stopping fake antivirus
TRANSCRIPT
-
8/3/2019 Stopping Fake Antivirus
1/16
1A Sophos White Paper - September 2011
Fake antivirus is one o the most requently encountered threats on the web today.
Also known as rogue antivirus, rogues, or scareware, ake antivirus uses social
engineering to lure users to malicious sites and scare them into paying or ake threat
removal tools.
This paper provides insight into where ake antivirus comes rom and how it is
distributed, what happens when a system is inected with ake antivirus, and how to
stop this persistent threat rom inecting your network and your users.
Stopping FakeAntivirus:
How to KeepScareware offYour Network
-
8/3/2019 Stopping Fake Antivirus
2/16
Stopping Fake Antivirus: How to keep scareware off your network
2A Sophos White Paper - September 2011
What is fake antivirus?Fake antivirus is ake security sotware
which pretends to nd dangerous securitythreatssuch as viruseson your
computer. The initial scan is ree, but i
you want to clean up the raudulently-
reported threats, you need to pay.
This class o malware displays alse alert
messages to computer users concerning
threats on their machines (but these threats
do not really exist). The alerts will prompt
users to visit a website where they will be
asked to pay or these non-existent threats
to be cleaned up. The ake antivirus malware
will continue to send these annoying
and intrusive alerts until a payment is
made or the malware is removed.
This paper provides insight into where
ake antivirus comes rom, what happens
when a system is inected with ake
antivirus, and how users can protect
themselves rom ake antivirus.
Why is ake antivirus so popular among
cybercriminals? It is a huge revenue
source. Compared to other classes omalware such as bots, backdoor Trojans,
downloaders and password stealers, ake
antivirus draws the victim into handing
money over directly to the malware author.
Victims typically pay around $120 via
credit card to pay or the junk sotware
that will supposedly x the problem.
Fake antivirus is also associated with
a thriving aliate network community
that makes large amounts o money by
driving trac toward the stores o their
partners1. Individual aliates can quickly
generate income because distribution
networks pay aliates between $25
and $35 to simply do lead generation
by inecting additional computers.
-
8/3/2019 Stopping Fake Antivirus
3/16
3
Stopping Fake Antivirus: How to keep scareware off your network
A Sophos White Paper - September 2011
Fig.1
Fig.2
Fig.3
Fig.4
At SophosLabs, we are seeing new and
dierent types o ake antivirus emerging.
Macs are now a major target, includingMac-targeted social engineering being used
rom the bait to the malware. We have
been careully tracking the developments
in the Mac OS X malware community, and
have concluded that ake antivirus or
Macs is advancing ast and taking many
cues rom the Windows malware scene.
Hackers are also using image and image
search poisoning in addition to trending
topics to inect users with ake antivirus.
In addition, SophosLabs is seeing prolic
rebranding o ake antivirus names to
conuse users and elude detection.
Typical signs of infectionFake antivirus usually uses a large array
o social engineering techniques to getitsel installed. Campaigns have included:
Fake Windows Security Updates2
Fake Virus-Total pages3
Fake Facebook app4
9/11 scams5
Once on a system, there are many
common themes in its behavior:
Popup warnings
Many ake antivirus amilies will display
popup messages (see g.1-5).
Fig.5
-
8/3/2019 Stopping Fake Antivirus
4/16
Stopping Fake Antivirus: How to keep scareware off your network
4A Sophos White Paper - September 2011
Fake scanning
The ake antivirus will typically pretend to
scan the computer and nd non-existentthreats, sometimes creating les ull o junk
that will then be detected6 (see g.6-8).
Fake antivirus uses an enormous
range o convincing names to add to
the illusion o legitimacy, such as:
Security Shield
Windows XP Recovery
Security Tool
Internet Deender
PC Security Guardian
BitDeender 2011
Security Deender
Antimalware Tool
Smart Internet Protection
AntiVirus AntiSpyware 2011
Malware Protection
XP Security 2012
Security Protection
XP Antivirus 2012
XP Anti-Spyware 2011
MacDeender
Mac Security
There can be many thousands o variants
or each amily as techniques such asserver-side polymorphism are used heavily
to alter the ake antivirus executable.
This is a process whereby the executable
is re-packaged ofine and a dierent le
is delivered when a download request is
made. This can happen many times during
a 24-hour period. One particular amily
that calls itsel Security Tool7 has been
known to produce a dierent le nearly
every minute. This is how a single amily
can have such large numbers o samples.
Many amilies will also share a common
code base underneath the polymorphic
packer, where the application is simply
re-skinned with a dierent look and eel
but the behavior remains the same.
Fig.6
Fig.7 Fig.8
-
8/3/2019 Stopping Fake Antivirus
5/16
5
Stopping Fake Antivirus: How to keep scareware off your network
A Sophos White Paper - September 2011
Fig.9
Infection vectors
How do people get inected
with ake antivirus?
Although there are many dierent ways
that a specic ake antivirus may get onto a
system, the majority o distribution avenues
rely on social engineering. Ultimately, the
user is tricked into running the ake antivirus
installer executable in a way similar to
many other types o Trojans. Fake antivirus
authors have used a huge range o dierent
social engineering tricks and are continuing
to come up with new ones all the time.
In this paper, we review several main
sources o ake antivirus inection:
Search engine optimization poisoning
Email spam campaigns
Compromised websites
and exploit payloads
Fake antivirus downloads
by other malware
Search engine optimization poisoning
A very common source o ake antivirus
inection is clicking on links received rompopular search engines while searching
or topical terms. Fake antivirus authors
ensure that links leading to ake antivirus
download sites will eature prominently
in search results by using Black Hat SEO
techniques8. These poisoned results will
redirect users to a ake antivirus-controlled
website that displays a ake scanning
page, inorming them that their computer
is inected and they must download a
program to clean it up. Alternatively, a ake
movie download page may be displayed,
where users are prompted to download
a codec in order to view the movie. This
codec is in act a ake antivirus installer.
Google Trends is a service provided by
Google that highlights popular search
terms entered into its search engine.
Here is an example o how search
terms taken rom Google Trends are
poisoned by ake antivirus authors.
Lets do a search or pages containingterms rom Hot Searches (see g.9).
-
8/3/2019 Stopping Fake Antivirus
6/16
Stopping Fake Antivirus: How to keep scareware off your network
6A Sophos White Paper - September 2011
Picking several o the terms and
perorming a search or them will produce
several poisoned results (see g.10).
Clicking on these links takes users
to a ake scanning page, where they
are told they have multiple inections
and need to download a program to
remove the threats (see g.11-13).
Fig.10
Fig.11
Fig.12
Fig.13
Fig.14
Fig.15
Or, users are taken to a ake movie
download page where they are told
they need to download a codec toview the movie (see g.14, 15).
In each case, users are tricked into
downloading and running an unknown
executable, which is the ake antivirus installer.
-
8/3/2019 Stopping Fake Antivirus
7/16
7
Stopping Fake Antivirus: How to keep scareware off your network
A Sophos White Paper - September 2011
Fig.16
Fig.17
Fig.18
Fig.19
Spam campaigns
Fake antivirus is oten sent directly to
the victim as an attachment or as a linkin a spam message. The message is
predominantly sent through email, but other
orms o spam have also been observed
to deliver ake antivirus, such as instant
messaging applications including Google
Talk10. The spam message itsel usually uses
social engineering techniques to trick users
into running the attached le or clicking on
the link. Specic campaigns vary and include
password reset, ailed delivery message
and You have received an ecard scams.
Examples o email spam campaigns
spreading ake antivirus include:
Account suspension scams: Victims
receive an email message suggesting
access to a specic account has been
terminated and they need to run the
attached le to x the issue (see g.16).
Ecard scams: An email is received
purporting to be rom a legitimate
ecard company. In act, a ake antivirusinstaller is attached (see g.17).
Password reset scams: Victims receive
a message supposedly rom a popular
website, inorming them that their
password has been reset and the new
one is in the attached le (see g.18).
Package delivery scam: Details o
a (ctitious) recent postal delivery
are included in an attached le. In
reality, the attachment will install
ake antivirus (see g.19).
-
8/3/2019 Stopping Fake Antivirus
8/16
Stopping Fake Antivirus: How to keep scareware off your network
8A Sophos White Paper - September 2011
Compromised websites
and exploit payloads
Users can sometimes be sent to akeantivirus websites by browsing legitimate
websites that have been compromised,
where malicious code has been injected
into the page. This can be achieved by
penetrating the target websites hosting
server and appending (typically) JavaScript
to HTML pages hosted there. This redirect
code can be used to send the browser
to any type o malware hosting page
including exploit kits and ake antivirus. This
JavaScript code is almost always heavily
obuscated, and Sophos detects this type
o malware as variants o Troj/JSRedir11.
SophosLabs has also seen hackers
compromise legitimate web-based
advertising eeds to ensure that malicious
code is loaded instead. This may take the
orm o an exploit that downloads and
executes a ake antivirus binary as the
payload or a simple irame that redirects the
browser to a ake antivirus web page12, 13.
Fake antivirus downloads
by other malware
Fake antivirus can be downloaded ontoa machine by other types o malware.
SophosLabs maintains many honeypot
machines that are seeded with dierent
malware, in order to observe their behavior
and ensure protection is maintained when
new variants are downloaded. We have seen
several amilies install ake antivirus onto
an inected machine, most notably TDSS,
Virtumundo and Waled14. The inamous
Concker worm was also observed to install
ake antivirus onto inected computers15.
In this way, a hacker that has inected
a computer with TDSS or Virtumundo
can extract more money rom victims by
orcing them to pay or ake antivirus.
In addition a pay-per-install model exists
where hackers are paid to inect users
computers. In this system, a hacker
controls a victims computer (using
TDSS or similar), and is paid by the ake
antivirus producer to install the ake
antivirus on the inected computer.
-
8/3/2019 Stopping Fake Antivirus
9/16
9
Stopping Fake Antivirus: How to keep scareware off your network
A Sophos White Paper - September 2011
Fake antivirus familiesWe now explain in more detail the
behavior o ake antivirus once it hasmade its way onto a target system.
Registry installation
Fake antiviruss typical behavior is to copy
the installer to another location on the
system and create a registry entry that will
run the executable on system startup.
The installer is oten copied into the
users prole area (e.g., C:\Documents
and Settings\\Local Settings\
Application Data), or into the temporary
les area (e.g., c:\windows\temp) with
a randomly generated le name. This
makes the ake antivirus UAC-compliant
on Windows machines that have UAC16
enabled, thus avoiding a UAC warning
popping up during installation. However,
some amilies still do not care about
UAC and still create their les in the
Program Files or Windows olders.
A run key entry is then created in the
registry that will run the le when the
system starts up. Typically, this willbe added to one o the ollowing:
HKCU\Sotware\Microsot\Windows\
CurrentVersion\RunOnce
HKCU\Sotware\Microsot\
Windows\CurrentVersion\Run
HKLM\Sotware\Microsot\
Windows\CurrentVersion\Run
Examples:
HKLM\SOFTWARE\Microsot\Windows\
CurrentVersion\Runwpkaruv
c:\documents and settings\\
local settings\application data\
tqaxywicl\chgutertssd.exe
HKCU\Sotware\Microsot\Windows\
CurrentVersion\RunOnceCUA
c:\windows\temp\sample.exe
HKLM\SOFTWARE\Microsot\Windows\
CurrentVersion\Run85357230
c:\documents and settings\all users\
application data\85357230\85357230.exe
-
8/3/2019 Stopping Fake Antivirus
10/16
Stopping Fake Antivirus: How to keep scareware off your network
10A Sophos White Paper - September 2011
Initiate a ake scan
Once ake antivirus is installed, it will
usually attempt to contact a remotewebsite over HTTP and will oten download
the main component. This will initiate
a ake system scan, where many non-
existent threats will be discovered. The
main ake antivirus window is oten very
proessionally created and victims can
easily be convinced that they are using a
genuine security product (see g.20-25).
Fig.20
Fig.21
Fig.22
Fig.23
Fig.24
Fig.25
-
8/3/2019 Stopping Fake Antivirus
11/16
11
Stopping Fake Antivirus: How to keep scareware off your network
A Sophos White Paper - September 2011
Fig.27
Fig.29
Fig.28
Fig.30
Once the ake threats have been discovered,
users are told they must register or activate
the product in order to clean up the threats.Users are taken to a registration website
(either through a browser or through
the ake antivirus application), where
they are asked to enter their credit card
number and other registration details.
These pages are also very convincing,
occasionally eaturing illegal use o logos
and trademarks rom industry-recognized
organizations such as Virus Bulletin17
and West Coast Labs18 (see g.26-31).
Fig.26
Fig.31
-
8/3/2019 Stopping Fake Antivirus
12/16
Stopping Fake Antivirus: How to keep scareware off your network
12A Sophos White Paper - September 2011
Fig.32
Fig.33 Fig.34
Other fake antivirus behaviorCertain ake antivirus amilies cause
urther distress to the victim by intereringwith normal system activity. Commonly,
this includes disabling the Task Manager
and use o the Registry Editor, prohibiting
certain processes rom running and even
redirecting web requests. This behavior
urther convinces the user that there is
a problem on the system and increases
the likelihood o a purchase being made.
This extra activity can take the orm o:
Process termination: Certain programs
are prohibited rom running by the akeantivirus, with a warning message being
displayed instead (see g. 32, 33).
The ake antivirus will generally allow
Explorer and Internet Explorer to run, so
renaming an executable as explorer.exe or
iexplore.exe should allow it to be run.
Web page redirection: Some ake
antivirus amilies will redirect web
requests or legitimate websites to an
error message or other type o warningmessage. This adds to the users ear
and, again, makes the user more likely to
pay or the ake antivirus (see g.34).
Installation of more malware:
Fake antivirus has been known to
download other types o malwareupon installation, such as banking
Trojans, rootkits and spam bots.
Prevent and protectThere are many ways to stop ake
antiviruson the web, in email, and in your
endpoint security. Malware is complex, and
protecting the corporate IT environment
is a ull-time job. Antivirus sotware is
just the beginning. A solid deense is
needed to reduce the risk to your business
by protecting all routes o attack.
The most eective deense against the ake
antivirus threat is a comprehensive, layered
security solution. Detection can and should
take place at each stage o the inection.
Reduce the attack surace
Protect everywhere
Stop the attack
Keep people working
Educate users
-
8/3/2019 Stopping Fake Antivirus
13/16
13
Stopping Fake Antivirus: How to keep scareware off your network
A Sophos White Paper - September 2011
Heres how you can create this
type o layered deense:
Reduce the attack surface To reduce
the attack surace, Sophos lters URLs
and blocks spam to prevent ake antivirus
rom reaching users. By blocking the
domains and URLs rom which ake
antivirus is downloaded, the inection
can be prevented rom ever happening.
Sophos customers are protected by URL
ltering in Sophos Web Security and
Control19 and the latest endpoint security
product. Sophos Email Security and Data
Protection blocks spam containing akeantivirus beore a user even sees it20.
Protect everywhere But, protection
needs to go urther, and Sophos does
this with endpoint web protection, live
protection and rewall protection. Sophos
Endpoint Security and Control detects
web-based content, including the detection
o the JavaScript and HTML used on
ake antivirus and ake codec web pages.
Detection at this layer prevents the ake
antivirus les rom being downloaded
(e.g., Mal/FakeAVJs, Mal/VidHtml).
In addition, Sophos Live Protection enables
the Sophos Endpoint Security and Control
product to query SophosLabs directly
when it encounters a suspicious le in
order to determine whether the le is
ake antivirus, or any other malware.
This enables the automatic blocking o
new and emerging malware outbreaks
in real time, beore the malware has achance to run. This immediate access
lets you close the window between the
time SophosLabs nds out about an
attack and when users are protected.
Firewall protection means that the
Sophos Client Firewall can be congured
to block outgoing connections rom
unknown programs to prevent ake
antivirus rom calling home to receive
updated downloads, or to send back
a victims credit card inormation.
Stop the attack Stopping the attack involves
your anti-malware sotware, ongoing updating
and patching eorts, and run-time detection.
To proactively detect the ake antivirus le,
our Sophos antivirus agent delivers complete
protection, plus low-impact scans that
detect malware, adware, suspicious les
and behavior, and unauthorized sotware.
Using Behavioral Genotype technology,
many thousands o ake antivirus les
can be detected with a single identity. The
number o samples currently detected as
variants o Mal/FakeAV and Mal/FakeAle
is well in excess o hal a million.
O course, updating and patching are also
important to keep anti-malware sotware up
to date, and apply at all levels o protection.
Antivirus sotware must be kept up to
date using automatic updating to ensure
that the latest protection is provided at
all times. Other sotware such as the
operating system and commonly usedapplications, or example Adobe Reader,
should be patched to ensure that they do
not introduce security weaknesses. Static
deenses are not going to keep up with
the new variations, attacks change all the
time. So, it is important to allow updates
and apply patches as they are received.
Run-time detection is important because
i a ake antivirus executable manages to
evade the other layers o protection, the
Sophos Host Intrusion Prevention System
(HIPS) can detect and block the behavior
o the ake antivirus sample when it tries
to execute on the system21. HIPS includes
rules that specically target ake antivirus.
Essentially, i the program sees the ake
antivirus sotware doing anything dangerous,
it will shut the sotware downa blocking
move by another layer o protection.
-
8/3/2019 Stopping Fake Antivirus
14/16
Stopping Fake Antivirus: How to keep scareware off your network
14A Sophos White Paper - September 2011
Keep people working Your users dont
really care too much about any o this.
They just want to get their work done.Thats why Sophos provides IT sta with
visibility into ake antivirus detection, sends
alerts to let you know when malware has
been stopped, and removes the malware
rom your users computers. You can
choose a conguration that lets users
get these notications, or shows these
messages only to the security team.
Educate users User education is an
important part o the deense as well.
Users should know not to click on anything
suspicious. But, they should also be
reminded that the IT department takes careo antivirus protection or their computers. I
they are concerned about antivirus, or have
strange messages popping up, they should
contact IT and not try to sort it out or
themselves. Its also important to religiously
reuse any anti-malware sotware which
oers a ree scan but orces you to pay or
cleanup. Reputable brands dont do thisan
antivirus evaluation should let you try out
detection and disinection beore you buy.
Fig.35
Complete
Security
URL Filtering
Web ApplicationFirewall
Reduce
att
ack
surfa
ce Protecteve
rywhere
Keeppeoplew
orking
Stop
atta
cksand
breach
es
Visibility Patch Manager
Anti-malware
Endpoint WebProtection
Clean up
Live Protection
Educate Users
Stopping Fake Anti-VirusComplete protection against a rampant threat
-
8/3/2019 Stopping Fake Antivirus
15/16
15
Stopping Fake Antivirus: How to keep scareware off your network
A Sophos White Paper - September 2011
Here are three additional tips
to help protect Mac users:
I you use Saari, turn o the open
sae les ater downloading option.
This stops les such as the ZIP-
based installers avored by scareware
authors rom running automatically
i you accidentally click their links.
Dont rely on Apples built-in XProtect
malware detector. Its better than nothing,
but it only detects viruses using basic
techniques, and under a limited set
o conditions. For example, malware
on a USB key would go unnoticed, as
would malware already on your Mac.And it only updates once in 24 hours,
which probably isnt enough anymore.
Install genuine antivirus sotware.
Ironically, the Apple App Store is
a bad place to lookany antivirus
sold via the App Store is required by
Apples rules to exclude the kernel-
based ltering component (known
as a real-time or on-access scanner)
needed or reliable virus prevention.
Conclusion
Fake antivirus is still a prevalent threat, it is a persistent
problem and the fnancial benefts or cybercriminals means
that ake antivirus will not go away.
Fake antivirus is already distributed through a large number
o sources. The variety and inventiveness o its distributionwill only increase.
Fortunately, users can protect themselves through a
comprehensive and layered security solution that detects and
deends against ake antivirus at every possible level.
-
8/3/2019 Stopping Fake Antivirus
16/16