work when I clicked them;” they may get the impression “Oh, well this fellow seems to be trying this product, so maybe it’s okay.”

    And, for the record, YES, it is “malware.” How do you know exactly what it is? And what it does? You DON’T – and that’s the point. Anything that “does things you aren’t fully aware of,” in my book, is “malware;” and, having over 30 years in the IT industry, I definitely consider “adware” and “suspicious adware” to be malware. You had no idea whatsoever what this thing does when you click it. Adware is BAD – period! And, that’s assuming you “know” that it’s just harmless adware which, to me, is a conflicting statement – adware is never harmless – it often redirects you, hijacks your browser, subjects you to pop-ups that may look like “something they’re not,” and so forth. “Mal” is from “malo,” meaning “bad.” Adware is “bad”-ware; hence “malware.” You may have some pristine definition of what is and is not malware but, again, in my book, adware is very much in that category and, I believe most truly conscientious security-minded admins would agree.

  • https://www.facebook.com/jarlewski Ethan Jarlewski

    You also have to remember that some folks reading this may not be nearly as technical as the rest of us. My in-laws, for example, would see this as, “Oh, it says my browser needs to be updated; I guess I had better click this.” Plenty of people do not know (nor care about) the difference between “in-browser” notifications vs. “outside-the-browser” notifications – again, the in-laws being a typical example.

  • https://www.facebook.com/jarlewski Ethan Jarlewski

    First sentence – horrible passive construction!
    “When you update software on your PC, I bet you’d be hard pressed to think of an occasion where it notified you via web browser.”

    Better:
    “Always be aware that in-browser updates or random pop-ups are red flags; and are not a typical means of updating your PC; so you should be alarmed by, and wary of, such notices.”

    Sentence #2: What the heck kind of existentialist crap is this?
    (…”keep themselves to themselves.”) What… are you a poet?)

    “Programs tend to keep themselves to themselves and everything of a notification nature “in-house”…especially where updates are concerned.”

    Better:
    “Your browser should not be warning you about updates! Your programs themselves should display typical and expected update notices or, if you have your programs set for auto-updates, you might not even be notified of updates. Again, any odd and/or ‘generic’ updated pop-ups, especially within the browser; or from the browser, should be heavily scrutinized and avoided, unless you know exactly what that update pop-up is doing.”

    Sentence 3 – Really?
    “More often than not, when you see a notification in your web browser that something needs to be fixed, updated or tweaked it’s usually a sign that somebody wants to make a little money out of you by making some additions to the system (or fill in some surveys).”

    Better:
    “In-browser update notifications are a very common hacking mechanism, in order to infect your computer with unwanted software, intrusive untrusted adware and other forms of misuse of your computing and network resources. Such products, if installed, have unknown effects on your computer; and have the potential of exposing you to serious financial and identity theft risks, data damage, ransomware (your data held hostage until you pay a ransom) and, yes, even liability – if you happen to be using corporate computing resources or resources for which you are responsible, but may not own.”

    And here:
    “Here’s a site which focuses more on the various programs on your PC potentially needing updating as a whole as opposed focusing on just one product, located at / updatenowpro(dot)com / with the following landing page splash:”

    Better: “Here’s one such questionable site, with just such a generic, potentially harmful in-browser pop-up…”

    Sorry you can’t take constructive criticism, but I’m just calling it how I see it. Again, I’m keeping in mind my in-laws as a typical example of someone who definitely would not know the intent nor the nature of such an article, unless the article were of stronger, less passive construction. I’m glad at least that people such as you are trying to get these messages out here in the real world; even if those messages may not be completely clear to all who read them. Of course, I am a journalist and an English major, so I tend to be extremely picky when it comes to construction of articles, strengthening of content and messages and overall impact of said articles. Additionally, one of my writing gigs involves writing for the “technically-challenged” crowd, so it keeps me on my toes.

  • https://www.facebook.com/jarlewski Ethan Jarlewski

    And this, again, I strongly disagree with:
    “A fake update site and a (voluntary) PUP install which requires EULAs to click through to install on the PC is annoying but not dangerous in the sense you’re talking about – there is no data theft, no passwords stolen, no financial information compromised and no Trojans or Malware”

    Wrong again, because you have no way of knowing what happens when you click “install” and if you accept an EULA. Do you read all the EULAs? People rarely do. PUP = Potentially Unwanted – and that can mean anything; from mild adware to malicious browser redirection. Again, we differ on the definition of malware – for me, Adware IS malware. At the moment you click “install” and/or “ok” and/or “I accept the EULA,” do you truly want people to believe that you are aware of every single registry entry that gets changed, when that install happens? Heck, I had to BEG one of the largest companies in the world, IBM, to tell me exactly all the registry entries their specific product installed, changed and modified – and, you know what? They did not know! Their “own” product, and their developers did not know all the registry and “.ini” and other pieces that their own software affected; they took weeks, and researched it, and finally gave us that information. Not very comforting. You just cannot assume that something you think is innocent is truly harmless, unless and until, you know exactly what happens when you click “install.” Once you’ve used “procmon” or other such tools, to log every registry, process and file change that happens during that software install; and then you determine the exact impact of those changes, then and only then, can you say, “Oh, it’s just harmless – it just displays coupon offers.” A “pup” is not a small dog; it’s potentially dangerous, and should be treated as such.
    I’m sure we can agree to disagree on many of these points but, any adware I’ve had has been “malware,” as far as I’m concerned and, in various and sundry ways, it most certainly can obtain information about you, even without your knowledge, once it’s installed – that is, after all – part of the purpose of adware – not just to sell you things, but to find out more about you – tracking cookies, sending information “back home” to the parent site and, as stated, doing “who-knows-what” in the background or while you’re not even using the computer. Seriously, think about it – you click “install” and, for all you know, you just installed the most intrusive browser redirect tool ever invented. Again, adware is one of the methods I would choose to infect a computer, just for the simple fact that many people consider it harmless.