Mcafee Labs Combating Fake Alert Infections

McAfee Labs Combating Fake Alert infections - Amith Prakash, Global Threat Response

Contents
What are FakeAlerts?
Symptoms
Characteristics - a classical example of "social engineering"
Warnings displayed for some typical Fake Alerts
FakeAlert Downloaders
Common locations to find files installed by FakeAlert Trojans
Common FakeAlert Registry changes
Connections to remote URLs
Combating FakeAlert
FakeAlert Variants

What are FakeAlerts?

FakeAlert Trojans are rogue security software made for monetary gain. They are downloaded onto the victim's system, usually through drive-by downloads or spam. The software displays misleading fake security alerts, misleading spyware scan results and aggressive advertising in order to convince the user to buy the software to get "protection". Some of the known FakeAlert variants are listed below:

1. XP antivirus 2009
2. XP antivirus 2008
3. XP Security Centre
4. Malware Protector 2008
5. TotalSecure 2008
6. IE antivirus

Symptoms

- Fake pop-up messages about the system being infected.
- Unexpected network connections made to some domain(s). (Refer to "Connections to remote URLs", pg 8.)
- Presence of suspicious processes in Task Manager. A list of common processes related to FakeAlert is given below:

  XPAntiviru*.exe
  xpa.exe
  xpa200*.exe
  XP antivirus*
  XPAntivirus*
  Uninstall XPAntivirus*
  Uninstall XP Antivirus*
  Buritos.exe
  Braviax.exe
  __c00*.dat (Generic Downloader.z)
  *phc*
  *lph*
  *rhc*
  scui.cpl (Generic PUP.x)
  VAV.CPL (Generic PUP.x)
  Beep.sys (existing file that gets overwritten with Generic PWS.o)
  ctfmona.exe
  ctfmonb.bmp
  blackster.scr (Bugs! Shareware Screensaver - clean file)
  Antvrs.exe

Many of these downloaders install other malware, including viruses as well as other Trojans. Additionally, many of them are used to remotely install adware packages onto the affected host machine for the purpose of gaining referral revenue from the adware vendor. Please note: if adware is installed via a downloader it may be installed "cleanly", with the relevant uninstaller included so the user can remove the adware, although frequently this is not the case.

Characteristics - a classical example of "social engineering"

FakeAlert is a rogue security application. These applications are usually installed by drive-by installs or through exploits. They make use of "social engineering", wherein the victim chooses "Yes" on a pop-up that says they are infected and need to install the software. (The original document shows this pop-up in an image, not reproduced here.)

Warnings displayed for some typical Fake Alerts

Some common warnings are given below, quoted as the rogue software displays them (spelling errors included):

"Windows Security Center reports that 'XP antivirus' is inable. Antivirus software helps to protect your computer against viruses and other security threats. Click Recommendations for the suggested actions. Your system might be at a risk now."

"Privacy Violation alert! XP antivirus detected Privacy Violation. Some program is secretly sending your private data to untrusted internet host. Click here to block this activity by removing threats (Recommended)."

"System files modification alert! Some critical system files of your computer were modified by malicious program. It may cause system instability and data loss. Click here to block unathorised modification by removing threats (Recommended)."

"Internal conflict alert! XP antivirus detected internal software conflict. Some application tries to get access to system kernel (such behavior is typical to Spyware/Malware). It may cause crash of your computer. Click here to prevent system crash by removing threats (Recommended)."

"Spyware activity alert! Spyware.IEMonster activity detected. It is spyware that attempts to steal passwords from Internet Explorer, Mozilla Firefox, Outlook and other programs, including logins and passwords from online banking sessions, eBay, PayPal. It may also create special tracking files to log your activity and compromise your Internet privacy. It's strongly recommended to remove this threat as soon as possible. Click here to remove Spyware.IEMonster."

FakeAlert Downloaders

We are seeing more and more hybrid downloader Trojans that install not only a FakeAlert Trojan but additional malware as well. I recently investigated a machine that had been compromised and had two FakeAlert Trojans installed, a password stealer Trojan and an adclicker Trojan.

With the latest generation of FakeAlert Trojans we are seeing rootkit technology being used:
NTRootKit-H - http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129931

We are also seeing more PWS components being added to these types of malware packages:
Generic PWS.o - http://vil.nai.com/vil/content/v_132847.htm

Some FakeAlerts are known to change the background, install screensavers and/or joke blue screens to mislead the user into believing the machine has a BSOD. Bluescreen cycles between different blue screens and simulated boots every 15 seconds or so. Virtually all the information shown on Bluescreen's BSOD and system start screen is obtained from your system configuration; its accuracy will fool even advanced NT developers. For example, the NT build number, processor revision, loaded drivers and addresses, disk drive characteristics, and memory size are all taken from the system Bluescreen is running on. For further information on the joke blue screen visit http://vil.nai.com/vil/content/v_137362.htm

FakeAlert programs are known to scan the machine and show misleading scan results. Some of them detect valid files as malware, while others drop malicious files onto the machine and then "detect" them to gain user acceptance. The rogue security application throws fake or misleading scan results.

After convincing users, the next step is to get MONEY.... It pops up a registration pane that lets the user type in an e-mail address for purchase.

Common locations to find files installed by FakeAlert Trojans

The FakeAlert Trojan commonly installs to various locations on the local computer. They are listed below.

TEMP folder:
%USER_PROFILE%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
%USER_PROFILE%\Local Settings\Temp\.tt1D.tmp
%USER_PROFILE%\Local Settings\Temp\.tt1D.tmp.vbs

Start Menu:
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk

Program Files directory:
C:\Program Files\rhcv8nj0eefc\database.dat
C:\Program Files\rhcv8nj0eefc\license.txt
C:\Program Files\rhcv8nj0eefc\MFC71.dll
C:\Program Files\rhcv8nj0eefc\MFC71ENU.DLL
C:\Program Files\rhcv8nj0eefc\msvcp71.dll
C:\Program Files\rhcv8nj0eefc\msvcr71.dll
C:\Program Files\rhcv8nj0eefc\rhcv8nj0eefc.exe
C:\Program Files\rhcv8nj0eefc\rhcv8nj0eefc.exe.local
C:\Program Files\rhcv8nj0eefc\Uninstall.exe

System folder (i.e. C:\windows\system32\):
%WinDir%\system32\Restore\MachineGuid.txt
%WinDir%\system32\blphcr8nj0eefc.scr
%WinDir%\system32\pphcr8nj0eefc.exe

(Where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)
(Where %USER_PROFILE% is the default user profile folder, for example C:\Documents and Settings\Administrator if the current user is Administrator.)

Common FakeAlert Registry changes

It creates or modifies the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhcv8nj0eefc: 00 82 AC 48
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\AntivirXP08: "AntivirXP08"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcr8nj0eefc: "%WinDir%\System32\lphcr8nj0eefc.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SMrhcv8nj0eefc: "C:\Program Files\rhcv8nj0eefc\rhcv8nj0eefc.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcv8nj0eefc\DisplayName: "AntivirXP08"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcv8nj0eefc\UninstallString: ""C:\Program Files\rhcv8nj0eefc\uninstall.exe""
HKEY_LOCAL_MACHINE\SOFTWARE\rhcv8nj0eefc\domain: "5B13A361646217A08DAF45C0FAB6AA64BF0E"
HKEY_LOCAL_MACHINE\SOFTWARE\rhcv8nj0eefc\ADVid: "687a874463df9e3b7abb1f2150607f7a"
HKEY_LOCAL_MACHINE\SOFTWARE\rhcv8nj0eefc\: "C:\Program Files\rhcv8nj0eefc"
HKEY_LOCAL_MACHINE\SOFTWARE\rhcv8nj0eefc\InstallDir:
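The process-name patterns from the Symptoms list and the Run values from the registry list can be turned into a simple triage check. The script below is an added example, not McAfee's tooling: it matches names against the paper's wildcard indicators and flags HKLM Run entries whose value name or executable matches; the sample process list and Run entries are constructed, and the "weak" flag for the bare substring patterns is this example's own addition.

```python
# Added example: match process names and HKLM Run entries against the
# FakeAlert indicators listed in the paper. Not McAfee's own tooling.
import fnmatch
import ntpath

# Wildcard process/file-name patterns from the paper's "Symptoms" list.
PROCESS_PATTERNS = [
    "XPAntiviru*.exe", "xpa.exe", "xpa200*.exe", "XP antivirus*",
    "XPAntivirus*", "Uninstall XPAntivirus*", "Uninstall XP Antivirus*",
    "Buritos.exe", "Braviax.exe", "__c00*.dat", "*phc*", "*lph*", "*rhc*",
    "scui.cpl", "VAV.CPL", "ctfmona.exe", "ctfmonb.bmp", "Antvrs.exe",
]
# The bare substring patterns are noisy on their own ("delphi.exe" matches
# "*lph*"): a hit on them is a lead to corroborate with the Run and Uninstall
# registry values the paper lists, not a verdict by itself.
WEAK_PATTERNS = {"*phc*", "*lph*", "*rhc*"}

def match_process(name):
    """First paper-listed pattern matching `name` (case-insensitive), else None."""
    lowered = name.lower()
    for pat in PROCESS_PATTERNS:
        if fnmatch.fnmatchcase(lowered, pat.lower()):
            return pat
    return None

def scan_processes(names):
    """[(name, pattern)] for every process name that matches an indicator."""
    return [(n, match_process(n)) for n in names if match_process(n)]

def scan_run_entries(entries):
    """entries: (value_name, command) pairs from HKLM\\...\\CurrentVersion\\Run.
    Returns (value_name, exe, pattern, weak) for matching entries."""
    hits = []
    for value_name, command in entries:
        exe = ntpath.basename(command.strip().strip('"'))  # handles quoted paths
        pat = match_process(value_name) or match_process(exe)
        if pat:
            hits.append((value_name, exe, pat, pat in WEAK_PATTERNS))
    return hits

# Constructed sample data: clean entries mixed with the paper's indicators.
SAMPLE_PROCESSES = ["explorer.exe", "ctfmon.exe", "pphcr8nj0eefc.exe",
                    "braviax.exe", "svchost.exe"]
SAMPLE_RUN = [
    ("ctfmon", "C:\\WINDOWS\\system32\\ctfmon.exe"),
    ("lphcr8nj0eefc", "C:\\WINDOWS\\System32\\lphcr8nj0eefc.exe"),
    ("SMrhcv8nj0eefc", '"C:\\Program Files\\rhcv8nj0eefc\\rhcv8nj0eefc.exe"'),
]
```

On a live host the inputs would come from a process listing and an export of the Run key; a weak-only hit should be confirmed against the Uninstall DisplayName and folder names above before any cleanup.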
