October 16, 2015
Trojan named Trojan.BPLug.1041 was found in the Google search results leading to the hacked webpage of a Russian TV Channel. The page is dedicated to a popular Russian series. Later it was found out that some other Internet resources also were discredited. These Internet resources were also connected with TV shows. If a user goes to the infected website from another domain and meets certain conditions (running Windows OS 32-bit or OS X with Intel architecture and any browser except Opera), malicious script opens a cybercriminal page at the tab from which a user gets to the website. A special handler incorporated into this webpage code does not allow to close this tab. If a user presses a key or clicks a mouse, the handler shows him an annoying window at the screen offering to install a browser extension. In addition, cybercriminals distribute this extension as an utility, supposedly created by a well-known anti-virus software developer.
During installation, this plug-in requires a list of particular permissions. After installation, it is shown in the list of Chrome installed extensions under the name of “Щит безопасности KIS” (KIS Security Guard).
Separate function is responsible for showing advertisement. With the help of this function the Trojan analyzes the content of a webpage opened by a user. If its context includes sexual content, Trojan.BPLug.1041 loads advertisement of the corresponding subject from two separate networks. This extension also contains the list of websites where the Trojan does not show advertisement, among such websites are fsb.ru, gov.ru, government.ru, mos.ru, gosuslugi.ru and some other. Trojan.BPLug.1041 sends user ID and data about other Chrome extensions installed at the infected computer to the cybercriminal server. During sending data, server may specify the Trojan which extensions should be disabled.
If a user makes a log in to the “Odnoklassniki” social network, Trojan.BPLug.1041 tries to provide a certain application with the access to the API of this social network under the user name by means of the authorization by OAuth protocol. During this process, privileges are required to change the status, view, edit, and upload photos; viewing and sending messages under the user name and some others. One can assume that this feature is used by cybercriminals for various advertisement purposes, for example, for promoting groups, sending spam messages or affecting some polls.
It should be mentioned that there are three extensions under the name “Щит безопасности KIS” in Chrome extension online store. All these extensions are created by one and the same author, however two of them do not function in a proper way. The total installation number of these three plug-ins equals to 30 thousand.
Doctor Web security researchers warn users not to download and install suspicious extensions received from untrusted sources. If you cannot close a tab, appeared in your browser, you can open Task Manager available in Google Chrome menu and kill the corresponding browser process. The Trojan.BPLug.1041 signature is added to Dr.Web virus database, and the websites where this Trojan has been distributed are added to the list of the websites not recommended for visiting. The administration of the hacked websites has been timely warned about the incident.
Tell us what you think
You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.