What a fake antivirus attack on a trusted website looks like

Invincea

Malware that masquerades as legitimate antivirus programs is one of the more insidious threats to plague people browsing websites. In many cases, attackers rely on simple text and graphics to trick visitors into thinking they're on the verge of a successful drive-by attack and deliver the warning under the guise of a trusted security application. People who fall for the ruse by following the advice presented in the advisory end up infecting themselves.

A recently captured video of one of these attacks in progress demonstrates why they continue to work—at least on less-experienced users who, despite their lack of savvy, know enough to be wary of online attacks. Shortly after visiting a legitimate site, the computer presents a window carrying the name of a well-known security application, in this case Microsoft Security Essentials. The window provides a plausible warning and recommends the user take immediate action to head off imminent infection. The video was shot by researchers from security firm Invincea as they browsed to the main page of Dailymotion.com.

As convincing as the attacks are to some, the video makes clear that these scams aren't usually hard to spot by people with a small amount of training. Malware warnings, for instance, should never require a user to install an executable file, as the warning in the video does. Legitimate malware warnings will also never be delivered in a browser window and should be generated only by anti-malware programs already installed. When in doubt, users who receive malware warnings should close the browser altogether and see if the pop-up window persists. Opening an antivirus program from the Windows start menu and running a scan from there is also a good move.


‘System Progressive Protection’ Another Form of Fake AV

System Progressive Protection, a new malware pretending to be antivirus software, first appeared a couple of days ago. It belongs to the Winwebsec family of rogue security products. The malware is distributed by drive-by downloads or is dropped and executed by other malware. It blocks its victims from accessing any other application on an infected machine. It claims to detect infections and displays alerts to scare users into purchasing protection. Rogue software of this kind extorts money from PC owners to “fix” their systems. In reality, this program doesn’t scan your computer at all.

Once the “scan” is complete, System Progressive Protection scares its victims by reporting that several applications are infected with malware. The malware also connects to IP address 112.121.178.189 on port 1214. At this point the victim cannot run any applications: the malware claims every one of them is infected.

When the victim attempts to activate System Progressive Protection, a web page opens and asks for an online payment.

The malware tells its victims to enter the activation code.


After victims enter the activation code, they can again use their applications, but the fake AV still remains on the machine.

After registering, victims see a message that all the infections have been cleaned. They also get an Internet shortcut file to System Progressive Protection support.

This web page appears to offer a user guide, support, and FAQ.

The malware writes a new file (compressed with PECompact) in memory and executes it.

The encrypted data is taken from .rsrc section.

Files dropped on the victim’s machine after infection:

  • %Desktopdir%\System Progressive Protection.lnk
  • %Programs%\System Progressive Protection\System Progressive Protection.lnk
  • %AppData%\[random]\[random].exe

Registry entries to be removed:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "[SET OF RANDOM CHARACTERS]"
  • HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Uninstall\System Progressive Protection\

Removing this rogue AV is comparatively easy: the dropped files and registry entries must be deleted. The malware blocks many of the victim’s applications but not Internet Explorer, so victims can still get online to seek help from antimalware websites.

Advice to Customers

Keep your systems updated with the latest patches. Ensure your antimalware protection is up to date. Use a reputable firewall. Beware of drive-by downloads when visiting any new websites.

‘Win 8 Security System’ Another Fake-Antivirus Malware

We discovered another fake antivirus/antimalware tool late in August. The “Windows 8 Security system” claims to detect infections, and displays alerts to scare users into purchasing protection. The real infection, of course, is the Win 8 Security System itself. It’s no surprise that developers of rogue antivirus software are playing up the connection to Windows 8, which Microsoft plans to release at the end of October.

Win 8 Security System is quite similar to the fake AV product Windows Ultra-Antivirus and is extremely aggressive and hard to remove. A victim’s system gets infected with Win 8 Security System after visiting an infected website. Recent exploits show how easy it is to fall victim to rogue software like Win 8 Security System, which extorts money from PC owners to “fix” their systems. McAfee Labs recommends disabling Java in your browsers and running your antimalware software with real-time protection enabled. You should also be careful when downloading files from torrents or clicking on email and chat links.

Win 8 Security System displays many fake alerts and messages and shows a scan window at every system boot. The scan reports a long list of detections, all of them fake.

Win 8 Security System also raises alerts from the taskbar.

The rogue makes sure the compromise persists so that you cannot easily detect and remove the infection; treat every unexpected security alert or computer scanner report with suspicion.

It is not easy to remove Win 8 Security System. To protect its files, it comes with a rootkit, which is present in %System%\drivers\[random2].sys, with "[random2]" the filename of the rootkit, for example %System%\drivers\142da10e6b8dcd07.sys.

The malware creates the following registry elements:

  • HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication
  • HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212
  • HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_A7042B1
  • HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_A7042B1\0000
  • HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_A7042B1\0000\Control
  • HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_FEC477ED59233A7A
  • HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_FEC477ED59233A7A\0000
  • HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_FEC477ED59233A7A\0000\Control
  • HKLM\SYSTEM\ControlSet001\Services\fec477ed59233a7a
  • HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_A7042B1
  • HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_A7042B1\0000
  • HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_A7042B1\0000\Control
  • HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEC477ED59233A7A
  • HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEC477ED59233A7A\0000
  • HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEC477ED59233A7A\0000\Control
  • HKLM\SYSTEM\CurrentControlSet\Services\fec477ed59233a7a
  • HKLM\SYSTEM\ControlSet002\Services\Abiosdsk\Tag: 0x00000003
  • HKLM\SYSTEM\ControlSet002\Services\Abiosdsk\Type: 0x00000001
  • HKLM\SYSTEM\ControlSet002\Control\CurrentUser: "USERNAME"
  • HKLM\SYSTEM\ControlSet002\Control\WaitToKillServiceTimeout: "20000"
  • HKLM\SYSTEM\ControlSet002\Services\NtmsSvc\Parameters\ServiceDll: "%SystemRoot%\system32\ntmssvc.dll"
  • HKLM\SYSTEM\ControlSet002\Services\NtmsSvc\Parameters\ShutdownTimeout: 0x0000753

Files added:

  • C:\Documents and Settings\XXXXX\Desktop\Buy Win 8 Security System.lnk
  • C:\Documents and Settings\XXXXX\Desktop\Copy of 495140948.exe
  • C:\Documents and Settings\XXXXX\Local Settings\Application Data\ec86da9ac566d59f.exe
  • C:\Documents and Settings\XXXXX\Start Menu\Programs\Win 8 Security System\Buy Win 8 Security System.lnk
  • C:\Documents and Settings\XXXXX\Start Menu\Programs\Win 8 Security System\Launch Win 8 Security System.lnk
  • C:\WINDOWS\system32\drivers\fec477ed59233a7a.sys

Folders added:

  • C:\Documents and Settings\XXXXX\Start Menu\Programs\Win 8 Security System
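A report-only triage check for the artifacts listed in both write-ups above: the System Progressive Protection shortcuts, Uninstall key and RunOnce launcher, and the Win 8 Security System driver, service and LEGACY_* device entries. This is an added example, not McAfee Labs code; the function Add-Finding, the $hex16 pattern and the report format are the example's own, and matching the RunOnce value against AppData\Roaming is an assumption derived from the %AppData%\[random]\[random].exe path given above.

```powershell
# Added example, not from the original posts: report-only triage for the indicators
# listed above. Run in an elevated PowerShell; nothing is deleted, since the write-up
# leaves removal to experienced users. Names such as Add-Finding and $hex16 are the example's own.

$findings = New-Object 'System.Collections.Generic.List[string]'
$hex16 = '^[0-9a-f]{16}$'   # shape of the random names seen above, e.g. fec477ed59233a7a

function Add-Finding([string]$Kind, [string]$Detail) {
    $findings.Add(('{0}: {1}' -f $Kind, $Detail))
}

# --- System Progressive Protection: shortcuts, Uninstall key, RunOnce launcher ---
foreach ($p in @("$env:USERPROFILE\Desktop\System Progressive Protection.lnk",
                 "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\System Progressive Protection")) {
    if (Test-Path -LiteralPath $p) { Add-Finding 'SPP shortcut' $p }
}
$uninst = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\System Progressive Protection'
if (Test-Path -LiteralPath $uninst) { Add-Finding 'SPP Uninstall key' $uninst }
$runOnce = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
if (Test-Path -LiteralPath $runOnce) {
    foreach ($v in (Get-ItemProperty -LiteralPath $runOnce).PSObject.Properties) {
        if ($v.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
        # assumption: %AppData%\[random]\[random].exe expands under AppData\Roaming
        if ("$($v.Value)" -match '\\AppData\\Roaming\\[^\\]+\\[^\\]+\.exe') {
            Add-Finding 'RunOnce launcher under %AppData%' ('{0} = {1}' -f $v.Name, $v.Value)
        }
    }
}

# --- Win 8 Security System: rootkit driver, service and LEGACY_* device entries ---
Get-ChildItem -LiteralPath "$env:SystemRoot\System32\drivers" -Filter '*.sys' -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -match $hex16 } |
    ForEach-Object { Add-Finding 'Driver with 16-hex-char name' $_.FullName }
Get-ChildItem -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match $hex16 } |
    ForEach-Object { Add-Finding 'Service with 16-hex-char name' $_.Name }
Get-ChildItem -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'LEGACY_*' } |
    ForEach-Object { Get-ChildItem -LiteralPath $_.PSPath -ErrorAction SilentlyContinue } |  # instance keys (0000, ...)
    ForEach-Object {
        $desc = (Get-ItemProperty -LiteralPath $_.PSPath -Name DeviceDesc -ErrorAction SilentlyContinue).DeviceDesc
        # a legacy "device" described by an .exe rather than a driver name matches the entries above
        if ($desc -match '\.exe$') { Add-Finding 'LEGACY device described by an .exe' ('{0} ({1})' -f $_.Name, $desc) }
    }

if ($findings.Count -eq 0) { 'No artifacts from these write-ups found.' } else { $findings }
```

Any hit is a lead for the operator, not a verdict; the 16-hex-character name pattern in particular should be confirmed against the file's signature and the service's ImagePath before anything is removed.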

Although it is possible to remove Win 8 Security System manually, a mistake in the process can permanently damage your system, and advanced spyware parasites can often repair themselves if they are not completely removed. We therefore recommend manual spyware removal only for experienced users, such as IT specialists or highly qualified system administrators. Other users should rely on their desktop security software. McAfee identifies and deletes this infection as “Win 8 Security System.”

Win 8 Security System is a typical rogue, or fake, antivirus program. After infecting a system, it scares its victim into buying the “product” by displaying fake security messages stating that the computer is infected with spyware or other malware and that only this product can remove it once the trial version is downloaded. As soon as the victim downloads Win 8 Security System, it pretends to scan the computer and reports a grossly exaggerated number of nonexistent threats. It then recommends buying the full version to fix these false errors. If the user agrees, Win 8 Security System not only “fixes” the errors but also takes the user’s money and may even install additional spyware on the victim’s computer.

Thanks to my colleague Niranjan Jayanand for the sample.

Ransomware Can Strike Anywhere

This past weekend, various postgraduate students in France ended their academic year by making final modifications in their theses.

On Sunday, I assisted some of them. While browsing the Internet for some last-minute data, they suffered the fright of their lives: the sudden closing of their Microsoft Word software–without prompting to save their data–no more Internet access, the inability to reopen any application, and a series of pop-up windows warning of a malware infection and asking for a payment (US$89.95) to remove the threat and restore their systems.

In this case the students had searched for some Facebook statistics to finalize their studies and joined a WordPress blog, which would never be suspect but was infected with “ransomware”–fake-alert malware that pretends to be security software and requires a “subscription” to clean the system.

A half-hour later, I was able to locate the copies of their unsaved precious documents (*.asd files in C:\Users\[Username]\AppData\Roaming\Microsoft\Word\) and to recover them on a clean computer. The disaster averted, I restarted the infected computers in Safe Mode, cleaned the registries, and extracted the malicious file for my own use.

I discovered the malware has been detected and cleaned as FakeAlert-SecurityTool.er with our most recent DAT files.

I share this story to remind you that malware does not happen only to others. Three students almost lost the culmination of their scholastic efforts. In other circumstances, the situation could have perhaps escalated to more critical results. Individuals making scareware and ransomware prey on the fear of their victims to extort money. Malware researchers are doing their part; we will be satisfied only when these crooks end up behind bars.