Rogue antivirus programs continue to plague our customers, as submissions this September echoed August’s top malware profile. FAKEAV variants and components victimized users from all over the world. These threats are still among the most common case submissions we have been receiving, even just two weeks into September.
Rogue AV attacks’ sophisticated modus operandi starts with the surreptitious downloading of a seemingly legitimate file via one of several possible infection vectors. So far we’ve seen actual rogue AV attacks that begin with:
- Spammed email messages (ecards) containing malicious links
- Instant messaging applications where links are sent as messages
- Private messages on social networking sites
- Fake codecs offered for videos hosted on social networking sites
- Downloads by malware from a prior infection
- Mass SEO poisoning involving several compromised Web sites
What happens from that point onward may vary, but the objective remains the same: to convince users, through a variety of system modifications and invasive warning signals, that something is wrong with their PCs. These scare tactics include showing fake Windows popup balloons, replacing the PC’s wallpaper with an alarming message, and performing an unsolicited system scan that yields worrying scan results.
Here we highlight two of the latest attacks we’ve seen, both multi-component in nature, which have presented unique difficulties in terms of cleanup. While it is difficult to determine whether these rogue AV programs, WinAntispyware 2008 and Antivirus XP 2008, are related to the spate of Antivirus 2009 attacks seen in August, their prevalence this September suggests that it is time to pay these types of attacks the attention they deserve.
Both require the user to have clicked on a link or opened an attachment that led to the download of a Trojan dropper onto their system. TROJ_FAKEAV.RIT follows the more conservative path, as it depends on an Internet connection to see the attack through to its end. It first drops some files, some of which run at restart to download another file from the Internet. This file is not the rogue AV yet; it is just a program that displays a fake popup saying that the system is infected. It is when the user clicks on the popup balloon that the rogue AV continues the rest of the show: displaying a fake security console GUI, performing a fake scan, and showing fake results, all to convince the user to purchase a full version.
Losing $50 for a fake program is bad enough, but victims should be worried about losing much, much more. After all, once hackers get their hands on credit card information, there is no telling what risks are in store for victims.
Figure 1. WinAntispyware 2008 product purchase page
The second notable attack we’ve seen is by TROJ_FAKEAV.IE, notable because of its more wholesale approach to delivering the attack. Instead of relying on an Internet connection every step of the way, all it takes to risk an infection from this program is the download of the Trojan dropper TROJ_FAKEALER.DQ. This dropper gives its all: files to help scare the user, like a wallpaper and a screensaver, and even the rogue AV program itself. Perhaps the mind behind this attack wants to take as much advantage as it can of its foot in the door.
It modifies the system’s wallpaper and screensaver settings, so the first thing the user will notice is that his/her desktop image has changed. If he decides to investigate, he will see that the Desktop and Screensaver tabs of the Desktop Properties dialog are missing. A few seconds into suspecting that something is wrong, a EULA comes out of nowhere.
Figure 2. Antivirus XP 2008 Fake EULA
If the user clicks on Agree and Install (after all, the EULA looks like most program EULAs, which people do not really read), the system immediately conducts a system scan and shows a fake scan results page. After this, the browser opens a window where the user is asked to give his contact information.
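The desktop tampering described above (swapped wallpaper and screensaver, hidden Desktop and Screensaver tabs, dropped files that run at restart) leaves traces in the per-user registry that a responder can check without running the sample. The following read-only triage script is an added example, not code from the original post or from Trend Micro; the Windows policy and desktop value names it queries are standard, but the choice of user-writable directories as the suspicion criterion is an assumption, not an indicator taken from the post.

```powershell
# Added example: read-only triage of per-user desktop settings for rogue AV tampering.
# Value names are standard Windows settings; the "user-writable path" heuristic is an assumption.
$PolicyKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$DesktopKey = 'HKCU:\Control Panel\Desktop'
$RunKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
# Directories a dropper running as the user can write to without elevation.
$UserWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null instead of throwing when the key or value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-UserWritablePath([string]$Value) {
    if (-not $Value) { return $false }
    # Strip surrounding quotes and trailing arguments to get the bare file path.
    $file = ($Value -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.(exe|scr|bmp|jpg)).*$', '$1'
    # Windows itself caches the active wallpaper under AppData; do not flag that.
    if ($file -match '\\Microsoft\\Windows\\Themes\\') { return $false }
    foreach ($dir in $UserWritable) {
        if ($dir -and $file.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$Findings = New-Object System.Collections.Generic.List[string]

# 1. Policy values that hide the Desktop and Screen Saver tabs of the Display Properties dialog.
foreach ($name in 'NoDispBackgroundPage', 'NoDispScrSavPage') {
    if ((Get-RegValue $PolicyKey $name) -eq 1) {
        $Findings.Add("$name is set: the corresponding Display Properties tab is hidden")
    }
}

# 2. Wallpaper or screensaver pointing at a file the dropper could have written.
foreach ($name in 'Wallpaper', 'SCRNSAVE.EXE') {
    $value = Get-RegValue $DesktopKey $name
    if (Test-UserWritablePath $value) { $Findings.Add("$name points to a user-writable path: $value") }
}

# 3. Per-user autostart entries (the "runs at restart" stage) launching from user-writable paths.
$runEntries = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($runEntries) {
    foreach ($p in $runEntries.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata properties
        if (Test-UserWritablePath $p.Value) { $Findings.Add("Run entry '$($p.Name)' -> $($p.Value)") }
    }
}

if ($Findings.Count -eq 0) { 'No desktop-tampering indicators found.' } else { $Findings }
```

Run it in the affected user's session; a hit on any of the three checks is a reason to collect the referenced files for analysis rather than proof of infection on its own.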
Figure 3. Antivirus XP 2008 product purchase discount page
The attacker might have a slightly different intention, but the attack’s risks are no less dangerous. By obtaining the victims’ name, phone number and email address, hackers can steal user identities and perform social engineering attacks using the victims’ credentials. Email addresses can be sold to spammers as active accounts.
Here is a visual presentation of what a typical attack may look like:
Related blog posts:
- News Videos, Anyone?
- Paris Hilton Hits the Rogue AV Scene
- Spammed SWF URLs Abuse ImageShack, Lead to Rogue AV
- A Million Search Strings to Get Infected
Trend Micro Smart Protection Network, a next generation cloud-client security infrastructure, effectively protects our users from harmful, multi-component and intricate Web threats such as these. It combines in-the-cloud technologies with smaller, lighter-weight clients, giving users immediate access to the latest protection.