Stopping Fake Antivirus: How to Keep Scareware off Your Network

A Sophos White Paper - September 2011

Fake antivirus is one of the most frequently encountered threats on the web today. Also known as rogue antivirus, rogues, or scareware, fake antivirus uses social engineering to lure users to malicious sites and scare them into paying for fake threat removal tools.

This paper provides insight into where fake antivirus comes from and how it is distributed, what happens when a system is infected with fake antivirus, and how to stop this persistent threat from infecting your network and your users.


What is fake antivirus?

Fake antivirus is fake security software which pretends to find dangerous security threats such as viruses on your computer. The initial scan is free, but if you want to clean up the fraudulently-reported threats, you need to pay.

This class of malware displays false alert messages to computer users concerning threats on their machines (but these threats do not really exist). The alerts will prompt users to visit a website where they will be asked to pay for these non-existent threats to be cleaned up. The fake antivirus malware will continue to send these annoying and intrusive alerts until a payment is made or the malware is removed.

This paper provides insight into where fake antivirus comes from, what happens when a system is infected with fake antivirus, and how users can protect themselves from fake antivirus.

Why is fake antivirus so popular among cybercriminals? It is a huge revenue source. Compared to other classes of malware such as bots, backdoor Trojans, downloaders and password stealers, fake antivirus draws the victim into handing money over directly to the malware author. Victims typically pay around $120 via credit card for the junk software that will supposedly fix the problem.

Fake antivirus is also associated with a thriving affiliate network community that makes large amounts of money by driving traffic toward the stores of their partners [1]. Individual affiliates can quickly generate income because distribution networks pay affiliates between $25 and $35 simply to do lead generation by infecting additional computers.


At SophosLabs, we are seeing new and different types of fake antivirus emerging. Macs are now a major target, including Mac-targeted social engineering being used from the bait through to the malware. We have been carefully tracking the developments in the Mac OS X malware community, and have concluded that fake antivirus for Macs is advancing fast and taking many cues from the Windows malware scene. Hackers are also using image and image search poisoning in addition to trending topics to infect users with fake antivirus. In addition, SophosLabs is seeing prolific rebranding of fake antivirus names to confuse users and elude detection.

Typical signs of infection

Fake antivirus usually uses a large array of social engineering techniques to get itself installed. Campaigns have included:

- Fake Windows Security Updates [2]
- Fake Virus-Total pages [3]
- Fake Facebook app [4]
- 9/11 scams [5]

Once on a system, there are many common themes in its behavior:

Popup warnings

Many fake antivirus families will display popup messages (see fig.1-5).

[Fig.1-5: examples of fake antivirus popup warnings]


Fake scanning

The fake antivirus will typically pretend to scan the computer and find non-existent threats, sometimes creating files full of junk that will then be detected [6] (see fig.6-8).

Fake antivirus uses an enormous range of convincing names to add to the illusion of legitimacy, such as:

- Security Shield
- Windows XP Recovery
- Security Tool
- Internet Defender
- PC Security Guardian
- BitDefender 2011
- Security Defender
- Antimalware Tool
- Smart Internet Protection
- AntiVirus AntiSpyware 2011
- Malware Protection
- XP Security 2012
- Security Protection
- XP Antivirus 2012
- XP Anti-Spyware 2011
- MacDefender
- Mac Security

There can be many thousands of variants for each family as techniques such as server-side polymorphism are used heavily to alter the fake antivirus executable. This is a process whereby the executable is re-packaged offline and a different file is delivered when a download request is made. This can happen many times during a 24-hour period. One particular family that calls itself Security Tool [7] has been known to produce a different file nearly every minute. This is how a single family can have such large numbers of samples. Many families will also share a common code base underneath the polymorphic packer, where the application is simply re-skinned with a different look and feel but the behavior remains the same.

[Fig.6-8: fake scanning windows]


Infection vectors

How do people get infected with fake antivirus?

Although there are many different ways that a specific fake antivirus may get onto a system, the majority of distribution avenues rely on social engineering. Ultimately, the user is tricked into running the fake antivirus installer executable in a way similar to many other types of Trojans. Fake antivirus authors have used a huge range of different social engineering tricks and are continuing to come up with new ones all the time.

In this paper, we review several main sources of fake antivirus infection:

- Search engine optimization poisoning
- Email spam campaigns
- Compromised websites and exploit payloads
- Fake antivirus downloads by other malware

Search engine optimization poisoning

A very common source of fake antivirus infection is clicking on links received from popular search engines while searching for topical terms. Fake antivirus authors ensure that links leading to fake antivirus download sites will feature prominently in search results by using Black Hat SEO techniques [8]. These poisoned results will redirect users to a fake antivirus-controlled website that displays a fake scanning page, informing them that their computer is infected and they must download a program to clean it up. Alternatively, a fake movie download page may be displayed, where users are prompted to download a codec in order to view the movie. This codec is in fact a fake antivirus installer.

Google Trends is a service provided by Google that highlights popular search terms entered into its search engine. Here is an example of how search terms taken from Google Trends are poisoned by fake antivirus authors. Let's do a search for pages containing terms from Hot Searches (see fig.9).

[Fig.9: Google Trends Hot Searches]


Picking several of the terms and performing a search for them will produce several poisoned results (see fig.10). Clicking on these links takes users to a fake scanning page, where they are told they have multiple infections and need to download a program to remove the threats (see fig.11-13).

[Fig.10: poisoned search results]

[Fig.11-13: fake scanning pages reached from the poisoned results]

Or, users are taken to a fake movie download page where they are told they need to download a codec to view the movie (see fig.14, 15). In each case, users are tricked into downloading and running an unknown executable, which is the fake antivirus installer.

[Fig.14-15: fake movie download pages prompting for a codec]


Spam campaigns

Fake antivirus is often sent directly to the victim as an attachment or as a link in a spam message. The message is predominantly sent through email, but other forms of spam have also been observed to deliver fake antivirus, such as instant messaging applications including Google Talk [10]. The spam message itself usually uses social engineering techniques to trick users into running the attached file or clicking on the link. Specific campaigns vary and include password reset, failed delivery message and "You have received an ecard" scams.

Examples of email spam campaigns spreading fake antivirus include:

- Account suspension scams: Victims receive an email message suggesting access to a specific account has been terminated and they need to run the attached file to fix the issue (see fig.16).
- Ecard scams: An email is received purporting to be from a legitimate ecard company. In fact, a fake antivirus installer is attached (see fig.17).
- Password reset scams: Victims receive a message supposedly from a popular website, informing them that their password has been reset and the new one is in the attached file (see fig.18).
- Package delivery scam: Details of a (fictitious) recent postal delivery are included in an attached file. In reality, the attachment will install fake antivirus (see fig.19).

[Fig.16-19: sample spam messages for the four campaigns above]


Compromised websites and exploit payloads

Users can sometimes be sent to fake antivirus websites by browsing legitimate websites that have been compromised, where malicious code has been injected into the page. This can be achieved by penetrating the target website's hosting server and appending (typically) JavaScript to HTML pages hosted there. This redirect code can be used to send the browser to any type of malware hosting page including exploit kits and fake antivirus. This JavaScript code is almost always heavily obfuscated, and Sophos detects this type of malware as variants of Troj/JSRedir [11].

SophosLabs has also seen hackers compromise legitimate web-based advertising feeds to ensure that malicious code is loaded instead. This may take the form of an exploit that downloads and executes a fake antivirus binary as the payload or a simple iframe that redirects the browser to a fake antivirus web page [12, 13].
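As an added illustration that is not part of the Sophos paper, the following Python triage script applies the indicators just described to a constructed HTML page: script or iframe elements appended after the closing </html> tag, obfuscation calls such as eval/unescape with long percent-encoded strings, and zero-size or hidden iframes. The sample page, its script and the placeholder domain are all constructed for the example.

```python
import re

# Constructed sample page (not from the paper): a complete HTML document with
# the two injection patterns the paper describes appended after </html>:
# an obfuscated script and a zero-size, hidden iframe. The domain is a placeholder.
SAMPLE_HTML = """<html><head><title>Company news</title>
<script src="/static/app.js"></script></head>
<body><h1>Welcome</h1><p>Quarterly results are in.</p></body></html>
<script>eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65"));</script>
<iframe src="http://redirect.example.invalid/x.php" width="0" height="0" style="display:none"></iframe>
"""

# Regex-based extraction is enough for a triage pass over static pages.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I | re.S)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')
OBFUSCATION_TOKENS = ("eval(", "unescape(", "fromcharcode", "document.write(")
ENCODED_RUN = re.compile(r"(%[0-9a-f]{2}){8,}|(\\x[0-9a-f]{2}){8,}", re.I)


def trailing_offset(html):
    """Offset just past the closing </html> tag, or None if there is none.
    Content after that point was appended to an otherwise complete page."""
    m = re.search(r"</html\s*>", html, re.I)
    return m.end() if m else None


def script_findings(html, end):
    """Flag scripts that sit after </html> or carry obfuscation markers."""
    out = []
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        reasons = []
        if end is not None and m.start() >= end:
            reasons.append("after </html>")
        hits = [t for t in OBFUSCATION_TOKENS if t in body.lower()]
        if hits:
            reasons.append("obfuscation: " + ", ".join(hits))
        if ENCODED_RUN.search(body):
            reasons.append("long encoded string")
        if reasons:
            out.append(("script", m.start(), reasons))
    return out


def iframe_findings(html, end):
    """Flag iframes that sit after </html>, are zero-size, or are hidden."""
    out = []
    for m in IFRAME_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        reasons = []
        if end is not None and m.start() >= end:
            reasons.append("after </html>")
        if attrs.get("width") == "0" or attrs.get("height") == "0":
            reasons.append("zero-size")
        if "display:none" in attrs.get("style", "").replace(" ", "").lower():
            reasons.append("hidden")
        if reasons:
            reasons.append("src=" + attrs.get("src", "?"))
            out.append(("iframe", m.start(), reasons))
    return out


def scan(html):
    """Return (element, offset, reasons) for every suspicious script or iframe."""
    end = trailing_offset(html)
    return script_findings(html, end) + iframe_findings(html, end)


if __name__ == "__main__":
    for kind, pos, reasons in scan(SAMPLE_HTML):
        print(f"{kind} at offset {pos}: {'; '.join(reasons)}")
```

The legitimate `/static/app.js` script inside the body produces no finding; only the two appended elements are reported.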

Fake antivirus downloads by other malware

Fake antivirus can be downloaded onto a machine by other types of malware. SophosLabs maintains many honeypot machines that are seeded with different malware, in order to observe their behavior and ensure protection is maintained when new variants are downloaded. We have seen several families install fake antivirus onto an infected machine, most notably TDSS, Virtumundo and Waled [14]. The infamous Conficker worm was also observed to install fake antivirus onto infected computers [15]. In this way, a hacker that has infected a computer with TDSS or Virtumundo can extract more money from victims by forcing them to pay for fake antivirus.

In addition, a pay-per-install model exists where hackers are paid to infect users' computers. In this system, a hacker controls a victim's computer (using TDSS or similar), and is paid by the fake antivirus producer to install the fake antivirus on the infected computer.


Fake antivirus families

We now explain in more detail the behavior of fake antivirus once it has made its way onto a target system.

Registry installation

Fake antivirus's typical behavior is to copy the installer to another location on the system and create a registry entry that will run the executable on system startup. The installer is often copied into the user's profile area (e.g., C:\Documents and Settings\\Local Settings\Application Data), or into the temporary files area (e.g., c:\windows\temp) with a randomly generated file name. This makes the fake antivirus UAC-compliant on Windows machines that have UAC [16] enabled, thus avoiding a UAC warning popping up during installation. However, some families still do not care about UAC and still create their files in the Program Files or Windows folders.

A run key entry is then created in the registry that will run the file when the system starts up. Typically, this will be added to one of the following:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Examples (key, value name, command):

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    wpkaruv = c:\documents and settings\\local settings\application data\tqaxywicl\chgutertssd.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    CUA = c:\windows\temp\sample.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    85357230 = c:\documents and settings\all users\application data\85357230\85357230.exe
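As an added example that is not part of the paper, the Python audit below runs over a constructed list of Run/RunOnce values modelled on the entries above. It flags commands that launch from the user-writable drop locations the paper names (profile Application Data, Temp) and, for those, notes random-looking directory, file and value names as a supporting signal. The entries, the `<user>` placeholder standing in for a profile name, and the two benign contrast rows are all constructed.

```python
import re

# Constructed sample of autorun values (not from the paper's data) in the form
# (key, value name, command). The first three mirror the registry examples in the
# paper, with "<user>" standing in for the profile name; the last two are
# benign-looking entries added for contrast.
SAMPLE_ENTRIES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "wpkaruv",
     r"c:\documents and settings\<user>\local settings\application data\tqaxywicl\chgutertssd.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "CUA",
     r"c:\windows\temp\sample.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "85357230",
     r"c:\documents and settings\all users\application data\85357230\85357230.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon",
     r"c:\windows\system32\ctfmon.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Acrobat Assistant",
     r"c:\program files\adobe\acrobat\acrotray.exe"),
]

# User-writable drop locations the paper names (profile Application Data, Temp).
SUSPECT_DIRS = (
    "\\local settings\\application data\\",
    "\\application data\\",
    "\\windows\\temp\\",
    "\\temp\\",
)
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")
VOWELS = set("aeiou")


def looks_random(name):
    """Heuristic for generated names: all digits, few vowels, or a long consonant
    run. Noisy on its own (e.g. 'ctfmon'), so it is only a supporting signal."""
    stem = name.lower().rsplit(".", 1)[0]
    if stem.isdigit():
        return True
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 5:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(r) for r in CONSONANT_RUN.findall(stem)), default=0)
    return vowel_ratio < 0.3 or longest_run >= 5


def audit_entry(key, value_name, command):
    """Return the reasons an autorun entry deserves review; empty list if none."""
    if not key.lower().endswith(("\\run", "\\runonce")):
        return []
    path = command.lower().strip('"')
    reasons = []
    for d in SUSPECT_DIRS:
        if d in path:
            reasons.append("launches from user-writable location " + d.strip("\\"))
            break
    if not reasons:          # location is the primary signal; names alone are too noisy
        return []
    parts = path.rsplit("\\", 2)          # [..., parent directory, file name]
    parent = parts[-2] if len(parts) > 1 else ""
    for label, name in (("value name", value_name), ("directory", parent), ("file name", parts[-1])):
        if looks_random(name):
            reasons.append(f"random-looking {label} '{name}'")
    return reasons


def audit(entries):
    """Return (key, value name, reasons) for every entry that needs review."""
    flagged = []
    for key, value_name, command in entries:
        reasons = audit_entry(key, value_name, command)
        if reasons:
            flagged.append((key, value_name, reasons))
    return flagged


if __name__ == "__main__":
    for key, value_name, reasons in audit(SAMPLE_ENTRIES):
        print(f"{key}\\{value_name}: " + "; ".join(reasons))
```

The two benign rows (ctfmon under system32, Acrobat under Program Files) are not reported, even though "ctfmon" alone would trip the name heuristic; the paper notes that some families do write to Program Files or Windows, which this location check would miss.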


Initiate a fake scan

Once fake antivirus is installed, it will usually attempt to contact a remote website over HTTP and will often download the main component. This will initiate a fake system scan, where many non-existent threats will be discovered. The main fake antivirus window is often very professionally created and victims can easily be convinced that they are using a genuine security product (see fig.20-25).

[Fig.20-25: fake antivirus main windows and fake scan results]


Once the fake threats have been discovered, users are told they must register or activate the product in order to clean up the threats. Users are taken to a registration website (either through a browser or through the fake antivirus application), where they are asked to enter their credit card number and other registration details. These pages are also very convincing, occasionally featuring illegal use of logos and trademarks from industry-recognized organizations such as Virus Bulletin [17] and West Coast Labs [18] (see fig.26-31).

[Fig.26-31: fake antivirus registration and payment pages]


Other fake antivirus behavior

Certain fake antivirus families cause further distress to the victim by interfering with normal system activity. Commonly, this includes disabling the Task Manager and use of the Registry Editor, prohibiting certain processes from running and even redirecting web requests. This behavior further convinces the user that there is a problem on the system and increases the likelihood of a purchase being made. This extra activity can take the form of:

- Process termination: Certain programs are prohibited from running by the fake antivirus, with a warning message being displayed instead (see fig. 32, 33). The fake antivirus will generally allow Explorer and Internet Explorer to run, so renaming an executable as explorer.exe or iexplore.exe should allow it to be run.
- Web page redirection: Some fake antivirus families will redirect web requests for legitimate websites to an error message or other type of warning message. This adds to the user's fear and, again, makes the user more likely to pay for the fake antivirus (see fig.34).
- Installation of more malware: Fake antivirus has been known to download other types of malware upon installation, such as banking Trojans, rootkits and spam bots.

[Fig.32-34: process termination warnings and a web redirection message]

Prevent and protect

There are many ways to stop fake antivirus: on the web, in email, and in your endpoint security. Malware is complex, and protecting the corporate IT environment is a full-time job. Antivirus software is just the beginning. A solid defense is needed to reduce the risk to your business by protecting all routes of attack.

The most effective defense against the fake antivirus threat is a comprehensive, layered security solution. Detection can and should take place at each stage of the infection:

- Reduce the attack surface
- Protect everywhere
- Stop the attack
- Keep people working
- Educate users


Here's how you can create this type of layered defense:

Reduce the attack surface

To reduce the attack surface, Sophos filters URLs and blocks spam to prevent fake antivirus from reaching users. By blocking the domains and URLs from which fake antivirus is downloaded, the infection can be prevented from ever happening. Sophos customers are protected by URL filtering in Sophos Web Security and Control [19] and the latest endpoint security product. Sophos Email Security and Data Protection blocks spam containing fake antivirus before a user even sees it [20].

Protect everywhere

But protection needs to go further, and Sophos does this with endpoint web protection, live protection and firewall protection. Sophos Endpoint Security and Control detects web-based content, including the JavaScript and HTML used on fake antivirus and fake codec web pages. Detection at this layer prevents the fake antivirus files from being downloaded (e.g., Mal/FakeAVJs, Mal/VidHtml).

In addition, Sophos Live Protection enables the Sophos Endpoint Security and Control product to query SophosLabs directly when it encounters a suspicious file in order to determine whether the file is fake antivirus, or any other malware. This enables the automatic blocking of new and emerging malware outbreaks in real time, before the malware has a chance to run. This immediate access lets you close the window between the time SophosLabs finds out about an attack and when users are protected.

Firewall protection means that the Sophos Client Firewall can be configured to block outgoing connections from unknown programs to prevent fake antivirus from calling home to receive updated downloads, or to send back a victim's credit card information.

Stop the attack

Stopping the attack involves your anti-malware software, ongoing updating and patching efforts, and run-time detection. To proactively detect the fake antivirus file, our Sophos antivirus agent delivers complete protection, plus low-impact scans that detect malware, adware, suspicious files and behavior, and unauthorized software. Using Behavioral Genotype technology, many thousands of fake antivirus files can be detected with a single identity. The number of samples currently detected as variants of Mal/FakeAV and Mal/FakeAle is well in excess of half a million.

Of course, updating and patching are also important to keep anti-malware software up to date, and apply at all levels of protection. Antivirus software must be kept up to date using automatic updating to ensure that the latest protection is provided at all times. Other software such as the operating system and commonly used applications, for example Adobe Reader, should be patched to ensure that they do not introduce security weaknesses. Static defenses are not going to keep up with the new variations; attacks change all the time. So, it is important to allow updates and apply patches as they are received.

Run-time detection is important because if a fake antivirus executable manages to evade the other layers of protection, the Sophos Host Intrusion Prevention System (HIPS) can detect and block the behavior of the fake antivirus sample when it tries to execute on the system [21]. HIPS includes rules that specifically target fake antivirus. Essentially, if the program sees the fake antivirus software doing anything dangerous, it will shut the software down: a blocking move by another layer of protection.


Keep people working

Your users don't really care too much about any of this. They just want to get their work done. That's why Sophos provides IT staff with visibility into fake antivirus detection, sends alerts to let you know when malware has been stopped, and removes the malware from your users' computers. You can choose a configuration that lets users get these notifications, or shows these messages only to the security team.

Educate users

User education is an important part of the defense as well. Users should know not to click on anything suspicious. But they should also be reminded that the IT department takes care of antivirus protection for their computers. If they are concerned about antivirus, or have strange messages popping up, they should contact IT and not try to sort it out for themselves. It's also important to religiously refuse any anti-malware software which offers a free scan but forces you to pay for cleanup. Reputable brands don't do this: an antivirus evaluation should let you try out detection and disinfection before you buy.

[Fig.35: "Complete Security" diagram. Ring labels: Reduce attack surface, Protect everywhere, Stop attacks and breaches, Keep people working. Component labels: URL Filtering, Web Application Firewall, Endpoint Web Protection, Live Protection, Anti-malware, Patch Manager, Visibility, Clean up, Educate Users. Caption: Stopping Fake Anti-Virus: Complete protection against a rampant threat]


Here are three additional tips to help protect Mac users:

- If you use Safari, turn off the "open safe files after downloading" option. This stops files such as the ZIP-based installers favored by scareware authors from running automatically if you accidentally click their links.
- Don't rely on Apple's built-in XProtect malware detector. It's better than nothing, but it only detects viruses using basic techniques, and under a limited set of conditions. For example, malware on a USB key would go unnoticed, as would malware already on your Mac. And it only updates once in 24 hours, which probably isn't enough anymore.
- Install genuine antivirus software. Ironically, the Apple App Store is a bad place to look: any antivirus sold via the App Store is required by Apple's rules to exclude the kernel-based filtering component (known as a real-time or on-access scanner) needed for reliable virus prevention.

Conclusion

Fake antivirus is still a prevalent threat; it is a persistent problem, and the financial benefits for cybercriminals mean that fake antivirus will not go away.

Fake antivirus is already distributed through a large number of sources. The variety and inventiveness of its distribution will only increase.

Fortunately, users can protect themselves through a comprehensive and layered security solution that detects and defends against fake antivirus at every possible level.
