Fake Opera 'update' pushes Zbot malware

The criminals were able to disseminate the “update” to some of Opera’s 300 million users for a 36-minute period, meaning they had access to Opera’s infrastructure during that time, the company said in its alert. The malicious file followed the same naming convention as a legitimate Opera auto-update file but was much smaller.

As a result, a number of Opera users (the company estimates “a few thousand” Windows users) may have been infected with a nasty trojan downloader that is part of the Zbot family. Upon successful infection, the malicious file searches the hard drive for passwords stored in internet browsers as well as FTP clients.

In addition, after several minutes, the user’s computer may become locked up with ransomware demanding $300.

“This attack and payload are possibly the most effective method to serve malware onto unsuspecting users who are naturally urged to update their software when an update is available,” said Malwarebytes senior security researcher Jerome Segura in a blog post examining the attack. “The fact that it came from a trusted authority (Opera itself) and was using a digital certificate makes it even trickier.”

While the incident should not discourage end-users from following best practice and keeping their PCs up to date, it also shows that files cannot be trusted unconditionally, even when they come from reputable vendors and carry a valid digital signature. That calls for defense-in-depth: layered detection and prevention controls rather than reliance on any single check.

“The bad guys can fool one product but not all (or at least it is much more difficult),” Segura said. “Having multiple layers of defense (anti-virus, anti-malware, browser protection) can stop an attack at different stages before it succeeds.”
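As an added illustration of that layered approach (example code written for this article, not Opera’s updater or Malwarebytes’ tooling): a signature-only updater accepts anything signed with the vendor’s certificate, which is exactly what a stolen or misused certificate defeats. The verifier below treats the signature as one check among several and also pins the expected file name, size range and SHA-256 for the release, so a signed file that follows the right naming convention but is far smaller than the genuine installer is still rejected. The file name, sizes, manifest and byte blobs are all constructed for the example.

```python
import hashlib
import re

# Added example, not Opera's code. A naive updater trusts any file with a
# valid code-signing signature; the layered verifier also pins the expected
# name, size range and SHA-256 for each release. All values below are
# constructed for illustration.

NAME_PATTERN = re.compile(r"^Opera_\d+\.\d+_Setup\.exe$")  # assumed naming convention


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the genuine installer (a padded blob, ~4 MB).
GENUINE_UPDATE = b"MZ" + b"\x00" * 4_000_000

# Release manifest the client would obtain out of band and pin (assumed design).
RELEASE_MANIFEST = {
    "name": "Opera_12.15_Setup.exe",  # constructed version number
    "sha256": sha256_hex(GENUINE_UPDATE),
    "min_size": 3_500_000,
    "max_size": 4_500_000,
}


def naive_accepts(signature_valid: bool) -> bool:
    """Signature-only policy: a validly signed file is always installed."""
    return signature_valid


def verify_update(name: str, data: bytes, signature_valid: bool,
                  manifest: dict = RELEASE_MANIFEST) -> list:
    """Layered policy. Returns the list of failed checks; empty means accept.

    signature_valid is the result of the platform's Authenticode check,
    passed in so the example runs without a real signed binary.
    """
    failures = []
    if not signature_valid:
        failures.append("signature")
    if not NAME_PATTERN.match(name) or name != manifest["name"]:
        failures.append("name")
    size = len(data)
    if not manifest["min_size"] <= size <= manifest["max_size"]:
        failures.append("size")
    if sha256_hex(data) != manifest["sha256"]:
        failures.append("hash")
    return failures


if __name__ == "__main__":
    # Constructed stand-in for the rogue file: same name, validly signed,
    # but a fraction of the genuine size.
    rogue = b"MZ" + b"\x90" * 200_000
    print(naive_accepts(True))  # True
    print(verify_update("Opera_12.15_Setup.exe", rogue, signature_valid=True))  # ['size', 'hash']
    print(verify_update("Opera_12.15_Setup.exe", GENUINE_UPDATE, signature_valid=True))  # []
```

The point of returning every failed check rather than the first one is operational: a file that passes the signature check but fails size and hash is a different incident (possible certificate compromise) from an unsigned download, and the updater should log and alert on it differently.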

He also took Opera to task for its handling of the incident: “While Opera Software coming forward with this information is a good thing, their statement’s title, ‘Security breach stopped,’ does not quite add up since a breach did appear to happen and lead to at least one malicious file being pushed onto users,” Segura noted. “The other troubling thing is the lapse of time between the incident itself and the announcement (one week), which is long enough for malware to do its thing.”

For its part, Opera said that the attack had limited impact, but that it will roll out a new version of Opera that will use a new code signing certificate, “to be on the safe side.” It gave no timeline for doing so.

“Our systems have been cleaned and there is no evidence of any user data being compromised,” said Opera’s Sigbjørn Vik, in the advisory. “We are working with the relevant authorities to investigate its source and any potential further extent. We will let you know if there are any developments.”
