A piece of VUNDO history: the first variant we have seen in the wild was TROJ_VUNDO.A (Sept 6, 2004, almost 4 years ago). It is capable of monitoring IE activities such as visited Web sites and sending data to a remote Web site. These data are used for advertising and marketing activities.
Nobody expected it to still be alive now and used as a component of chain infection.
Below are actual numbers of different VUNDO detections that we have:
Some associated URLs:
Some known rogue antivirus products that could be automatically installed or advertised on an affected system are: Wintools, HuntBar, BargainBuddy, Toolbar888, Altnet, BrillantDigital, Points Manager, E2Give, AdawareDelete, AlfaCleaner, AdwareBazooka, Antivirus Pro, BreakSpyware, SpyCut, CurePcSolution, DriveCleaner 2006, ErrorSafe, PerfectCleaner, ExpertAntivirus, SpyAway, AdwareSheriff, SystemStable.
VUNDO variants have different payloads depending on the nature if infection:
The user visits a malicious Web site and gets infected by a DLL file VUNDO variant. This DLL then registers itself as a Browser Helper Object (BHO) to run every time Internet Explorer is opened. This will be used to redirect you to a rogue antivirus download page.
The dropped DLL VUNDO variant injects into WINLOGON.EXE and EXPLORER.EXE for memory residency and prevents easy detection and removal. Once injected into those 2 processes, it monitors running processes before downloading other possible malicious files in the affected system. The possible monitored processes are mostly antivirus-related processes. It could also terminate the file GCASSERVALERT.EXE that serves as a Microsoft AntiSpyware application. In this case, there is no rogue antivirus installation or advertisement.
We can sort VUNDO variants into the following:
- Installing BHOs
- For advertisement
- Injection of dlls into processes
- Monitor Processes
- Download other malware
- Monitor IE activities
- Advertisement, pop ups -> money
- Install rogue AV -> money
Money is once again the motive behind this. Of course, most of the rogue AV product installed by VUNDO exaggerates the number of detection on the system to entice the user to buy their products which is around $50. When you know that this software is not detecting cleaning anything it is for sure expensive for what it is doing.
The industry of rogue AV products is increasing, VUNDO is not the only malware with this purpose, ZLOB well known for fake codec video also has variants that are able to display/install rogue products. ZLOB might also be associated to the also well-known RBN network. Another malware in this scene is RENOS which also displays a fake virus alert in order to download and install rogue AV product. Therefore, by having three different families that have the same aim, which is money, the probability to be hit by this kind of malware is increasing as well.
An example would be TROJ_ZLOB.ZYA acting as fake codec for an adult video that will install a rogue AV named Virus Heat, scan your system and tell you that 99 threats have been found and ask you to buy it online for $50. It will also display an advertisement for AntiVir Protect.
Here are some screenshots:
Here are some advertisements for other rogue AV products: