Infection Vector:
1. Downloaded from remote sites by other
2. Downloaded from malicious links spreading across social networking sites and Instant Messages.
3. As codec for videos hosted on social networking sites
4. Arrives from spam mails and uses social engineering tactics for unsuspecting users to execute malicious file attachments or embedded URL links.
5. Mass SEO poisoning involving several compromised Web sites

Risk Conditions:
1. Can infect Windows 98, ME, NT, 2000, XP, 2003, Vista and 2008.
2. Internet/Network Connection.

Upon Execution:
1. Installs a fake anti-virus/anti- application.
2. Displays fake but convincing pop-ups for security alerts.
3. Can drop additional to execute another

Basic Indicators and how it affects customers

1. Upon execution, this trojan family installs a bogus anti-virus/anti-spyware application which misleads the user into believing they are infected with a variety of malware. It uses convincing pop-up messages and additional visual payloads such as a fake BSOD (Blue Screen of Death), with the primary purpose of tricking the user into purchasing/registering the application online. Most variants use the Notification area of the Windows Taskbar to obfuscate their intent, for example by adding extra error icons or replicating the Windows Security Center (WSC) with a bogus alert.

2. It creates registry entries to enable its automatic execution at every system startup. Some variants register themselves as a Browser Helper Object (BHO) to ensure they run every time Internet Explorer is started. It injects advertising into known sites such as the Google home page. The advertisement leads to a link that, once clicked, takes the user to sites such as the one shown below and misleads them into purchasing the rogue application.

3. With these combined tactics it pressures end users into divulging their credit card information, but it does not actually fix the problem, since this is a bogus application. The sites built for this tactic are not secured sites, so the credit card information can be sniffed in transit because the online transaction is not secured.

4. Due to the alarming pop-ups, customers are tricked into agreeing to purchase the rogue application. Certain variants also have obfuscated installers and act like legitimate applications, even including a EULA to mimic valid software.

Securing your network with Worry Free Business Security

Trend Micro's latest version of WFBS has the following features, which help remove and contain the infection vectors of this malware and secure your network:

1. Scanning Technology - the same scanning technology but with a smaller memory footprint and performance enhancements to make it lighter on the network.
2. Web Threat Protection - evaluates the potential security risk of each requested URL by querying the database at the time of each HTTP request. Its engine has an enhanced feedback mechanism supporting the Trend Micro Smart Protection Network for faster discovery and handling of unknown web threats.
3. Behavior Monitoring - protects clients from unauthorized changes to the operating system, registry entries, other software, files and folders.
4. Instant Message Content Filtering - can restrict certain words or phrases while using IM applications.
5. Trend Secure - enables users to surf the internet securely since it warns users about malicious and web sites, while Transaction Protector determines the safety of your wireless connection by checking the authenticity of the access point.
6. Messaging Security Agent - scans and filters mails for spam and other malicious content before the end user gets the chance to execute the attachments or embedded links.
7. InterScan Messaging Hosted Security - protects and filters the mail gateway from spam, viruses, etc. before they reach the mail server.

Interpreting WFBS virus logs

To identify which machine or user is spreading an infection, the following information is helpful, depending on the type of infection.

1.) File Based Worms: normally spread through Windows file sharing.
Target: writable open shares; captured account logins with access to default shares (c$, d$, .., admin$)
Helpful: Infection Source via Virus Log (if the malware is detected by Trend Micro), Wireshark
Note: The WFBS CSA will try to find a network session whose idle time is less than 3 seconds. The "first" session with "idle time less than 3 sec" will be listed as the infection source.

2.) Exploit Based Worms
Target: Machines with missing software vulnerability patches
Helpful: Infection Source via Log (if the malware is detected by Trend Micro), WFBS Vulnerability Assessment, Wireshark and Microsoft Baseline Security Analyzer

3.) Downloaded Malware
Target: Machines with an internet connection; malicious websites or infiltrated websites.
Helpful: WTP logs (if the malicious website is categorized), Proxy Logs, Gateway HTTP Logs, Wireshark and Fiddler

4.) P2P & IRC based Malware
Helpful: Wireshark

On sources suspected to be infected, it is advised to use local investigation tools such as the ARTLClean Tool, SIC Tool and HijackThis. You may also use other free applications such as Windows Sysinternals from this link: http://technet.microsoft.com/en-us/sysinternals/default.aspx

Case study for interpreting virus logs

1. Focusing on a single malware detection may result in continuous re-infection or allow a new malware infection to occur.

Due to the obvious visual pop-ups, the administrator focuses on the TROJ_FAKEAV variant and checks the virus logs for any failed clean-up attempts. Once the administrator has drilled down to the suspect file, he/she submits it to support for analysis and at the same time tries to remove the malware manually using Trend Micro's Virus Encyclopedia.

In doing so the administrator unknowingly overlooks TROJ_FRAUDLOA.WN, which drops a file called AV2009Install_880593.exe that can be downloaded from a remote site. This trojan then drops the variant TROJ_FAKEAV.CX. Also overlooked is that the added visual payload was caused by TROJ_RENOS.ACG, which was dropped by TROJ_FAKEAV.CX.

2. Since one of the infection vectors is e-mail, check the Messaging Security Agent for indications of failed actions in the virus logs. Most likely these failed actions are the root cause of why the end users unconsciously gave in to the social engineering tactics used by TROJ_FAKEAV. See the virus log snippet here:

Date | Time | Server Name | Virus | File | Path | Scan Type | Result
(date) | (time) | (server) | TROJ_FAKEAV.EH | NTFS_f96c436c01c9092a00003f1c.EML (MT77232.exe) | D:\Exchange\Mailroot\vsi 1\Queue\ | Real-time Scan | Virus successfully detected, but infected file cannot be quarantined

3. The default product action on Gen Major Type malware (Cryp, Possible, PAK_Generic) is "pass", and it is commonly ignored by users and administrators, resulting in continuous infection.

The suggested action for Gen-Major Types is "pass" because of the possibility of a false alarm. The risk with "pass" is that the detected file is still allowed to execute; the detection's primary purpose is only to warn the administrator. If confident in the scan result, temporarily force an action on Gen Major Types or submit the sample for proper action. A good example is Cryp_FakeAV.

WFBS 5.1: There is no need to apply a hotfix build; only the following changes are needed:
a. On the WFBS installation directory, open the /PCCSRV/ofcscan.ini file using a text editor.
b. Under the Global Setting section, add the following keys and assign the values of and with the scan action value you want to use:
[Global Setting]
1stActForGenericVirus=
2ndActForGenericVirus=
c. Save and close the file.
d. Log on to the WFBS Dashboard and go to Global Client Settings.
e. Click Save to deploy the setting to all clients.

Where: is the first action, is the second action, and the scan action values are as follows:
0 - Pass (permanent)
1 - Rename
2 - Move
3 - Clean
4 - Delete
5 - Pass (temporary) - This is the default scan action.
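As an added example (not Trend Micro's code), the following Python script applies the ofcscan.ini change described above to a copy of the file: it reports which generic-virus actions are currently in effect (absent keys mean the default 5, Pass temporary) and inserts or updates the two keys under [Global Setting] while leaving every other line untouched. SAMPLE_INI is a constructed stand-in for the real file; the values 3 (Clean) and 2 (Move) used in the test are just one choice of forced actions.

```python
import re

# Scan action codes documented for 1stActForGenericVirus / 2ndActForGenericVirus.
SCAN_ACTIONS = {0: "Pass (permanent)", 1: "Rename", 2: "Move", 3: "Clean", 4: "Delete", 5: "Pass (temporary)"}
DEFAULT_ACTION = 5          # "Pass (temporary)" is the documented default when the keys are absent
KEYS = ("1stActForGenericVirus", "2ndActForGenericVirus")
SECTION = "[Global Setting]"

# Constructed sample standing in for /PCCSRV/ofcscan.ini; the real file has many more keys.
SAMPLE_INI = """\
[INI_CLIENT_SECTION]
Client_Version=5.1
[Global Setting]
; constructed sample, not a real ofcscan.ini
SomeOtherKey=1

[Other Section]
Foo=bar
"""

def _section_bounds(lines):
    """Return (start, end) indexes of the [Global Setting] body, or None if the section is absent."""
    start = None
    for i, line in enumerate(lines):
        if line.strip().lower() == SECTION.lower():
            start = i + 1
        elif start is not None and line.strip().startswith("["):
            return start, i
    return (start, len(lines)) if start is not None else None

def current_actions(ini_text):
    """Map each key to the action name in effect (missing key -> the default)."""
    lines = ini_text.splitlines()
    found = dict.fromkeys(KEYS, DEFAULT_ACTION)
    bounds = _section_bounds(lines)
    if bounds:
        for line in lines[bounds[0]:bounds[1]]:
            m = re.match(r"\s*(\w+)\s*=\s*(\d+)\s*$", line)
            if m and m.group(1) in KEYS:
                found[m.group(1)] = int(m.group(2))
    return {k: SCAN_ACTIONS.get(v, f"unknown ({v})") for k, v in found.items()}

def set_generic_actions(ini_text, first, second):
    """Return ini_text with both keys set under [Global Setting]; other lines are kept verbatim."""
    for v in (first, second):
        if v not in SCAN_ACTIONS:
            raise ValueError(f"invalid scan action {v}; valid codes: {sorted(SCAN_ACTIONS)}")
    wanted = dict(zip(KEYS, (first, second)))
    lines = ini_text.splitlines()
    bounds = _section_bounds(lines)
    if bounds is None:                     # no [Global Setting] yet: append one at the end
        lines += ["", SECTION]
        bounds = (len(lines), len(lines))
    start, end = bounds
    seen = set()
    for i in range(start, end):            # update keys that already exist, in place
        m = re.match(r"\s*(\w+)\s*=", lines[i])
        if m and m.group(1) in wanted:
            lines[i] = f"{m.group(1)}={wanted[m.group(1)]}"
            seen.add(m.group(1))
    insert_at = end
    while insert_at > start and not lines[insert_at - 1].strip():
        insert_at -= 1                     # keep new keys with the section body, before its trailing blanks
    for k in KEYS:
        if k not in seen:
            lines.insert(insert_at, f"{k}={wanted[k]}")
            insert_at += 1
    return "\n".join(lines) + "\n"
```

Run current_actions on the real ofcscan.ini first to confirm the keys are absent (default "Pass"), then write the output of set_generic_actions back and deploy via Global Client Settings as in steps d and e.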

CSM 3.6: http://esupport.trendmicro.com/pages/Hot-Fix-B1170-Unable-to-configure-the-scan-action-for-the-generic-viru.aspx.

Indicators: Things to watch for in TROJ_FAKEAV

Indicator 1: Temporary Internet Folders
Detected Examples:
– C:\Documents and Settings\My_Account.MY_Domain\Local Settings\Temporary Internet Files\Content.IE5\0K2L7SL0\
– C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2L3VDI0M\
– D:\Documents and Settings\User1\Local Settings\Temporary Internet Files\Content.Word\
– C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\49IFI42N\
Key Elements:
1. User_Folder
2. Temporary_Internet Files\Content.IE5\
Analysis:
1. Internet Explorer was exploited by malware to download other malware files
2. Internet Explorer was used by the user to browse a malicious website
3. Failing HTTP filters (Web Threat Protection - WTP, IWSS)
4. Endpoint action normally fails when IE is running during the scan.
Key Action:
1. Check Web Protection and HTTP request pathways
2. Investigate possible undetected malware on the machine
3. Close Internet Explorer, then rescan using the antivirus to confirm product failure
4. Check WTP, Gateway URL filtering logs and Firewall logs.

Indicator 2: System Restore Folder
Examples:
– C:\System Volume Information\_restore{0B9EACA0-2D81-4483-9486-FDA9888319BC}\RP60\
– F:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\
– F:\System Volume Information\_restore{487515DE-933F-4B95-A037-AE7DA3D48354}\RP683\
Analysis:
1. The malware was backed up by Windows System Restore prior to antivirus detection.
2. Risk: the malware can be restored if the antivirus is stopped
3. Risk: a Virus Outbreak Event due to recurring detection and possible failure to remove
Key Action:
• Disable Windows System Restore to clear the backed-up copies of the infection
• Investigate possible new undetected malware still residing in the system

How and System Restore work together: http://support.microsoft.com/kb/831829

Remove infected files that you cannot clean in the System Restore data archive

If you suspect that previous restore points contain copies of infected monitored files that your antivirus program was not able to clean, you can remove these files and all the related restore points from the System Restore archive. To do so, turn off System Restore, and then turn it on again.

Notes:
1. When you turn off System Restore, you remove all the restore points. When you turn on System Restore again, new restore points are created as the schedule and events require.
2. Verify that all the signature or definition files are current. Make sure that your antivirus program is configured to exclude the System Volume Information (SVI) folder (a hidden folder located in the root of the system drive, %SYSTEMDRIVE%).
3. To completely and immediately remove any infected file or files in the data store, turn off and then turn on System Restore. To do so, follow these steps:
4. Click Start, and then click Control Panel.
5. Click Performance and Maintenance, and then double-click System.
6. Click the System Restore tab, and then click to select the Turn off System Restore for all drives check box.
7. Click OK, and then click Yes to initiate the restore point deletion.

To turn on System Restore again after the restore point deletion has completed, repeat these steps, but click to clear the Turn off System Restore for all drives check box.

Virus Scan Logs Key Performance Indicators

1. Good Final Action Scan Results one wants to see:
• "Cleaned"
• "Quarantined"
• "Renamed"
2. Questionable and Risky Scan Final Results:
• "Pass"
• "Unable to clean the file"
• "Unable to clean or delete the file"
• "Unable to clean or quarantine the file"
• "Unable to send the quarantined file to the designated quarantine folder"
3. Suspicious Scan Results:
• Recurring Good Final Action Scan Results for the same malware
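To show how the KPI buckets above and the two path indicators from the Indicators section can be applied mechanically to a log export, here is an added Python example; it is not part of the Trend Micro document, and the tab-separated record layout, host names and file names in SAMPLE_LOG are constructed for illustration. It flags risky final actions, a "good" result that recurs for the same malware on the same host (the suspicious case in item 3), and detections located in Temporary Internet Files or System Restore paths.

```python
import re
from dataclasses import dataclass

# Final-action buckets from the "Virus Scan Logs Key Performance Indicators" list.
GOOD_RESULTS = {"Cleaned", "Quarantined", "Renamed"}
RISKY_PREFIXES = ("Pass", "Unable to clean", "Unable to send the quarantined file")

# Path patterns for Indicator 1 (Temporary Internet Files) and Indicator 2 (System Restore).
INDICATORS = {
    "temporary_internet_files": re.compile(r"\\Temporary Internet Files\\Content\.", re.I),
    "system_restore": re.compile(r"\\System Volume Information\\_restore\{|\\RESTORE\\S-1-5-", re.I),
}

# Constructed sample: "date<TAB>host<TAB>malware<TAB>path<TAB>final action" per line.
# This layout is an assumption for the example, not the format of a real WFBS export.
SAMPLE_LOG = """\
2009-03-02 09:10\tPC-01\tTROJ_FAKEAV.CX\tC:\\Documents and Settings\\User1\\Local Settings\\Temporary Internet Files\\Content.IE5\\0K2L7SL0\\MT77232.exe\tQuarantined
2009-03-02 09:45\tPC-01\tTROJ_FAKEAV.CX\tC:\\WINDOWS\\system32\\av.exe\tQuarantined
2009-03-02 10:00\tPC-02\tCryp_FakeAV\tC:\\System Volume Information\\_restore{GUID}\\RP60\\A0001.exe\tPass
2009-03-03 08:00\tMAIL-01\tTROJ_FAKEAV.EH\tD:\\Exchange\\Mailroot\\vsi 1\\Queue\\NTFS_x.EML\tUnable to clean or quarantine the file
"""

@dataclass
class LogEntry:
    date: str
    host: str
    malware: str
    path: str
    result: str

def parse_line(line):
    """Split one tab-separated record into a LogEntry."""
    date, host, malware, path, result = line.rstrip("\n").split("\t")
    return LogEntry(date, host, malware, path, result)

def classify_result(result):
    """Bucket a final action as good, risky or unknown, following the KPI list."""
    if result in GOOD_RESULTS:
        return "good"
    if result.startswith(RISKY_PREFIXES):
        return "risky"
    return "unknown"

def path_indicators(path):
    """Names of the path-based indicators that match the detected file location."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(path))

def analyse(lines):
    """Return (host, malware, finding) triples an administrator should follow up on."""
    findings, good_seen = [], {}
    for entry in (parse_line(l) for l in lines if l.strip()):
        bucket = classify_result(entry.result)
        if bucket == "risky":
            findings.append((entry.host, entry.malware, "risky final action: " + entry.result))
        elif bucket == "good":
            key = (entry.host, entry.malware)
            good_seen[key] = good_seen.get(key, 0) + 1
            if good_seen[key] > 1:  # cleaned again on the same host: reinfection or a missed dropper
                findings.append((entry.host, entry.malware, "suspicious: recurring good result"))
        for name in path_indicators(entry.path):
            findings.append((entry.host, entry.malware, "indicator: " + name))
    return findings
```

A recurring good result on one host is the cue from the case study to look for the dropper (TROJ_FRAUDLOA.WN in that example) rather than the variant that keeps reappearing.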

Best Practices and threat prevention

Make sure to enable the following features in Worry Free Business Security:

1. Have the latest components updated for the Security Server, Client/Server Security Agent and Messaging Security Agent so that all network segments are protected. This covers all infection vectors through which TROJ_FAKEAV can enter. These are the minimum component versions required for successful detection and cleanup:

a. Virus Scan Engine 32-bit: 8.911.1001
b. Virus Scan Engine 64-bit: 8.910.1002
c. Virus Cleanup Template: 1026
d. Virus Cleanup Engine for 32-bit and 64-bit: 6.0.1172
e. Messaging Security Agent for 32-bit and 64-bit: 8.700.1004
f. Spyware Scan Engine for 32-bit and 64-bit: 6.2.3009
g. Spyware Active Monitoring pattern: 0.757.00
h. Anti-Spam Engine for 32-bit and 64-bit: 5.6.1016
i. URL Filtering Engine for 32-bit and 64-bit: 3.0.1028
j. Behavior Monitoring Core Driver: 2.5.1121

NOTE: The pattern component should always be on the latest version to protect against all TROJ_FAKEAV variants.

2. Enable Web Threat Protection to block known malicious sites associated with the download of TROJ_FAKEAV variants. This protects users from going to these malicious sites and blocks other malware trying to access them. To enable Web Threat Protection follow these steps:

1. From the Security Dashboard, go to Preferences -> Global Settings -> Desktop/Server tab
2. Tick or check Enable location awareness
3. Enter the IP address of your internal gateway, then click Add.
4. Click Save.
5. Click Security Settings from the Security Dashboard
6. Highlight the group under My Company
7. Click Configure
8. Click on Web Threat Protection
9. Tick or check Enable Web Threat Protection for either In Office or Out of Office
10. For In Office, select Low for Security Level.
11. For Out of Office, select Medium for Security Level.
12. Click Save for any changes
13. Repeat steps 7-12 for your other groups

3. Enable Behavior Monitoring to prohibit unauthorized access to files, the registry, etc. associated with the host operating system. To enable Behavior Monitoring follow these steps:

a. From the Security Server, open the Security Dashboard
b. Click Security Settings
c. Highlight the group under My Company
d. Click Configure
e. Click on Behavior Monitoring
f. Check Enable Behavior Monitoring
g. Check Enable Intuit QuickBooks Protection
h. Click Save
i. Repeat steps 4-8 for your other groups

NOTE: It is highly advisable to use WFBS version 5.1 as it has better performance handling while using the Behavior Monitoring feature.

4. Enable Instant Messaging Content Filter to filter keywords associated with the spreading of URL links relating to TROJ_FAKEAV in known IM applications.

5. Enable Trend Secure to provide information on websites.

6. Confirm from the virus logs that infection sources are scanned and cleaned successfully by going to Reports > Log Query > fill in the appropriate fields > click Display Logs. You have the option to export the logs for further analysis.

Hardening the Security of the Operating System

TROJ_FAKEAV variants use social engineering tactics with visual prompts such as active screensavers, wallpapers and an active web page on the desktop to trick unsuspecting users into believing they are infected with various malware. It disables User Configuration changes via the registry to prevent reverting the changes made by the rogue application.

Because of these restrictions, users infected by this rogue application are pressured into giving in, since they are unable to proceed with their work: the active displays are persistent and cover the majority of the desktop. Since these changes rely on OS settings, we can do the reverse and harden the security of the network via GPO, as in the screenshot shown below:

On the Web tab of the desktop items settings, select the Lock desktop items option as seen on the screenshot. Using the domain's GPO, go to the User Configuration section and make the following changes:

Administrative Templates: set all of the following settings to Enabled, except Active Desktop Wallpaper:

1. Start Menu and Taskbar
a. Prevent changes to Taskbar and Start Menu Settings.
2. Desktop
a. Prevent adding, dragging, dropping and closing the Taskbar's toolbars.
b. Prohibit adjusting desktop toolbars
Active Desktop:
c. Disable Active Desktop
d. Prohibit changes
e. Prohibit adding items
f. Prohibit editing items
g. Active Desktop Wallpaper - Disable
h. Allow only bitmapped wallpaper.
3. Display
a. Prevent changing wallpaper

Note: These settings will not remove the active malware from the machine, but they help prevent further damage and propagation by removing the visual payload. This gives users an opportunity to go on with their daily job functions without disruption.

After a successful block, run a full system scan of the infected machine to kill the malicious running process and to remove the system changes made by the malware.

Security Best Practices for Prevention

1. Make sure to show hidden files and folders, since malware tends to hide its malicious files from plain sight, as seen on the screenshot below:

Note that there are instances where malware suspect files cannot be seen even after exposing them using the tactic above. This is because they carry hidden attributes and can only be seen by running the command below in the command prompt:

The next time you visit the folder using Windows Explorer you will be able to see the file and obtain it for sample submission to Trend Micro Technical Support.

2. Set the Internet Explorer security level to Medium or High as seen on the screenshot below:

More IE security options are made available through GPO under User Configuration > Windows Settings > Internet Explorer Maintenance and Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel.

3. Since the most commonly used medium for TROJ_FAKEAV is e-mail propagation, remember to do the following:
a. If the sender is unknown, do not open the attachment, and make sure to scan attachments before opening them.
b. If you know the sender of the e-mail, verify that the mail is authentic before opening any attachments or clicking on embedded URL links.
c. Read the message body thoroughly to avoid phishing attacks.
d. To prevent the automatic execution of viruses, configure Microsoft Outlook not to show the Preview Pane.
e. Require a prompt before opening mail attachments.

4. Since some TROJ_FAKEAV variants work together with VBScript malware, it is highly suggested to disable script execution.

5. Another propagation method that TROJ_FAKEAV uses is taking advantage of AutoPlay on removable drives. Make sure to disable the AutoPlay feature for removable drives using one of the following:

a. Disable via the registry:
i. Click on Start > Run > type regedit
ii. Navigate to: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
iii. Create DWORD: NoDriveTypeAutorun=0x000000FF

b. Disable AutoPlay using msconfig:
i. Click on Start > Run > type msconfig > click the Services tab > and uncheck the service called Shell Hardware Detection.
ii. Note that this disables AutoPlay not only for all CD/DVD drives but also for any form of removable media.

c. Disable Autorun via GPO:
i. For a Windows Server 2003 domain, go to the following folder: Computer Configuration\Administrative Templates\System
ii. For a Windows 2008 domain, go to the following folder: Computer Configuration\Administrative Templates\Windows Components\Autoplay Policies
iii. Open the Turn off Autoplay policy
iv. In the Turn off Autoplay dialog box, click Enabled.
v. In the drop-down menu, click All drives.
vi. Click OK.

Workaround Solutions

Common TROJ_FAKEAV variants actively run as a process on the machine, which can be seen in Task Manager (press CTRL+SHIFT+ESC). To determine whether these processes are malicious or not, you can use sites such as http://www.processlibrary.com/ or your preferred search engine to check the validity of the running process. Once you have determined the malicious process, you can track down its other moving components by running tools such as Process Monitor, which you can download from this link: http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx. This tool provides information on what other file(s), registry hives, etc. are associated with the malicious process. This type of malware also likes to execute itself upon startup as part of its autostart technique; in such cases, run msconfig from the Run command, check the Startup tab and disable the associated malicious entry.

In case TROJ_FAKEAV cannot be removed from the system, Trend Micro requires a sample of the suspected malicious file, the infected machine's latest virus logs, and SIC or HijackThis logs to be submitted to Trend Micro Technical Support for further analysis. Click on this link for support case submission: http://esupport.trendmicro.com/SRFMain.aspx.

Once provided with a case id, you can request a small pattern from Technical Support upon submission of the malicious file sample. APAC RTL's automated system generates a small pattern that can effectively remove the TROJ_FAKEAV variant. Generation time for the pattern is approximately 5-20 minutes. Once generated, you can get the small pattern from Technical Support by just referencing your case id. To use small pattern technology, refer to this link for details: http://esupport.trendmicro.com/pages/Deploying-small-pattern-to-Trend-Micro-products.aspx.

ARTLClean Tool: All in one solution

ARTLClean Tool is a standalone application that scans the machine for malicious activities and has the capability to scan/clean the system. You can download the tool from this link: ftp://apac-rtl.serveftp.com/solutions/Tools/rtlclean/.

To download the tool kindly use these credentials: Username: rtl Password: rtlpattern

This tool also has the capability to send feedback on the malicious files that you have submitted via e‐mail. To submit malicious files for analysis use credentials provided by the Local Trend Micro Business Unit Office as seen on the example on the side.