The ‘Art’ of Fake Anti-Virus Software

Hi, everyone. I am very excited to announce that I recently joined McAfee Labs. As many of you know, I have spent more than 20 years doing anti-virus (AV) development and research. Needless to say, I am not happy to see the new developments in fake AV software.

Fake AV developments began only a few years ago, but their delivery mechanisms evolved rapidly. Cybercriminals hired talented attackers and developers to implement one of the largest fake AV attacks so far, which used Google Image Search poisoning and involved millions of users.

Recently, I searched for my own name on Google, looking for an old picture from a conference. To my surprise, a lot of strange pictures showed up on the top search page that were seemingly not related to my search.

I quickly realized that the bizarre pictures referenced hacked websites, which redirected my browser to yet another compromised machine in an attempt to deliver new variants of fake AV products for my Mac.

This attack is impressive in the manner in which it can trick the user. Through JavaScript, it makes Safari appear as if a fake scan is taking place in a search for “threats” while the actual window uses elements from Finder. (If you use IE, your browser will start to look like Windows Explorer and a similar fake AV scan takes place.)

At the same time, a download starts that delivers an installation package of the fake AV product MacDefender and its variants. Revisiting the site a day later, I saw a change in the package’s content, and further research revealed that the new version did not require an OS X password to start installation, as noticed a day earlier. I wondered how long it would take for the bad guys to run the whole installation via an exploit.

(Note: Safari’s option of “Open Safe Files After Downloading” needs to be enabled for the downloads to run, and JavaScript needs to be enabled, too. These are the default options. Disabling these options can help to mitigate the attack.)

How did the attackers get this far? Cybercriminals prepared this attack for several months, and implemented it in several stages.

Stage 1: The first step of the attack involved the discovery of FTP passwords for websites. Although the exact method for obtaining these credentials is unknown, FTP software often stores passwords in plain text, or in easily recoverable forms. Once the attackers collected enough FTP accounts for several hundred websites, they began the second stage of the attack. (This observation is based on reviews of FTP logs for logins and uploads on compromised sites.)
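The kind of FTP log review mentioned above can be automated. The following is an added example, not code from the original post: it assumes the server writes the common xferlog transfer-log format, and the sample lines, account name, `KNOWN_HOSTS` allowlist and extension list are constructed for illustration.

```python
import posixpath

# Constructed xferlog-format sample (documentation IP ranges), not from a real site.
SAMPLE_XFERLOG = """\
Mon Mar  7 09:14:02 2011 1 198.51.100.10 20480 /www/images/logo.png b _ i r webadmin ftp 0 * c
Tue Mar  8 10:02:41 2011 1 198.51.100.10 5120 /www/index.html a _ i r webadmin ftp 0 * c
Sat Apr  2 03:11:19 2011 1 203.0.113.77 8192 /www/images/gal.php a _ i r webadmin ftp 0 * c
Sat Apr  2 03:11:25 2011 1 203.0.113.77 1024 /www/.htaccess a _ i r webadmin ftp 0 * c
Sun Apr  3 11:30:00 2011 1 198.51.100.10 4096 /www/contact.php a _ i r webadmin ftp 0 * c
Sun Apr  3 12:00:00 2011 2 192.0.2.44 20480 /www/images/logo.png b _ o a anonymous ftp 0 * c
"""
# Assumption: the site owner knows which hosts normally upload for each account.
KNOWN_HOSTS = {"webadmin": {"198.51.100.10"}}
SCRIPT_EXTS = (".php", ".phtml", ".cgi", ".pl")

def parse_xferlog_line(line):
    """Split one xferlog record; the nine trailing fields are counted from the right."""
    f = line.split()
    if len(f) < 18:          # 5 date tokens + 13 fields
        return None
    return {"when": " ".join(f[:5]), "host": f[6], "path": " ".join(f[8:-9]),
            "direction": f[-7], "user": f[-5], "status": f[-1]}

def suspicious_uploads(log_text, known_hosts):
    """Return completed uploads from unknown hosts and/or of server-side scripts."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_xferlog_line(line)
        # Only completed ("c") incoming ("i") transfers are uploads.
        if rec is None or rec["direction"] != "i" or rec["status"] != "c":
            continue
        reasons = []
        if rec["host"] not in known_hosts.get(rec["user"], set()):
            reasons.append("unknown-host")
        name = posixpath.basename(rec["path"]).lower()
        if name.endswith(SCRIPT_EXTS) or name == ".htaccess":
            reasons.append("script-upload")
        if reasons:
            findings.append((rec["when"], rec["user"], rec["host"], rec["path"], reasons))
    return findings

if __name__ == "__main__":
    for when, user, host, path, reasons in suspicious_uploads(SAMPLE_XFERLOG, KNOWN_HOSTS):
        print(f"{when}  {user}@{host}  {path}  [{', '.join(reasons)}]")
```

Entries that carry both reasons, a script uploaded from a host the account has never used, are the ones to review first.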

Stage 2: Using FTP and the stolen passwords, the attackers began uploading malicious PHP scripts to compromise the websites. These PHP scripts could create a lot of HTML content. A very sophisticated automation was used to identify top Google search keywords and to combine them with top Google Image searches. The result is a ton of junk HTML that reads like a junk blog: a section of text and pictures linked from other websites.

Notice my name in the text. What a nice haiku!

“CAKE IMPROVES WITH A CHOCOLATE PETER SZOR FOR OCT, PAGE DOG THING HAS BEEN TIME, SO MAKETHE CHEESECAKE FACTORY CHOCOLATE ORANGE PECAN, THE CHEESECAKE AND ITEMS , REY AND OTHER COURSE RECIPES FOR CHOCOLATE CHEESECAKE LIKE THIS PHOTO ACTUAL COPYCAT RECIPE BON CHEESECAKEALAS”

The actual picture returned by Google for my search had a reference right above this text. The actual PHP attack script identifies that the page is visited via Google Image Search. This helps to hide the attack from the web master.

Stage 3: Because the generated pages have been linked into the actual content of the hacked website, Google’s robots start to index them. The generated HTML pages made sure that the robots would take them by identifying them as keywords. Also, they requested that the robots not cache the page’s content, making it harder to discover the compromised sites in bulk because easily searched cached content would not be available.
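A webmaster can look for the page traits described in Stages 2 and 3 in the site's own files: a request that robots keep no cached copy, combined with pictures linked from other websites. The following is an added example, not code from the original post; the `noarchive` robots directive is assumed to be how the no-cache request was made, and the site name, sample pages and thresholds are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class PageSignals(HTMLParser):
    """Collect the two traits described above from one HTML page."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.noarchive = False      # robots asked not to keep a cached copy
        self.images = 0
        self.hotlinked = 0          # <img> served from another host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() in ("robots", "googlebot"):
            if "noarchive" in (a.get("content") or "").lower():
                self.noarchive = True
        elif tag == "img":
            self.images += 1
            host = urlparse(a.get("src") or "").hostname
            if host and host != self.site_host:
                self.hotlinked += 1

def flag_planted_pages(pages, site_host, min_images=3, min_ratio=0.8):
    """Return paths that combine noarchive with mostly hotlinked images.
    min_images and min_ratio are illustrative thresholds, not values from the article."""
    flagged = []
    for path, html in sorted(pages.items()):
        p = PageSignals(site_host)
        p.feed(html)
        if p.noarchive and p.images >= min_images and p.hotlinked / p.images >= min_ratio:
            flagged.append(path)
    return flagged

# Constructed sample pages for a hypothetical site www.example.org.
SAMPLE_PAGES = {
    "/index.html": '<html><body><img src="/img/logo.png"><p>Welcome.</p></body></html>',
    "/news.html": '<meta name="robots" content="noarchive"><img src="/img/a.png">',
    "/gallery/cheesecake.html": (
        '<meta name="robots" content="index, follow, noarchive">'
        '<img src="http://photos.example.net/1.jpg"><img src="http://pics.example.com/2.jpg">'
        '<img src="//cdn.example.net/3.jpg"><p>CHOCOLATE CHEESECAKE RECIPE PHOTO</p>'),
}

if __name__ == "__main__":
    print(flag_planted_pages(SAMPLE_PAGES, "www.example.org"))
```

Neither trait is conclusive alone, so the check only flags pages that show both; flagged files still need a manual look and a comparison against the site's known content.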

Stage 4: The attackers needed to wait. A lot of content had been generated on these hacked sites, thousands and thousands of HTML pages, with interesting pictures being referenced. The attackers requested that Google index the sites to make this a little faster. But they needed to be patient. Once the pictures were populated to Google Image Search, people started clicking on them, which also took some time. Eventually, many of these pictures ended up on the first page for selected keyword searches.

Stage 5: Once enough Google references were poisoned, the attackers started the distribution of fake AV products. When you visit the hacked sites from Windows, they distribute fake AV for Windows. A visit from Safari on the Mac delivers different flavors of fake AV for the Mac: complete packages or downloaders. Eventually these installations ask for credit card information. And to make sure that you believe that your machine is infected, they have a fully supported UI. In the background they bring up porn sites to scare you. The application installation references the fake AV from the login items, so whenever you log in the application will be launched again. The Mac packages contain “fat binaries,” which have both 32-bit and 64-bit executable content.

Each compromised website has a list of IP addresses that belong to compromised machines, or free domain registration services, which were registered by the attacker in advance. The malicious scripts planted on the hacked sites forward the Google Image Search requests to one of these addresses, which host malicious JavaScript to play tricks with the browser. Furthermore, the installation package is localized to English and Russian.

As I write this, Google is doing a great job of throwing out the bad references. Apple is also getting involved in the cleanup process, promising detection and remediation for the Mac variation of the attack.

At McAfee we are dedicated to delivering real-time protection against these attacks, as well as thousands of others, each day.