Google Chrome Critical Error Red Screen

I had the Google Chrome critical error red screen while browsing the weather station in the Google Chrome browser today. I've included a screen shot. I had to use task master to log off as clicking the red x to close was inoperative. It appears the hacker was trying to hold me ransom! This is the first time in a very long period I've experienced any problem with Google Chrome. I deleted the browser history, etc. and ran CCleaner. It has not appeared since. It never showed up in MSE, no warning or quarantine. Is the Google Chrome critical error red screen something to be concerned about as far as my computer system is concerned?

Another concern is this Trojan:JS/Flafisi.C and Trojan:JS/Flafisi.D that show up 2x to 4x daily while I'm surfing the internet. I have been using IE11 and surfing Yahoo internet for 3 to 4 years and have only seen MSE detect and quarantine other threats 4 or 5 times in the past. MSE is now detecting and quarantining Trojan:JS/Flafisi.C and/or Trojan:JS/Flafisi.D malware much more often. I informed the Microsoft community about the Trojan:JS/Flafisi.C and/or Trojan:JS/Flafisi.D a few days ago.

I use both IE11 and Google Chrome browsers for different applications and surfing the internet. Does anybody know why there has been a substantial increase in malware, threats, viruses, etc. in the past few months?

Thank you


Your screenshot proves it is a scam and you should just terminate it.

Try updating Windows and your anti-virus software and run a full system scan with it; also run a scan with Windows Defender Offline:

https://support.microsoft.com/en-us/help/17466/windows-defender-offline-help-protect-my-pc

16 people found this reply helpful


Did you read the reply to your post from March 25th? 

https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning-windows_7/trojanjsflafisic-trojanjsflafisid-threats-from-the/ac649263-18a7-4ab1-807b-72f40b23f8a2 

It's basically the same issue (but with a different popup) that others are seeing on the internet.

I saw it again yesterday for the first time since last month using Chrome on Win 10 - I also had to access Task Manager using Ctrl+Alt+Delete to shut it down. Aggravating but fixable.

If you'll get an adblocker as recommended in 

https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning-windows_10/trojanjsflafisid/ac4083ba-61de-4664-8c9e-df9012899ab5 that may help prevent this from occurring.

MVP Consumer Security 2014-2016
Windows Insider MVP 2016-2018

5 people found this reply helpful


This is a template that’s being used for different browsers, and I’m still seeing it, along with the fake Adobe Flash Player update (Trojan:JS/Flafisi.D) on the MSN news portal in Edge:

We’re almost certain now that this is the handiwork of a very widespread malvertising campaign, but why no one seems to have picked up on it yet is a mystery to me. These recurring detections are easy to explain if we assume that the attack vector is a compromised advertising domain – because the compromised domain gets another chance to deliver one of these malware-site redirects every time it gets reconnected to the host site, and we can thus explain these repeated attacks without postulating the presence of any persistent malware:

And in fact, many of us have actually been able to manage this issue by just installing an ad-blocker extension like uBlock Origin, which selectively prevents any suspect advertising domains from connecting to the host site. Although uBlock Origin also includes some granular script-blocking features, I've been able to manage the issue here with just the domain-blocking features that are enabled "out of the box". Ad-blocker extensions for Edge are available directly from the Edge Settings menu:

Settings and more > Extensions > Get Extensions from the Store

And the documentation, and instructions for installing uBlock Origin on other browsers, are available here:

https://github.com/gorhill/uBlock

GreginMich

7 people found this reply helpful


For anyone that is interested, I was not really all that concerned by this page appearing; I was more amused at how bad it looked and more interested to find out how it got there. Everything I found pointed to an amateur (like really amateur) operation. However, I was interested in how the code managed to compromise the Windows UI (so you couldn't close the window) and also decided to investigate whether it was locally generated (from an existing nasty on the system) or if it would have been 'sent' from an outside server.

In order to avoid having everyone zone out, I will skip the details of how I investigated and just go to what I found. Feel free to ask me about any part if you wish.

1. This page was SENT to the browser, in my specific case I was able to trace the event to a .onmouseclick -> http post get req sent -> SERVER fires back the evil RED window as a popup class.

2. Since some server somewhere was obviously hosting this garbage I decided to track them down and let them know. Seemed like it would most likely be a compromised, otherwise respectable system, or a dedicated server somewhere that must be behind several proxy or other such barriers. However, what I did find seemed like it was so amateur that I had to check more than once out of disbelief. The RED WARNING page is pretty much a mishmash of 'borrowed' code and, as far as I could find, had no potential for serious security threats. Simply launch the task manager and terminate the process.

Finally I called their name registrar to get the account banned (obvious violation of any TOS) but after 30 minutes on the phone got absolutely nowhere - "maybe you should contact Microsoft" they say!

I gave up but here's all the info:

current 4/5/2018


namecheap.com is the host and domain provider, for now at least, as I'm sure they will move on soon.

Finally I was unable to recreate the situation, so I could get another red warning screen, so if anyone knows how to do this please let me know.

17 people found this reply helpful


We appreciate your efforts here DMacG. These Tech Support Scam pages have traditionally locked up browsers by looping a JavaScript modal alert (dialog loop), which prevents the focus from being returned to the browser – although many of the newer scam pages loop through multiple elements. We’re calling what you’re describing a “malware-site redirect”, meaning that the MSN news portal page (for example) is being redirected to a malware domain by a redirect that gets piped in through a compromised “advertising” channel (thus the term “malvertising”). I can see this most clearly by monitoring/blocking MSN’s domain connections with uBlock Origin.

But now we’re getting reports that uBlock Origin isn’t filtering out some of these fake Adobe Flash Player update pages (Trojan:JS/Flafisi.D), and I’m wondering if you can determine whether these redirects are in fact standard JavaScript redirects that could potentially be filtered with uBlock Origin’s script or frame filters. I’m out of my element here, and would appreciate any insight on the nature of these redirects, and any suggestions on how we should customize uBlock Origin in the event that the default domain/request blocking settings fail to block these malvertising “threats”.

I do understand that the threat from these Tech Support Scam pages is mostly just that unsuspecting users might be scammed. But what we’re seeing most often, at least on the MSN news portal, is the fake Adobe Flash Player update malvertising template – and the most recent analysis of the FlashPlayer.hta program indicates that it’s a complex double-downloader that could easily be adapted to any kind of payload, including ransomware:

https://www.proofpoint.com/us/threat-insight/post/kovter-group-malvertising-campaign-exposes-millions-potential-malware-and-fraud

So I’m personally convinced that any of the affected high-profile portals need to be cleaned up ASAP. There are just too many unsuspecting users out there, many of them on PCs with older OSs, weak AV apps, and no ad-blockers. A local moderator did try to escalate this issue directly to Microsoft, but to no avail. So unless some internet security analytics team suddenly picks up on this current campaign, the only way that we’ll ever be able to sound the alarm is by reporting the high-profile host sites themselves as “unsafe”, which is exactly what I’m doing at this point.

I’m afraid that the SmartScreen reporting system was designed strictly for reporting a single malicious domain – which is pointless with these malvertising attacks, because the malware page itself is continually being reassigned to a newly-registered domain. And since the SmartScreen filter doesn’t seem to be smart enough to associate the host domain with the malicious domain, it looks like reporting the host domain as “unsafe” will be the only possible way to flag this issue for site owners. This is actually pretty easy to do with most of these redirects (including the Tech Support Scam pages, from what I’ve seen). In Edge, click on Settings > Send Feedback > Report Unsafe Site to report the malware domain – and then just click the browser page-back arrow to return to the host page – and report as "unsafe":

https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning-windows_10/windows-defender-vs-fraudulent-adobe-update/68c9bdad-94ef-4125-a265-53881ae8eee5

GreginMich

5 people found this reply helpful


I haven't had much time to do any real good research yet but since you were kind enough to give me such an informative reply I thought I would share what I did find so far.

I decided to do a little review of Windows event logs (always such fun!) to see what, if any, events had been triggered. I'm sure you already know that most browser activity is relatively segregated from the main OS for obvious reasons - so imagine my surprise to find out that there was a flurry of recorded events under 'Applications & Services -> Microsoft -> Windows -> Windows Defender -> Operational'.

When the 'fraud page' was loaded by Chrome it created a small cache file as would be expected, but that cache file was immediately recognized by a component of Windows Defender which automatically uploaded it to Microsoft AND didn't bother to notify me or even create a record in Defender itself. Further, event logs show that exactly 14 seconds after Microsoft received my file it activated the Dynamic Signature Service to retrieve additional signatures, which it adds to the system "standard" library. A total of 18 new signature updates were created and compiled, timestamped only 2 seconds before they were sent to me, all marked with a version number of 0.0.0.0. Then it was all over.

So, it would seem that Microsoft is indeed at least interested in this issue. Unfortunately I don't have access to anything more than this metadata because I would have to set up some targeted low level monitoring tools before the event took place.

The real challenge for me right now is finding a way to intentionally cause another event.  Do you have any information on that?

Also, my comments regarding the "fraud page" being a total amateur piece of garbage were really meant to say that there appeared to be a mismatch between that and the sophistication of the 'attack'. You are quite right that, while you or I may be hard targets, there are many other users that are at real risk. I see a serious cause for concern here: as you pointed out, the end user assumption that a high level domain such as msn.com is 'safe', add to that a more sophisticated (i.e. perceived as legitimate) redirect - NOT GOOD.

I would really like a chance to analyse the code involved to get a better idea of the mechanics before I were to speculate on an effective method for dealing with this issue. I just don't know enough to say anything useful.

1 person found this reply helpful


As I've mentioned to Greg already, nothing that either of you have found is surprising, since Microsoft obviously knew about these attacks or their ability to head off the more directly malicious versions wouldn't exist.

The questions that DMacG has brought up relating to the ability to repeat the attack are precisely what interested me most, since I've not only not been bothered by these due to my use of ad blocking, but had still been unable to experience any even once I'd removed both this and several other security settings I'd thought might interfere.

That has made me even more interested in any indications as to why I might not encounter these and also in the apparent inability of Yahoo, Microsoft and other major websites to stop them completely.

The first question I'd already at least partially answered to my satisfaction, though I've found even more detailed information relating to the targeting of such campaigns that's far more revealing. For example, though the following article is focused on attacks via Facebook, it's very interesting to see how the types of data Facebook has can be used to target such ads and also to protect them from those like us who might be attempting to investigate the campaigns.

https://www.bloomberg.com/news/features/2018-03-27/ad-scammers-need-suckers-and-facebook-helps-find-them

The most in depth technical discussion I've seen of both this and the reasons for the change from exploit kits to forced redirection are covered in the following article, which also discusses the 28 fake ad agencies they discovered being used to deliver malvertising campaigns in 2017.

Uncovering 2017’s Largest Malvertising Operation

So my own suspicion continues to be that Microsoft and Yahoo are fully aware of these campaigns and are simply using them to collect and collate the data required to identify and eventually involve law enforcement in the countries required in order to truly shut the perpetrators down for good.

As a side note DMacG, your thought that the "fraud page" was a total amateur piece of garbage, by which I assume you mean its badly worded and formatted appearance, is typically intentional. That's done to serve as an additional filter to keep more intelligent individuals from ever responding via phone. The reason is to avoid wasting the time of the often not highly capable telemarketing people initially answering the phone and operating via script.

Rob

[EDIT] As an aside, another suspicion I have relating to the targeting of these campaigns is that the articles being read may trend toward what might be considered conservative items. This may just be a side effect of other more specific targeting, but I'd be curious if that's something either of you might confirm.

Also DMacG, the most dependable method to experience these popups is browsing the types of websites where you might expect to be attacked, such as the seedier portions of the net.  However, these are probably more related to other specific campaigns that were known to target these less reputable zones in the past and so wouldn't necessarily provide the same attack profile.

https://www.proofpoint.com/us/threat-insight/post/kovter-group-malvertising-campaign-exposes-millions-potential-malware-and-fraud


Of course some of us no longer need to venture out into the hinterlands to study these malware-site redirects - because they're being delivered to our doorstep every day right along with the morning news. So the first thing to try would be just opening an MSN news page and then walking away for 15 minutes. That's usually enough for me.

Important Warning! Visiting the MSN news portal will be at your own risk, and these risks include, but are not limited to, being exposed to malware, Tech Support Scams, and crypto mining attacks.

I don’t have the time for stories or speculations, but I was happy to learn from the Confiant article that other people have also been focusing on these forced redirects, and I was frankly amazed to learn that Chrome had already implemented anti-redirect protection. So I’m guessing that a significant migration is already underway; and goodness knows how long it will take the Edge Team to figure this one out, and how long they’ll be playing catch-up. In the meantime though, maybe we can take a closer look at the nature of this forced redirect beast and see what configuration changes for uBlock Origin might be helpful in cases where the preconfigured domain/request blocking isn’t enough to prevent them.

https://blog.chromium.org/2017/11/expanding-user-protections-on-web.html

Looking a little deeper into the Confiant research confirmed my suspicions that these forced redirects are indeed essentially just simple JavaScript redirects, where window.top.location = "http://whatever.com" can be set from a cross-domain advertising iframe:

https://blog.confiant.com/how-bad-ads-hijack-your-browser-with-one-simple-trick-712ad3590a13

So this made me wonder if uBlock Origin’s frame blocking option might be something to try in cases where the preconfigured domain/request blocking isn’t effective in preventing the malware-site redirects. And reading this uBlock Origin support document convinced me that I was probably on the right track:

https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-Benefits-of-blocking-3rd-party-iframe-tags

This document specifically refers to the Proofpoint analysis that I had already adopted as the “standard model” for these forced redirects to the fake Adobe Flash Player update page in my original thread on this malvertising issue:  

https://www.proofpoint.com/us/threat-insight/post/kovter-group-malvertising-campaign-exposes-millions-potential-malware-and-fraud

https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning-windows_10/im-seeing-trojanjsflafisid-detections-and-tech/8fbe8eaf-1af0-4e76-9ab0-57828f631a5f

So I’m going to provisionally recommend the frame blocking option for add-on protection in cases where uBlock Origin doesn’t consistently block malicious redirects – but of course I'll still be anxious for any further information or suggestions that you can provide, DMacG.

GreginMich
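An added check from the defender's side, not code from this thread or from uBlock Origin: given a page's HTML, it flags the ad iframes whose sandbox policy would let window.top.location be set without a click, and suggests a hardened sandbox value. Assumptions: the regex tag scanner and the sample page are constructed for the example; the sandbox tokens are the standard HTML ones.

```javascript
// Added example, not code from the thread or from uBlock Origin: audit the
// <iframe> tags in a page's HTML and report which ones would let a cross-origin
// ad creative set window.top.location (the forced redirect discussed above).
// Assumption: a simplified regex tag scanner stands in for a real HTML parser.
const IFRAME_RE = /<iframe\b([^>]*)>/gi;
const ATTR_RE = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;

// Parse the attribute text of one <iframe ...> tag into a plain object.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  // A bare `sandbox` attribute with no value applies the strictest sandbox.
  if (!("sandbox" in attrs) && /(^|\s)sandbox(?=\s|$)/i.test(attrText)) attrs.sandbox = "";
  return attrs;
}

// Can framed content navigate the top-level page? With no sandbox attribute the
// browser default applies (Chrome 64+ demands a user gesture for cross-origin
// frames; older and other browsers may not), so treat it as permitted.
function topNavigationPolicy(sandboxAttr) {
  if (sandboxAttr === undefined) {
    return { canNavigateTop: true, needsGesture: false, reason: "no sandbox attribute" };
  }
  const tokens = new Set(sandboxAttr.toLowerCase().split(/\s+/).filter(Boolean));
  if (tokens.has("allow-top-navigation")) {
    return { canNavigateTop: true, needsGesture: false, reason: "allow-top-navigation" };
  }
  if (tokens.has("allow-top-navigation-by-user-activation")) {
    return { canNavigateTop: true, needsGesture: true, reason: "allow-top-navigation-by-user-activation" };
  }
  return { canNavigateTop: false, needsGesture: false, reason: "sandboxed without a top-navigation flag" };
}

// Sandbox value that still lets an ad run and follow a real click, but removes
// its ability to redirect the whole page on its own.
function hardenedSandbox(sandboxAttr) {
  const keep = (sandboxAttr ?? "allow-scripts allow-same-origin")
    .toLowerCase().split(/\s+/).filter((t) => t && t !== "allow-top-navigation");
  if (!keep.includes("allow-top-navigation-by-user-activation")) {
    keep.push("allow-top-navigation-by-user-activation");
  }
  return keep.join(" ");
}

// One finding per iframe: where it comes from and whether it can redirect the top page.
function auditIframes(html, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const findings = [];
  for (const m of html.matchAll(IFRAME_RE)) {
    const attrs = parseAttrs(m[1]);
    let host = null;
    try { host = new URL(attrs.src ?? "about:blank", pageUrl).hostname || null; } catch { host = null; }
    const policy = topNavigationPolicy(attrs.sandbox);
    const silent = policy.canNavigateTop && !policy.needsGesture;
    findings.push({ src: attrs.src ?? "", thirdParty: host !== pageHost, ...policy,
                    recommendedSandbox: silent ? hardenedSandbox(attrs.sandbox) : null });
  }
  return findings;
}

// The findings worth acting on: third-party frames that can redirect without a click.
function silentRedirectRisks(html, pageUrl) {
  return auditIframes(html, pageUrl).filter((f) => f.thirdParty && f.canNavigateTop && !f.needsGesture);
}

// Constructed sample page: three ad slots from an ad network plus a first-party widget.
const SAMPLE_PAGE = `<html><body>
<iframe src="https://ads.adnetwork.example/slot1"></iframe>
<iframe src="https://ads.adnetwork.example/slot2" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe sandbox="allow-scripts allow-top-navigation" src='https://cdn.adnetwork.example/slot3'></iframe>
<iframe src="/weather/widget" sandbox="allow-scripts allow-top-navigation-by-user-activation"></iframe>
</body></html>`;

console.log(silentRedirectRisks(SAMPLE_PAGE, "https://news.example/story").map((f) => f.src));
```

Run against a saved copy of a news page, the third-party frames it lists are the slots where a malicious creative could perform the redirect on its own; frames marked needsGesture can only do so after a real click.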


At this point I agree with your conclusion, enforce a strict policy of block with an opt in whitelist. If that is too much of a hassle for someone to deal with then I guess they can deal with the consequences also.

When you wrote:

"Of course some of us no longer need to venture out into the hinterlands to study these malware-site redirects - because they're being delivered to our doorstep every day right along with the morning news. So the first thing to try would be just opening an MSN news page and then walking away for 15 minutes. That's usually enough for me.

Important Warning! Visiting the MSN news portal will be at your own risk, and these risks include, but are not limited to, being exposed to malware, Tech Support Scams, and crypto mining attacks."

Are you saying that simply leaving your browser open on that page will generate an event within such a short period of time? I can't believe they aren't running around with a massive 'hair on fire' attempt to fix this. Can you give me the URL just so I can be sure I am using the correct one?

This issue is intriguing, annoying, and bizarre all in one. Like a real mystery, where all the major characters are acting in suspicious ways. I suspect there is still more to learn.


Sometimes within a minute, DMacG – and it was “bad news” again as usual this morning:


But the evening news is much better, since Microsoft has just answered my original thread – and hopefully returned it to its intended purpose of reporting these malvertising incidents. So my question – which was really just “doesn’t anybody care” has now been answered with a resounding “YES”. And I feel like a party here – which of course for me is just pineapple upside-down cake and premium coffee. When I look at the domain connections now, everything is suddenly “green”, so it does look like they’ve cleaned things up. HOWEVER, my MSN news test page that was running in the background just now crashed the Edge browser, so I’m afraid you’re right about “more work to be done”. The page for that one was:

https://www.msn.com/en-us/news/politics/trump-blasts-the-fbi-and-doj-for-slow-walking-their-response-to-a-republican-subpoena/ar-AAvB95U?ocid=spartandhp 

It almost looks like we might be dealing with something similar to the code that Zirconium developed to bypass Chrome’s redirect blocker:

https://blog.confiant.com/zirconium-was-one-step-ahead-of-chromes-redirect-blocker-with-0-day-2d61802efd0d

GreginMich

Question Info

Last updated November 29, 2020. Views 26,289.