sophos what is fakeav wpna
Post on 06-Apr-2018
8/3/2019 Sophos What is Fakeav Wpna
May 2010
A Sophos white paper
What is FakeAV?
FakeAV or Fake AntiVirus, also known as Rogue AntiVirus, Rogues, or ScareWare, is a class of malware that displays false alert messages to the victim concerning threats that do not really exist. These alerts prompt users to visit a website where they are asked to pay for these non-existent threats to be cleaned up. The FakeAV continues to send these annoying and intrusive alerts until a payment is made.
This paper provides insight into where FakeAV comes from, what happens when a system is infected with FakeAV, and how users can protect themselves from FakeAV.
Introduction
FakeAV or Fake AntiVirus, also known as Rogue AntiVirus, Rogues, or ScareWare, is a class of malware that displays false alert messages to the victim concerning threats that do not really exist. These alerts prompt users to visit a website where they are asked to pay for these non-existent threats to be cleaned up. The FakeAV continues to send these annoying and intrusive alerts until a payment is made.
This paper provides insight into where FakeAV comes from, what happens when a system is infected with FakeAV, and how users can protect themselves from FakeAV.
During the last year, the number of FakeAV executables has grown enormously. SophosLabs has seen the quantity of unique variants grow from less than 1,000 to well over half a million. This huge rise in popularity among malware writers is primarily due to the direct revenue source that FakeAV provides. Compared to other classes of malware such as bots, backdoor Trojans, downloaders and password stealers, FakeAV draws the victim into handing money over directly to the malware author. FakeAV is also associated with a thriving affiliate network community that makes large amounts of money by driving traffic toward the stores of their partners [1].
Typical signs of infection
FakeAV usually uses a large array of social engineering techniques to get itself installed. Campaigns have included:
Fake Windows Security Updates [2]
Fake Virus-Total pages [3]
Fake Facebook app [4]
9/11 scams [5]
Once on a system, there are many common themes in its behavior:
Popup warnings: Many FakeAV families will display popup messages in the taskbar:
[Figures 1 to 4: taskbar popup warnings; screenshots are in the appendix]
Fake scanning: The FakeAV will typically pretend to scan the computer and find non-existent threats, sometimes creating files full of junk that will then be detected [6]:
FakeAV uses an enormous range of convincing names to add to the illusion of legitimacy, such as:
AntiSpyWarePro
Antivirus Plus
Antivirus Soft
Antivirus XP
Internet Security 2010
Malware Defense
Security Central
Security Tool
Winweb Security
XP Antivirus
Digital Protector
XP Defender
CleanUp AntiVirus
There can be many thousands of variants for each family, as techniques such as server-side polymorphism are used heavily to alter the FakeAV executable. This is a process whereby the executable is re-packaged offline and a different file is delivered when a download request is made. This can happen many times during a 24-hour period. One particular family that calls itself Security Tool [7] has been known to produce a different file nearly every minute. This is how a single family can have such large numbers of samples.
Many families also share a common code base underneath the polymorphic packer, where the application is simply re-skinned with a different look and feel but the behavior remains the same.
[Figures 5 to 7: fake scanning screens; screenshots are in the appendix]
Infection vectors
How do people get infected with FakeAV?
Although there are many different ways that a specific FakeAV may get onto a system, the majority of distribution avenues rely on social engineering. Ultimately, the user is tricked into running the FakeAV installer executable, in a way similar to many other types of Trojans. FakeAV authors have used a huge range of different social engineering tricks and continue to come up with new ones all the time.
In this paper, we review several main sources of FakeAV infection:
Search engine optimization poisoning
Email spam campaigns
Compromised websites and exploit payloads
FakeAV downloads by other malware
Search engine optimization poisoning
A very common source of FakeAV infection is following results received from popular search engines while searching for topical terms. FakeAV authors ensure that links leading to FakeAV download sites feature prominently in search results by using blackhat SEO techniques [8]. These poisoned results redirect users to a FakeAV-controlled website that displays a fake scanning page, informing them that their computer is infected and that they must download a program to clean it up. Alternatively, a fake movie download page may be displayed, where users are prompted to download a codec in order to view the movie. This codec is in fact a FakeAV installer.
Google Trends [9] is a service provided by Google that highlights popular search terms entered into its search engine. Here is an example of how search terms taken from Google Trends are poisoned by FakeAV authors.
Let's do a search over the last 24 hours for pages containing terms from Hot Searches:
[Figure 8: Google Trends Hot Searches; screenshot is in the appendix]
Picking several of the terms and performing a search for them will produce several poisoned results:
Clicking on these links takes users to a fake scanning page, where they are told they have multiple infections and need to download a program to remove the threats:
[Figures 9 to 12: poisoned search results and fake scanning pages; screenshots are in the appendix]
Or, users are taken to a fake movie download page where they are told they need to download a codec to view the movie:
In each case, users are tricked into downloading and running an unknown executable, which is the FakeAV installer.
Spam campaigns
FakeAV is often sent directly to the victim as an attachment or as a link in a spam message. The message is predominantly sent through email, but other forms of spam have also been observed to deliver FakeAV, such as instant messaging applications including Google Talk [10]. The spam message itself usually uses social engineering techniques to trick users into running the attached file or clicking on the link. Specific campaigns vary and include password reset, failed delivery message and "You have received an ecard" scams.
Examples of email spam campaigns spreading FakeAV include:
Account suspension scams: Victims receive an email message suggesting access to a specific account has been terminated and they need to run the attached file to fix the issue.
Ecard scams: An email is received purporting to be from a legitimate ecard company. In fact, a FakeAV installer is attached.
[Figures 13 to 16: fake codec page and spam examples; screenshots are in the appendix]
Password reset scams: Victims receive a message supposedly from a popular website, informing them that their password has been reset and the new one is in the attached file.
Package delivery scam: Details of a (fictitious) recent postal delivery are included in an attached file. In reality, the attachment will install FakeAV.
Compromised websites and exploit payloads
Users can sometimes be sent to FakeAV websites by browsing legitimate websites that have been compromised, where malicious code has been injected into the page. This can be achieved by penetrating the target website's hosting server and appending (typically) JavaScript to HTML pages hosted there. This redirect code can be used to send the browser to any type of malware hosting page, including exploit kits and FakeAV. This JavaScript code is almost always heavily obfuscated, and Sophos detects this type of malware as variants of Troj/JSRedir [11].
SophosLabs has also seen hackers compromise legitimate web-based advertising feeds to ensure that malicious code is loaded instead. This may take the form of an exploit that downloads and executes a FakeAV binary as the payload, or a simple iframe that redirects the browser to a FakeAV web page [12, 13].
FakeAV downloads by other malware
FakeAV can be downloaded onto a machine by other types of malware. SophosLabs maintains many honeypot machines that are seeded with different malware, in order to observe their behavior and ensure protection is maintained when new variants are downloaded. We have seen several families install FakeAV onto an infected machine, most notably TDSS, Virtumundo and Waled [14]. The infamous Conficker worm was also observed to install FakeAV onto infected computers [15]. In this way, a hacker that has infected a computer with TDSS or Virtumundo can extract more money from victims by forcing them to pay for FakeAV.
[Figures 17 and 18: screenshots are in the appendix]
FakeAV families
We now explain in more detail the behavior of FakeAV once it has made its way onto a target system.
Registry installation
FakeAV's typical behavior is to copy the installer to another location on the system and create a registry entry that will run the executable on system startup.
The installer is often copied into the user's profile area (e.g., C:\Documents and Settings\\Local Settings\Application Data), or into the temporary files area (e.g., c:\windows\temp), with a randomly generated file name. This makes the FakeAV UAC-compliant on Windows machines that have UAC [16] enabled, thus avoiding a UAC warning popping up during installation. However, some families still do not care about UAC and create their files in the Program Files or Windows folders.
A run key entry is then created in the registry that will run the file when the system starts up. Typically, this will be added to one of the following:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Examples:
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name: wpkarufv
Data: c:\documents and settings\\local settings\application data\tqaxywicl\chgutertssd.exe
Key: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Value name: CUA
Data: c:\windows\temp\sample.exe
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name: 85357230
Data: c:\documents and settings\all users\application data\85357230\85357230.exe
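The installation pattern above (a randomly named executable in a profile or temp directory, registered under a Run or RunOnce key) is something a defender can check for in an autostart inventory. The following is an added example, not code from the Sophos paper: it scores exported Run/RunOnce entries against that pattern. The sample entries are constructed (modelled on the examples above, with "bob" standing in for the elided user name), and the random-name heuristic and score thresholds are assumptions for illustration.

```python
# Audit Run/RunOnce autostart entries for the FakeAV installation pattern: a randomly
# named executable in Local Settings\Application Data, the Windows temp folder or
# All Users\Application Data, registered for startup. Added example, not from the paper.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample (key, value name, command), modelled on the paper's examples,
# plus one benign vendor entry; "bob" stands in for the elided user name.
SAMPLE_ENTRIES: List[Tuple[str, str, str]] = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "wpkarufv",
     r"c:\documents and settings\bob\local settings\application data\tqaxywicl\chgutertssd.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "CUA",
     r"c:\windows\temp\sample.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "85357230",
     r"c:\documents and settings\all users\application data\85357230\85357230.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SoundMAX",
     r"c:\program files\analog devices\soundmax\smtray.exe"),
]
AUTOSTART_KEYS = (r"\currentversion\run", r"\currentversion\runonce")
SUSPECT_DIRS = [  # drop locations named in the paper, matched on the lower-cased path
    r"\\local settings\\application data\\", r"\\windows\\temp\\",
    r"\\all users\\application data\\",
]

def looks_random(name: str) -> bool:
    """Heuristic (assumption): all-digit names of 6+ chars, or letter-only names of
    8+ chars with a vowel ratio of 25% or less, are treated as machine-generated."""
    stem = name.lower().rsplit(".", 1)[0]
    if stem.isdigit():
        return len(stem) >= 6
    if not stem.isalpha() or len(stem) < 8:
        return False
    return sum(c in "aeiou" for c in stem) / len(stem) <= 0.25

@dataclass
class Finding:
    key: str
    value_name: str
    command: str
    reasons: List[str]

def assess(key: str, value_name: str, command: str) -> Optional[Finding]:
    """Score one entry: drop location counts 2, each random name 1; flag at 2 or more."""
    if not key.lower().endswith(AUTOSTART_KEYS):
        return None
    path = command.strip('"').lower()
    parts = path.split("\\")
    leaf, parent = parts[-1], (parts[-2] if len(parts) > 1 else "")
    reasons, score = [], 0
    if any(re.search(d, path) for d in SUSPECT_DIRS):
        reasons.append("executable in user-profile or temp drop location"); score += 2
    if looks_random(leaf) or looks_random(parent):
        reasons.append("random-looking file or folder name"); score += 1
    if looks_random(value_name):
        reasons.append("random-looking Run value name"); score += 1
    return Finding(key, value_name, command, reasons) if score >= 2 else None

def audit(entries=SAMPLE_ENTRIES) -> List[Finding]:
    # Return a Finding for every entry that matches the FakeAV pattern.
    return [f for f in (assess(*e) for e in entries) if f is not None]
```

On a live system the entries would come from an autostart export (for example, an Autoruns CSV or a registry query) rather than the constructed list; the vendor entry under Program Files is included to show that location alone, not name randomness, drives the score.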
Initiate a fake scan
Once FakeAV is installed, it will usually attempt to contact a remote website over HTTP and will often download the main component. This initiates a fake system scan, in which many non-existent threats are "discovered". The main FakeAV window is often very professionally created, and victims can easily be convinced that they are using a genuine security product. Here are several examples:
[Figures 19 to 23: FakeAV main windows; screenshots are in the appendix]
Once the fake threats have been discovered, users are told they must register or activate the product in order to clean up the threats. Users are taken to a registration website (either through a browser or through the FakeAV application), where they are asked to enter their credit card number and other registration details. These pages are also very convincing, occasionally featuring illegal use of logos and trademarks from industry-recognized organizations such as Virus Bulletin [17] and West Coast Labs [18]:
This example fraudulently uses logos from West Coast Labs and Virus Bulletin:
[Figures 24 to 28: registration pages; screenshots are in the appendix]
Other FakeAV behavior
Certain FakeAV families cause further distress to the victim by interfering with normal system activity. Commonly, this includes disabling the Task Manager and use of the Registry Editor, prohibiting certain processes from running and even redirecting web requests. This behavior further convinces the user that there is a problem on the system and increases the likelihood of a purchase being made. This extra activity can take the form of:
Process termination: Certain programs are prohibited from running by the FakeAV, with a warning message being displayed instead. The FakeAV will generally allow Explorer and Internet Explorer to run, so renaming an executable as explorer.exe or iexplore.exe should allow it to be run.
Web page redirection: Some FakeAV families will redirect web requests for legitimate web sites to an error message or other type of warning message. This adds to the user's fear and, again, makes the user more likely to pay for the FakeAV.
Installation of more malware: FakeAV has been known to download other types of malware upon installation, such as banking Trojans, rootkits and spam bots.
[Figures 29 to 31: screenshots are in the appendix]
Prevention and protection
The most effective defense against the FakeAV threat is a comprehensive, layered security solution. Detection can and should take place at each stage of the infection:
URL filtering: By blocking the domains and URLs from which FakeAV is downloaded, the infection can be prevented from ever happening. Sophos customers are protected by URL filtering in Sophos Web Security and Control [19] and the latest endpoint security product.
Detection of web-based content: This includes detection of the JavaScript and HTML used on FakeAV and fake codec web pages. Detection at this layer prevents the FakeAV binary from being downloaded (e.g., Mal/FakeAvJs, Mal/VidHtml).
Proactive detection of the FakeAV binary: Using Behavioral Genotype technology, many thousands of FakeAV binaries can be detected with a single identity. The number of samples currently detected as variants of Mal/FakeAV and Mal/FakeAle is well in excess of half a million.
Run-time detection: If a FakeAV executable manages to evade the other layers of protection, Sophos's Host Intrusion Prevention System (HIPS) can detect and block the behavior of the FakeAV sample when it tries to execute on the system [20]. HIPS includes rules that specifically target FakeAV.
Spam blocking: Sophos Email Security and Data Protection blocks spam containing FakeAV before a user even sees it [21].
Conclusion
FakeAV is a prevalent and rapidly growing threat. The direct financial benefit gained from FakeAV means that it will not go away; in fact, it will likely become even more widespread.
FakeAV is already distributed through a large number of sources. The variety and inventiveness of its distribution will only increase.
Fortunately, users can protect themselves through a comprehensive and layered security solution that detects and defends against FakeAV at every possible level.
References
1. The Partnerka: What is it, and why should you care? Sophos technical paper, http://www.sophos.com/security/technical-papers/samosseiko-vb2009-paper.html
2. FakeAV Uses False Microsoft Security Updates. SophosLabs blog, http://www.sophos.com/blogs/sophoslabs/?p=8564
3. Free FakeAV at Virus-Total (That's not VirusTotal). SophosLabs blog, http://www.sophos.com/blogs/sophoslabs/?p=8885
4. Phantom app risk used to bait scareware trap. The Register, http://www.theregister.co.uk/2010/01/27/facebook_scareware_scam
5. Scareware scammers exploit 9/11. Sophos blog, http://www.sophos.com/blogs/gc/g/2009/09/11/scareware-scammers-exploit-911
6. FakeAV Generates Own Fake Malware. SophosLabs blog, http://www.sophos.com/blogs/sophoslabs/?p=6377
7. Mal/FakeVirPk-A. Sophos security analysis, http://www.sophos.com/security/analyses/viruses-and-spyware/malfakevirpka.html
8. Poisoned search results: How hackers have automated search engine poisoning attacks to distribute malware. SophosLabs technical paper, http://www.sophos.com/sophos/docs/eng/papers/sophos-seo-insights.pdf
9. Google Trends, http://www.google.com/trends
10. Google Talk used to distribute Fake AV. Sophos blog, http://www.sophos.com/blogs/chetw/g/2010/03/20/google-talk-distribute-fake-av/
11. More fake AV SEO poisoning. SophosLabs blog, http://www.sophos.com/blogs/sophoslabs/?p=6765
12. New York Times pwned to serve scareware pop-ups. The Register, http://www.theregister.co.uk/2009/09/14/nyt_scareware_ad_hack/
13. Scareware Traversing the World via a Web App Exploit. SANS Institute InfoSec Reading Room, http://www.sans.org/reading_room/whitepapers/incident/scareware-traversing-world-web-app-exploit_33333
14. Mal/TDSS-A. Sophos security analysis, http://www.sophos.com/security/analyses/viruses-and-spyware/maltdssa.html
    Troj/Virtum-Gen. Sophos security analysis, http://www.sophos.com/security/analyses/viruses-and-spyware/trojvirtumgen.html
    Mal/WaledPak-A. Sophos security analysis, http://www.sophos.com/security/analyses/viruses-and-spyware/malwaledpaka.html
15. Conficker zombies celebrate activation anniversary. The Register, http://www.theregister.co.uk/2010/04/01/conficker_anniversary/
16. User Account Control Step-by-Step Guide. Microsoft TechNet, http://technet.microsoft.com/en-us/library/cc709691(WS.10).aspx
17. Virus Bulletin, http://www.virusbtn.com/
18. West Coast Labs, http://www.westcoastlabs.com/
19. Sophos Web Security and Control, http://www.sophos.com/products/enterprise/web/security-and-control/
20. Sophos HIPS, http://www.sophos.com/security/sophoslabs/sophos-hips/index.html
21. Sophos Email Security and Data Protection, http://www.sophos.com/products/enterprise/email/security-and-control/
Screenshot appendix
[Figures 1 to 31: screenshots referenced in the text; not reproduced in this text version]
Boston, USA | Oxford, UK
Copyright 2010. Sophos Plc