Friday, May 25, 2012

Fake Antivirus and Firefox Cache Tools

Firefox has some pretty nifty features. One of those is the ability to view the cache contents without any extra tools. This post covers an incident with a fake antivirus popup and how I used the built-in Firefox tools to confirm my suspicions.

The Story

This all started when I got a text message from my wife earlier today. This is the image she sent me:
The story goes, our daughter was using the computer and this appeared on the screen. My initial thought was that this is a fake antivirus popup. However, we do have Microsoft Security Essentials (MSE) on that computer, and the screenshot is convincing. Following the old saying of "better safe than sorry," I told her to shut down the computer and I would look at it when I got home.

The Initial Review

Once at home, I looked more closely at this incident. First, I opened MSE to review the logs and found that nothing was detected in any previous scans (edit: MSE actually calls this History). This starts to confirm the suspicion of a fake antivirus popup.

The next step was to take the cache files from my daughter's profile and put them in a virtual machine. Since she uses Firefox, this is easy to do. If you are interested, explanations of the Firefox cache directories are here.

A quick peek at the history reveals this is definitely fake antivirus related.
The entries for detectionprotectorprocesses.in and "Viruses were found on your computer!" are dead giveaways. At this point you could stop but I will take a few more minutes to show you some of the Firefox cache exploration tools.

Firefox Cache Tools

I start the cache exploration by typing about:cache into the URL bar. This gives you the screen below, which is not very useful on its own.
Clicking on "List Cache Entries" starts to look more interesting.
This page can be searched by pressing Ctrl+F. I searched for "detectionprotectorprocesses.in".
The fifth detectionprotectorprocesses.in entry refers to a PNG image file. Clicking on that link takes us to another page, specific to the alert.PNG cache entry.
This page is filled with information. It includes HTTP server response headers and a full packet capture of the PNG image. In the center of the page is a line marked "file on disk". This gives the location on the disk where the cached image is located. I navigated to that location, copied the file to a temporary directory, and renamed it with a PNG extension.
Opening this file removes any remaining doubt about the fake antivirus popup. This recovered image perfectly matches the text message I received earlier today!
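The manual steps above (find the cache entry, locate the file on disk, copy it out, give it the right extension) can be automated when you have already copied the profile's cache directory into a virtual machine, as I did. The script below is an added example of mine and is not part of the original post or of Firefox itself. It identifies image files by their magic bytes rather than by name, since cache files on disk carry no extension, and it flags any entry whose raw bytes mention the suspicious hostname. The sample cache it builds is constructed for the example: the layout of a real Firefox cache entry differs between Firefox versions, and the exact position of the URL key inside an entry is an assumption here, which is why the search is a plain byte search over the whole file.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Magic-byte signatures for image types a browser commonly caches.
# Cache files have no extension, so the content itself decides the type.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}


def sniff_extension(data: bytes):
    """Return the file extension implied by the leading bytes, or None."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def scan_cache_dir(cache_dir, needle: bytes):
    """Walk a copied cache directory and report every file that is either
    a recognised image or mentions `needle` (e.g. a suspicious hostname)."""
    hits = []
    for path in sorted(Path(cache_dir).rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        ext = sniff_extension(data)
        mentions = needle in data
        if ext is None and not mentions:
            continue
        hits.append({"path": str(path), "ext": ext, "mentions_host": mentions})
    return hits


def carve_images(cache_dir, out_dir):
    """Copy every recognised image out of the cache with a proper extension,
    the same thing done by hand above with the alert.PNG entry."""
    os.makedirs(out_dir, exist_ok=True)
    carved = []
    for path in sorted(Path(cache_dir).rglob("*")):
        if not path.is_file():
            continue
        ext = sniff_extension(path.read_bytes())
        if ext is None:
            continue
        dest = Path(out_dir) / (path.name + ext)
        shutil.copyfile(path, dest)
        carved.append(str(dest))
    return carved


def build_sample_cache():
    """Constructed sample cache for demonstration; not real Firefox data.
    Assumption: the entry's URL key is stored somewhere in the same file."""
    d = tempfile.mkdtemp(prefix="fxcache_")
    png_body = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    (Path(d) / "ABCD1234").write_bytes(
        png_body + b":http://detectionprotectorprocesses.in/alert.PNG")
    (Path(d) / "EF567890").write_bytes(
        b"<html>Viruses were found on your computer!</html>"
        b":http://detectionprotectorprocesses.in/")
    (Path(d) / "11112222").write_bytes(b"<html>benign</html>:http://example.org/")
    return d


if __name__ == "__main__":
    cache = build_sample_cache()
    for hit in scan_cache_dir(cache, b"detectionprotectorprocesses.in"):
        print(hit)
    print(carve_images(cache, os.path.join(cache, "carved")))
```

Point the script at a copy of the cache directory, never at the live profile, so that the browser does not rewrite entries while you read them; the sniffed extension is what lets you open a recovered image directly and compare it against the screenshot you were sent.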


Conclusion

I suspect the popup came from the website directly prior in the browsing history, possibly from an advertisement. If that is true, it appears the problem has been remedied. I did look for some contact information on that website, but I did not locate any. I would have preferred to report this information, but I was unable to.

Firefox is a great browser. These cache tools are great for troubleshooting and fun to explore with as well. I am certain Firefox includes many more tools that I don't know about. Hopefully you found something useful in this post. Thanks for reading!