2009-04-01
Abstract
Rogue anti-malware applications have been around for several years, conning and causing confusion among users as well as posing problems for anti‑malware vendors. Gabor Szappanos takes a look at a piece of anti‑virus scamware.
Copyright © 2009 Virus Bulletin
In an article in the January issue of Virus Bulletin [1] I described the threats faced by an average user. One of the most significant of them was the infamous FakeAlert trojan, which is distributed via spam messages and which causes bogus malware warnings in association with rogue security software.
Meanwhile, rogue anti-virus applications and their related malware also posed one of the most significant problems for VirusBuster’s virus lab during the latter half of 2008.
Rogue anti-virus applications, or scamware, have been around for some years now. Early instances have already been discussed in detail [2].
Authors of scamware have been very creative in selecting plausible-sounding names for their fake products. Figure 1 displays a list of some of them. One of these, ‘VirusBurst’, proved to be especially problematic for VirusBuster: many customers confused it with our product, and we had to explain time after time that it was not our product that kept popping up asking them for money.
Figure 1. Plausible-sounding names for scamware – is your anti-virus in this list? [3]
Another well-known example (at least in Hungary) was an application known as ‘Furko Antivirus’ (Figure 2). It had the same characteristics as contemporary scamware variants:
A ‘free’ version of the application was downloadable (even from popular download repositories).
It claimed to find a couple of virus samples (on a clean system) in files which did not even exist on the machine.
It claimed that, for a $19.95 fee, the full version of the program could be downloaded and would remove the threats it had just identified.
It took quite some time for the unsuspecting Hungarian public to realize that there was no real product behind ‘Furko Antivirus’. Our first encounter with the application was in 2005 (although we had heard of its existence prior to that), and only in 2006 did the Hungarian media grasp hold of the fact that it was a scam.
The user’s first encounter with this threat often comes via an email message which contains a download link to the first-stage executable. We have also seen cases of FakeAlert downloader scripts having been injected into non-malicious websites.
In the following sections I will describe the chain of events that occurs following receipt of a FakeAlert variant seeded via email. (The sequence of events may vary from case to case; steps may differ as the contents of download links change.)
As discussed in more detail in [1], the initial vector of this trojan arrives in an email message, typically disguised as an advertisement for pornographic content (Figure 3). The message contains a small amount of text and a hyperlink.
Clicking on the link leads to a web page displaying the common codec error message and offering the user the opportunity to download an update (Figure 4). This primitive form of social engineering appears to be sufficient for the trojan’s needs – the websites are equipped to host code distribution kits such as Mpack, but it seems it has not proved necessary to bring in the heavy artillery.
On clicking on the ‘Continue’ button the fake codec is downloaded as view.exe. Once the executable has been downloaded, it deploys an arsenal of psychological warfare to scare the user into paying for the full ‘product’.
View.exe is a rather simple downloader. The code is somewhat obfuscated, but its real purpose is to attempt to download three executables from a website (which at the time of writing is no longer live):
http://79.135.167.18/scan4.exe
http://79.135.167.18/sl32.exe
http://79.135.167.18/gpls32.exe
The first, scan4.exe, is the next stage of the FakeAlert scam. Interestingly, sl32.exe is an Exchanger variant (aka Srizbi – see VB, November 2007, p.5) – I don’t believe it is a coincidence that there is a connection between the spammed FakeAlert variants and one of the world’s largest botnets. We have not yet found an active instance of the gpls32.exe file.
Scan4.exe is essentially a dropper, which drops and installs the ‘nagger’ component. This is dropped into the %SYSTEM% folder as ‘braviax.exe’ (occasionally as ‘buritos.exe’), and registers for startup under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “” = C:\WINDOWS\System32\braviax.exe HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “” = C:\WINDOWS\System32\ braviax.exe
Braviax.exe opens a notify bubble on the taskbar which claims that the system is infected (Figure 5). If the user clicks on the bubble, the trojan will download the next component into %system%winivstr.exe and execute it. It uses the following URL list to download this component:
http://virus-quick-scan.com/?wmid=1062&l=12&it=2&s=1
http://antispyware-quick-scan.com/?wmid=1062&l=12&it=2&s=1
http://spyware-quickscan-2008.com/?wmid=1062&l=12&it=2&s=1
http://virus-quickscan-2008.com/?wmid=1062&l=12&it=2&s=1
http://spyware-quickscan-2009.com/?wmid=1062&l=12&it=2&s=1
http://virus-quickscan-2009.com/?wmid=1062&l=12&it=2&s=1
http://antivirus-quick-scan.com/?wmid=1062&l=12&it=2&s=1
Additionally, a rootkit component is dropped onto the system as %SYSTEM%\drivers\figaro.sys (with copies named ‘beep.sys’ in the same folder and in the dllcache folder). This is responsible for terminating a large list of security-product-related processes, and rehooking its components (braviax.exe and karina.dat) in the registry; the first in HKLM\Software\Microsoft\Windows\CurrentVersion\Run and the second one as an Appinit_DLL, making it difficult to remove the complex. Interestingly, if buritos.exe is executed, the Run key is removed (but not the Appinit_DLL).
This is the point at which the real psychological warfare begins.
The downloaded third executable stage changes the desktop background to display a large malware warning dialog similar to that shown in Figure 6.
If the user falls for the scam at this point and chooses to download the full product the URL accessed will be similar to the following:
http://av-xp2008.com/images/*/3a35c64942d7aa9dec056277e50741da/*.gif
(* represents random values)
However, some users will ignore this warning, so in addition, the screensaver is set to the ‘blue screen’ screensaver from Sysinternals, which also mimics a reboot process (Figure 7).
Our support department received numerous calls from customers complaining that their computer had landed in a continuous crash-reboot stage. In reality, it was this screensaver fooling them.
A VBS script is also dropped and executed, which removes all the system restore points. This disables the trivial removal method, which would be to revert to a known safe restore point before the infection occurred.
Generally, the malware warning and the blue screen prove more than sufficient to break down the user’s resistance and persuade them to download the recommended application (‘VirusRemover2008’ at the time of collecting the material for this article, but the name of the product is subject to frequent change). Once downloaded, the application claims to find a handful of spyware and trojan instances on the system.
Needless to say, this is also the case when run on a clean, freshly installed virtual machine without Internet connectivity. So unless we believe that Microsoft ships trojans with its Windows XP installer packs (we don’t), the claims are false.
In some of the scam AV product installations, legitimate anti-virus data files are downloaded from legitimate locations. Matters took an interesting turn when a company, having earlier been identified as being responsible for one of these scam attempts, approached VirusBuster, making enquiries about licensing our scan engine. Of course, we refused them.
From a support point of view, we receive numerous complaints as a result of the scamware. First, it ‘detects’ infected files on the system that our product has not detected (because they do not really exist on the system). Then, because the users get infected over and over again with the ‘same’ scamware (what the average user is not expected to realize is that, despite having the same application name, the executables behind the scamware change frequently). Finally, when it comes to removing the malicious files, the protecting rootkit component makes it more difficult than usual.
Fake security products and all the malicious components that go along with them to run the schemes have been appearing at a steady pace over recent months. They may not appear in the top half of our prevalence lists, but they are forever burnt into the memories of our user base.
Overall, nothing extremely malicious has happened during the process (if we ignore the fact that the infected PC has been connected to the Srizbi botnet), only a little nuisance. Nothing personal, just business.
[1] Szappanos, G. A day in the life of an average user. Virus Bulletin, January 2009, p.10. http://www.virusbtn.com/pdf/magazine/2009/200901.pdf.