An analysis of the malware, provided by BitDefender, explains how victims are asked to click on a link that takes them to a fake Google Chrome Extensions page offering them a download.
"Although the sham application has the same description as that of an original Google Chrome Extension, the first sign the more inquisitive users will get about it not being what they were looking for should be the fact that instead of the expected '.crx' extension, it features a flamboyant '.exe' tail," said Daniel Chipiristeanu, a virus researcher working at BitDefender.
The malware, identified by the company as Trojan.Agent.20577, changes the Windows hosts file, redirecting user access to the Google and Yahoo search pages. The redirection takes them to fake search pages that deliver results pointing to sites offering drive-by download malware.
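The hosts-file hijack described above is easy to check for from the defender's side. The following is an added example, not code from the article or from BitDefender: it parses a Windows-style hosts file and flags any entry that maps a Google or Yahoo domain to a non-loopback address, which is the symptom the trojan leaves behind. The sample hosts content is constructed for illustration, and the 203.0.113.x addresses are documentation-range placeholders, not an indicator from the report.

```python
"""Detect hosts-file redirection of search-engine domains (added example)."""
import ipaddress
import sys

# Base domains the article says were redirected. Subdomains such as
# www.google.com or search.yahoo.com are matched by suffix.
WATCHED_DOMAINS = ("google.com", "yahoo.com")  # assumption: illustrative watch list

# Constructed sample of a tampered Windows hosts file (not a real capture).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.google.com   # sinkholed locally, not a redirect to an attacker
203.0.113.5     www.google.com
203.0.113.5     www.yahoo.com search.yahoo.com   # one line, two hostnames
0.0.0.0         ads.example.invalid
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blank and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing/inline comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no hostname is not a mapping
        ip = parts[0]
        for host in parts[1:]:
            yield ip, host.lower()


def is_local(ip):
    """True for loopback or unspecified (0.0.0.0 / ::) addresses, which are
    the normal way to sinkhole a name rather than redirect it elsewhere."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # not an IP at all; treat as suspicious
    return addr.is_loopback or addr.is_unspecified


def is_watched(host, watched=WATCHED_DOMAINS):
    """Match the base domain or any subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in watched)


def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Return [(hostname, ip), ...] for watched names pointed at non-local addresses."""
    return [
        (host, ip)
        for ip, host in parse_hosts(text)
        if is_watched(host, watched) and not is_local(ip)
    ]


if __name__ == "__main__":
    # Usage: python hosts_check.py [path-to-hosts-file]
    # On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for host, ip in find_hijacks(content):
        print(f"SUSPICIOUS: {host} -> {ip}")
```

Entries that point a watched name at 127.0.0.1 or 0.0.0.0 are deliberately not flagged, since that is how ad-blocking hosts lists and local sinkholes legitimately work; the signal for this family is a search domain resolving to a remote address the user never configured.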
Google has done its best to secure its Chrome browser by developing sandbox operation as an architectural feature from the ground up. However, the company is unable to guarantee the security of its plug-in technology, because plug-ins are developed by third parties. Plug-ins cannot be sandboxed in the same way that the rendering engine can, and attempts to do so have caused compatibility problems in the past, according to Brian Rakowski, director of product management for Chrome at Google.
Although Google Chrome still has a relatively small share of the browser market, it is obviously generating enough interest to get malware distributors interested in using the product as a social engineering vector for the distribution of malware tools. They clearly chose to develop a fake extension, rather than a real one containing malicious code, because operating outside of Google's ecosystem makes it harder for the company to block access to the malicious code.