Your PC is infected

2009-04-01

Gabor Szappanos

VirusBuster, Hungary
Editor: Helen Martin

Abstract

Rogue anti-malware applications have been around for several years, conning and causing confusion among users as well as posing problems for anti‑malware vendors. Gabor Szappanos takes a look at a piece of anti‑virus scamware.


In an article in the January issue of Virus Bulletin [1] I described the threats faced by an average user. One of the most significant of them was the infamous FakeAlert trojan, which is distributed via spam messages and which causes bogus malware warnings in association with rogue security software.

Meanwhile, rogue anti-virus applications and their related malware also posed one of the most significant problems for VirusBuster’s virus lab during the latter half of 2008.

A rose by any other name

Rogue anti-virus applications, or scamware, have been around for some years now. Early instances have already been discussed in detail [2].

Authors of scamware have been very creative in selecting plausible-sounding names for their fake products. Figure 1 displays a list of some of them. One of these, ‘VirusBurst’, proved to be especially problematic for VirusBuster: many customers confused it with our product, and we had to explain time after time that it was not our product that kept popping up asking them for money.

Plausible-sounding names for scamware – is your anti-virus in this list?

Figure 1. Plausible-sounding names for scamware – is your anti-virus in this list? [3]

Another well-known example (at least in Hungary) was an application known as ‘Furko Antivirus’ (Figure 2). It had the same characteristics as contemporary scamware variants:

  • A ‘free’ version of the application was downloadable (even from popular download repositories).

  • It claimed to find a couple of virus samples (on a clean system) in files which did not even exist on the machine.

  • It claimed that, for a $19.95 fee, the full version of the program could be downloaded and would remove the threats it had just identified.

    Figure 2: Precursor of contemporary scamware products.

    Figure 2. Figure 2: Precursor of contemporary scamware products.

It took quite some time for the unsuspecting Hungarian public to realize that there was no real product behind ‘Furko Antivirus’. Our first encounter with the application was in 2005 (although we had heard of its existence prior to that), and only in 2006 did the Hungarian media grasp hold of the fact that it was a scam.

Infiltration

The user’s first encounter with this threat often comes via an email message which contains a download link to the first-stage executable. We have also seen cases of FakeAlert downloader scripts having been injected into non-malicious websites.

In the following sections I will describe the chain of events that occurs following receipt of a FakeAlert variant seeded via email. (The sequence of events may vary from case to case; steps may differ as the contents of download links change.)

Initial trigger: spammed email

As discussed in more detail in [1], the initial vector of this trojan arrives in an email message, typically disguised as an advertisement for pornographic content (Figure 3). The message contains a small amount of text and a hyperlink.

The bait.

Figure 3. The bait.

Clicking on the link leads to a web page displaying the common codec error message and offering the user the opportunity to download an update (Figure 4). This primitive form of social engineering appears to be sufficient for the trojan’s needs – the websites are equipped to host code distribution kits such as Mpack, but it seems it has not proved necessary to bring in the heavy artillery.

The hook.

Figure 4. The hook.

On clicking on the ‘Continue’ button the fake codec is downloaded as view.exe. Once the executable has been downloaded, it deploys an arsenal of psychological warfare to scare the user into paying for the full ‘product’.

View.exe – first stage downloader

View.exe is a rather simple downloader. The code is somewhat obfuscated, but its real purpose is to attempt to download three executables from a website (which at the time of writing is no longer live):

  • http://79.135.167.18/scan4.exe

  • http://79.135.167.18/sl32.exe

  • http://79.135.167.18/gpls32.exe

The first, scan4.exe, is the next stage of the FakeAlert scam. Interestingly, sl32.exe is an Exchanger variant (aka Srizbi – see VB, November 2007, p.5) – I don’t believe it is a coincidence that there is a connection between the spammed FakeAlert variants and one of the world’s largest botnets. We have not yet found an active instance of the gpls32.exe file.

Scan4.exe – start them bugging

Scan4.exe is essentially a dropper, which drops and installs the ‘nagger’ component. This is dropped into the %SYSTEM% folder as ‘braviax.exe’ (occasionally as ‘buritos.exe’), and registers for startup under:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “” = C:\WINDOWS\System32\braviax.exe HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “” = C:\WINDOWS\System32\ braviax.exe

First warning: bubble.

Figure 5. First warning: bubble.

Braviax.exe opens a notify bubble on the taskbar which claims that the system is infected (Figure 5). If the user clicks on the bubble, the trojan will download the next component into %system%winivstr.exe and execute it. It uses the following URL list to download this component:

  • http://virus-quick-scan.com/?wmid=1062&l=12&it=2&s=1

  • http://antispyware-quick-scan.com/?wmid=1062&l=12&it=2&s=1

  • http://spyware-quickscan-2008.com/?wmid=1062&l=12&it=2&s=1

  • http://virus-quickscan-2008.com/?wmid=1062&l=12&it=2&s=1

  • http://spyware-quickscan-2009.com/?wmid=1062&l=12&it=2&s=1

  • http://virus-quickscan-2009.com/?wmid=1062&l=12&it=2&s=1

  • http://antivirus-quick-scan.com/?wmid=1062&l=12&it=2&s=1

Additionally, a rootkit component is dropped onto the system as %SYSTEM%\drivers\figaro.sys (with copies named ‘beep.sys’ in the same folder and in the dllcache folder). This is responsible for terminating a large list of security-product-related processes, and rehooking its components (braviax.exe and karina.dat) in the registry; the first in HKLM\Software\Microsoft\Windows\CurrentVersion\Run and the second one as an Appinit_DLL, making it difficult to remove the complex. Interestingly, if buritos.exe is executed, the Run key is removed (but not the Appinit_DLL).

Scan.exe: third stage disturber

This is the point at which the real psychological warfare begins.

The downloaded third executable stage changes the desktop background to display a large malware warning dialog similar to that shown in Figure 6.

Second warning: your desktop is infected.

Figure 6. Second warning: your desktop is infected.

If the user falls for the scam at this point and chooses to download the full product the URL accessed will be similar to the following:

http://av-xp2008.com/images/*/3a35c64942d7aa9dec056277e50741da/*.gif

(* represents random values)

However, some users will ignore this warning, so in addition, the screensaver is set to the ‘blue screen’ screensaver from Sysinternals, which also mimics a reboot process (Figure 7).

Third warning: blue screen.

Figure 7. Third warning: blue screen.

Our support department received numerous calls from customers complaining that their computer had landed in a continuous crash-reboot stage. In reality, it was this screensaver fooling them.

A VBS script is also dropped and executed, which removes all the system restore points. This disables the trivial removal method, which would be to revert to a known safe restore point before the infection occurred.

Winivstr.exe: buy me or you are doomed

Generally, the malware warning and the blue screen prove more than sufficient to break down the user’s resistance and persuade them to download the recommended application (‘VirusRemover2008’ at the time of collecting the material for this article, but the name of the product is subject to frequent change). Once downloaded, the application claims to find a handful of spyware and trojan instances on the system.

Infection is found on the system.

Figure 8. Infection is found on the system.

Needless to say, this is also the case when run on a clean, freshly installed virtual machine without Internet connectivity. So unless we believe that Microsoft ships trojans with its Windows XP installer packs (we don’t), the claims are false.

In some of the scam AV product installations, legitimate anti-virus data files are downloaded from legitimate locations. Matters took an interesting turn when a company, having earlier been identified as being responsible for one of these scam attempts, approached VirusBuster, making enquiries about licensing our scan engine. Of course, we refused them.

From a support point of view, we receive numerous complaints as a result of the scamware. First, it ‘detects’ infected files on the system that our product has not detected (because they do not really exist on the system). Then, because the users get infected over and over again with the ‘same’ scamware (what the average user is not expected to realize is that, despite having the same application name, the executables behind the scamware change frequently). Finally, when it comes to removing the malicious files, the protecting rootkit component makes it more difficult than usual.

Fake security products and all the malicious components that go along with them to run the schemes have been appearing at a steady pace over recent months. They may not appear in the top half of our prevalence lists, but they are forever burnt into the memories of our user base.

Overall, nothing extremely malicious has happened during the process (if we ignore the fact that the infected PC has been connected to the Srizbi botnet), only a little nuisance. Nothing personal, just business.

Bibliography

[1] Szappanos, G. A day in the life of an average user. Virus Bulletin, January 2009, p.10. http://www.virusbtn.com/pdf/magazine/2009/200901.pdf.

[2] Schouwenberg, R. The (correct) detection of light grey software. Proceedings of the Virus Bulletin International Conference, 2006.

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest articles:

Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects

Aditya Sood & Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited to compromise the C&C panel in order to gather threat intelligence, and present a model of mobile AppInjects.

Cryptojacking on the fly: TeamTNT using NVIDIA drivers to mine cryptocurrency

TeamTNT is known for attacking insecure and vulnerable Kubernetes deployments in order to infiltrate organizations’ dedicated environments and transform them into attack launchpads. In this article Aditya Sood presents a new module introduced by…

Collector-stealer: a Russian origin credential and information extractor

Collector-stealer, a piece of malware of Russian origin, is heavily used on the Internet to exfiltrate sensitive data from end-user systems and store it in its C&C panels. In this article, researchers Aditya K Sood and Rohit Chaturvedi present a 360…

Fighting Fire with Fire

In 1989, Joe Wells encountered his first virus: Jerusalem. He disassembled the virus, and from that moment onward, was intrigued by the properties of these small pieces of self-replicating code. Joe Wells was an expert on computer viruses, was partly…

Run your malicious VBA macros anywhere!

Kurt Natvig wanted to understand whether it’s possible to recompile VBA macros to another language, which could then easily be ‘run’ on any gateway, thus revealing a sample’s true nature in a safe manner. In this article he explains how he recompiled…


Bulletin Archive

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.