
I am aware of this question: Help! My home PC has been infected by a virus! What do I do now? and would adhere to its answer if I had, as this question states, "determined beyond doubt that my home PC is infected by a virus".

However, I haven't determined this. Since I believe this can easily be a generic question, let me say what happened:

  • I followed an outlink from Wikipedia to a legitimate looking site
  • The legitimate-looking site loaded; however, after a few seconds, it changed to a clearly fake warning that my Firefox was out of date, prompting me to download & install a new version (which, in reality, was a suspicious file from Dropbox);
  • I left the site without installing the likely malware.

However, now there are basically two possibilities: either the website got hacked or I have browser redirect malware installed on my computer. I would assume the former, since I've already seen legitimate websites showing a piece of scareware, and this even once happened when I had followed a Wikipedia outlink, BUT... After seeing this fake Firefox download today I tried browsing that suspicious page again, reasoning that nothing worse than what has already happened could happen... AND I never saw this scam again. This perplexes me, since all other legitimate-looking websites hacked to show scams were showing them consistently, on each visit. So either this particular website I visited today dealt with the problem minutes after I left it, or the scam is designed to never show itself to one person more than once, or... I have browser redirect malware installed.

Maybe I shouldn't, but... Since I was unable to find this scam on this website again, I was browsing and working normally for a few hours hoping to spot any irregularities. I didn't spot any.

Since I believe it would be an exaggeration to nuke an entire system from orbit just because a website shows me a scam, how should I make sure that such extreme measures are or are not necessary? I've run a full scan with Windows Defender and no threats were found.

gaazkam

1 Answer


There is no reason to nuke it from orbit just because it showed you a scam once. If malware is capable of installing itself automatically (a drive-by infection), it would not be trying to trick you into downloading an executable. In general, if malware is to install through a browser vulnerability on its own, it will do so without making itself known. All you saw was malware so limited that it requires the user to execute it manually to do anything harmful.

So, why did you only see it once? There are several possibilities:

  • The malware came from an embedded advertisement, and the ads are on rotation.
  • The malicious download is only presented every n website visits to avoid suspicion.
  • The site was hacked, but no longer is. Compromise can be very brief.
  • As you say, it could simply be that it does not show the same person the scam twice.

The first two possibilities are the ones that I would suspect. Advertisements are almost always outsourced to ad companies, and some of these companies are less reputable (or less secure) than others. It is not uncommon to accidentally approve a malicious ad on a legitimate website. Scams or malicious code are also often served on a random basis. I know of one shock website which creates popups and does other benign (but highly annoying or offensive) activities, but every once in a while will serve actual malware. A site that is not consistent in its malice will last.

If it is browser redirect malware, you still don't need to nuke it from orbit. Browser malware is common and tends to be limited to controlling the browser. This malware, being unable to perform arbitrary actions on your computer, must resort to trying to trick the user into downloading real malware from their browser, because they trust their browser. If you do have redirect malware, reinstalling your browser to remove all settings and plugins is usually sufficient to remove it.

forest
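The answer above suggests that if browser redirect malware is present, it lives in the browser's settings and plugins rather than in the operating system. Before reinstalling the browser, the check a practitioner would want is to look at exactly those two places in the Firefox profile: the preferences in `prefs.js` that redirect malware typically changes (proxy, homepage, search engine), and the list of installed extensions in `extensions.json`. The script below is an added example and is not code from the original post or its author. It assumes the on-disk formats Firefox uses for these two files (`user_pref("name", value);` lines in `prefs.js`, and an `addons` array with `id`, `type`, `active`, `location`, `sourceURI` and `defaultLocale.name` fields in `extensions.json`); the list of preference prefixes treated as suspicious and the sample profile contents are constructed for this example and are not exhaustive.

```python
"""Audit a Firefox profile for the settings and extensions that browser
redirect malware typically modifies. Added example; not from the original
post. File formats and the suspect-pref list are assumptions (see lead-in)."""
import json
import re
from pathlib import Path

# Preference names (by prefix) that redirect/hijack malware commonly sets.
# This list is an assumption for the example, not an authoritative catalogue.
SUSPECT_PREF_PREFIXES = (
    "network.proxy.",            # silent proxying of all traffic
    "browser.startup.homepage",  # forced start page
    "browser.search.",           # replaced search engine
    "keyword.",                  # address-bar keyword search redirection
)

# Matches one line of prefs.js: user_pref("name", value);
_PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);\s*$')


def parse_prefs(prefs_js: str) -> dict:
    """Parse prefs.js text into {name: value}. Values are JSON-like
    (strings, integers, true/false), so json.loads decodes them."""
    prefs = {}
    for line in prefs_js.splitlines():
        m = _PREF_RE.match(line.strip())
        if not m:
            continue  # comments and blank lines
        name, raw = m.group(1), m.group(2)
        try:
            prefs[name] = json.loads(raw)
        except json.JSONDecodeError:
            prefs[name] = raw  # keep unparseable values verbatim for review
    return prefs


def suspicious_prefs(prefs: dict) -> dict:
    """Return only the preferences a redirect hijack would have to touch."""
    return {k: v for k, v in prefs.items() if k.startswith(SUSPECT_PREF_PREFIXES)}


def list_extensions(extensions_json: str) -> list:
    """Summarise installed extensions from extensions.json (assumed layout)."""
    data = json.loads(extensions_json)
    summary = []
    for addon in data.get("addons", []):
        if addon.get("type") != "extension":
            continue  # skip themes, dictionaries, langpacks
        summary.append({
            "id": addon.get("id"),
            "name": (addon.get("defaultLocale") or {}).get("name"),
            "active": bool(addon.get("active", False)),
            "location": addon.get("location"),   # app-profile, app-system-share, ...
            "sourceURI": addon.get("sourceURI"), # where it was installed from
        })
    return summary


def audit_profile(prefs_js: str, extensions_json: str, known_ids=()) -> dict:
    """Report hijack-relevant prefs and active extensions the user does not recognise."""
    prefs = parse_prefs(prefs_js)
    exts = list_extensions(extensions_json)
    unknown = [e for e in exts if e["active"] and e["id"] not in set(known_ids)]
    return {"suspicious_prefs": suspicious_prefs(prefs),
            "unknown_active_extensions": unknown}


def audit_profile_dir(profile_dir, known_ids=()) -> dict:
    """Run the audit against a real profile directory (e.g. the folder under
    %APPDATA%\\Mozilla\\Firefox\\Profiles on Windows)."""
    p = Path(profile_dir)
    return audit_profile((p / "prefs.js").read_text(encoding="utf-8"),
                         (p / "extensions.json").read_text(encoding="utf-8"),
                         known_ids)


# Constructed sample profile contents (not taken from a real machine).
SAMPLE_PREFS = """// Mozilla User Preferences
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1700000000);
user_pref("browser.startup.homepage", "http://start.search-redirect.example/");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "203.0.113.10");
user_pref("network.proxy.http_port", 8080);
user_pref("privacy.donottrackheader.enabled", true);
"""

SAMPLE_EXTENSIONS = json.dumps({"addons": [
    {"id": "uBlock0@raymondhill.net", "type": "extension", "active": True,
     "location": "app-profile", "sourceURI": "https://addons.mozilla.org/",
     "defaultLocale": {"name": "uBlock Origin"}},
    {"id": "{search-helper}@hijack.example", "type": "extension", "active": True,
     "location": "app-profile", "sourceURI": "http://cdn.hijack.example/helper.xpi",
     "defaultLocale": {"name": "Search Helper"}},
    {"id": "default-theme@mozilla.org", "type": "theme", "active": True,
     "location": "app-builtin", "sourceURI": None,
     "defaultLocale": {"name": "Default"}},
]})

if __name__ == "__main__":
    report = audit_profile(SAMPLE_PREFS, SAMPLE_EXTENSIONS,
                           known_ids={"uBlock0@raymondhill.net"})
    print(json.dumps(report, indent=2))
```

Run `audit_profile_dir` against each profile folder and pass the IDs of the extensions you installed yourself as `known_ids`; anything left in `unknown_active_extensions`, or any proxy/homepage/search preference you did not set, is what a reinstall of the browser (which discards the profile's settings and plugins, as the answer recommends) would remove. A clean report does not prove the machine is clean, but it directly answers the narrower question the answer raises: whether the browser itself has been tampered with.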