If you want to keep your computers and network protected, you should ensure that browsers are patched as soon as updates are made available. However, end users may be fooled into taking action to keep their computers secure and inadvertently use fake Firefox updates.

Fake FireFox Updates Used to Install the Kovter Trojan

Fake Firefox updates are being used by the gang behind the Kovter Trojan. A new version of the fileless malware has been identified recently, and it is infecting users by posing as a fake Firefox update.

The cybercriminal gang behind Kovter frequently tweak the malware and come up with new ways of infecting end users. Kovter is a particular worry as it can be particularly difficult to detect. Being fileless, there are no actual files to detect. The malware resides only in the memory, and it ensures it is reloaded into the memory each time a computer is rebooted with a Windows registry component.

Kovter can perform a range of malicious activities, such as redirecting users to malicious websites, performing click fraud, downloading other malware, and now also encrypting files. The latest variant discovered by CheckPoint also has ransomware capabilities.

When users visit a malicious or infected website they are presented with fake Firefox updates and are urged to download the latest version to keep their computers secure. Researchers at Barkly discovered that the gang behind the latest Kovter campaign are using a legitimate certificate to fool antivirus engines. The certificate was issued to Comodo, although it has since been revoked. Anti-virus engines are also now being updated to detect the malware and block its download.

Preventing Drive by Malware Downloads

There are a number of steps that can be taken to prevent drive-by downloads of malware such as Kovter. Policies should be implemented that prohibit end users from performing software updates, which should be left to the IT team to handle. Patch management policies should be developed and implemented to make sure that when software updates and patches are issued, they are installed promptly or preferably automatically.

Browsers should never be updated outside the normal update process. To check if the latest version is installed, simply click on the help function, followed by the About option, and the browser will check to determine whether an update is available.

A web filtering solution is also an important security control to employ to prevent drive-by downloads. A web filter can be configured to block access to webpages known to contain malware and restrict access to non-work related websites which carry a high risk of malware infections. Some web filtering solutions – WebTitan Gateway for example – can also scan websites in real-time to check for known indicators of drive-by downloads and exploit kits. WebTitan then prevents the sites from being visited.