Downloaded from the Internet
This malware is a malicious plugin for Chrome browsers. It runs code when users browse Facebook, enabling the plugin to control navigation.
To get a one-glance comprehensive view of the behavior of this malware, refer to the Threat Diagram shown below.
This malware may be unknowingly downloaded by a user while visiting malicious websites. It may be manually installed by a user.
21 Aug 2014
The malicious Google Chrome plugin is composed of the following files:
The file manifest.json will direct Google Chrome where to load background.js.
It prevents the removal of the malicious plugin. If users open a tab to chrome://extensions to check for malicious browser extensions, the plugin will close this tab immediately.
It removes the security option from the HTTP response header. This security option is typically used to avoid cross-site scripting attacks. The plugin removes it because it will inject script that does not belong to Facebook.
The malicious extensions employ the following evasion methods:
- Use of malicious multi-script files that work together. The malicious behavior is separated into multiple files. If each script file is analyzed independently, the overall malicious behavior may not be spotted and the files may be (mistakenly) thought to be clean.
- Use of fake file extensions to mislead analysis
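The following added example (not part of the original write-up and not Trend Micro's detection logic) shows one way to triage an unpacked Chrome extension for the behaviors and evasion methods listed above: it scans all files together instead of one at a time and flags script content stored under a non-script file extension. The indicator patterns, the function name `audit_extension` and the sample files are assumptions constructed for illustration; the page does not state which Chrome APIs the plugin calls.

```python
import json
import re

# Heuristic indicators for the behaviours described above (assumed patterns,
# matched over the extension's files as a whole rather than per file).
INDICATORS = {
    "references chrome://extensions": re.compile(r"chrome://extensions"),
    "closes tabs": re.compile(r"\btabs\.remove\b"),
    "rewrites response headers": re.compile(r"onHeadersReceived[\s\S]*?responseHeaders"),
}
SCRIPT_TOKENS = re.compile(r"\bchrome\.\w+|\bfunction\s*\(|\beval\s*\(")
SCRIPT_LIKE_EXT = (".js", ".json", ".html", ".htm", ".css")


def audit_extension(files):
    """files: {relative path: bytes} of one unpacked extension. Returns findings."""
    findings = []
    manifest = json.loads(files["manifest.json"].decode("utf-8"))
    background = manifest.get("background", {}).get("scripts", [])
    findings.append("background scripts: " + ", ".join(background))

    texts = {}
    for name, data in files.items():
        text = data.decode("utf-8", errors="ignore")
        texts[name] = text
        # Script code hidden behind a non-script file extension.
        if not name.lower().endswith(SCRIPT_LIKE_EXT) and SCRIPT_TOKENS.search(text):
            findings.append("script content under fake extension: " + name)

    # Join every file so behaviour split across scripts is still seen together.
    combined = "\n".join(texts.values())
    hits = {label for label, rx in INDICATORS.items() if rx.search(combined)}
    if {"references chrome://extensions", "closes tabs"} <= hits:
        findings.append("may close the chrome://extensions tab")
    if "rewrites response headers" in hits:
        findings.append("may modify HTTP response headers")
    return findings


# Constructed sample: inert fragments, split across files as the page describes.
SAMPLE = {
    "manifest.json": b'{"name": "sample", "background": {"scripts": ["background.js"]}}',
    "background.js": b'var watched = "chrome://extensions";',
    "helper.js": b'chrome.webRequest.onHeadersReceived.addListener(cb, f, ["blocking", "responseHeaders"]);',
    "logo.png": b'function () { chrome.tabs.remove(tabId); }',
}
```

Calling `audit_extension(SAMPLE)` reports the tab-closing indicator even though the URL string and the tab-removal call sit in different files, one of them named like an image.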
Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.
Scan your computer with your Trend Micro product to delete files detected as BREX_KILIM.LL. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information: