There has been extensive research on malware code structures and system behaviors, which are often hidden from unsuspecting eyes. Screenshots of malware execution have been shared in passing, but they were rarely the focus. It would be remiss not to pay attention to what malware looks like from the victim's point of view.
Nick Bilogorskiy, Director of Security Research at Cyphort, has studied a representative set of malware samples, including adware and PUPs (potentially unwanted programs), and shares the screenshots from the perspective of how they interact with users and how they can help identify such malware.
3. Your speakers today
Nick Bilogorskiy
@belogor
Director of Security Research
Shel Sharma
Product Marketing Director
4. Agenda
o Fake Antivirus
o Ransomware
o APTs
o Adware
o Web Exploits
o Wrap-up and Q&A
Cyphort Labs T-shirt
5. Threat Monitoring & Research team
o 24x7 monitoring for malware events
o Assist customers with their forensics and incident response
o We enhance malware detection accuracy
o False positives/negatives
o Deep-dive research
o We work with the security ecosystem
o Contribute to and learn from malware KB
o Best of 3rd party threat data
7. Fake Antivirus timeline
(Timeline graphic, 2005 to 2014: WinFixer, Antivirus XP 2008, Mac Defender, PC Optimizer Pro)
11. 2011 - Mac Defender
o Pavel Vrublevsky sentenced to 2.5 years
12. 2015 Adware PcOptimizerPro
o PcOptimizerPro shows fake alerts of performance problems
o Fixing is only possible with the commercial version
o Offers the user to buy an upgrade
25. DarkSeoul
o DarkSeoul, a hacking group with suspected links to North Korea, performed a delayed wipe on 32,000 systems at South Korean banks and media companies
o Credit claimed by Whois
43. Summary
o Most malware runs silently
o Some malware uses a GUI for monetization
o Error windows are very common in malware output, both real and fake
o APTs display fake documents for misdirection
But first, let me introduce our team, Cyphort Labs.
We are a group of malware researchers in several countries who monitor malware and security trends daily, reverse engineer interesting malware samples, and contribute to Cyphort threat research. In addition, our team handles customer escalations: analyzing malware escalated by the support team, advising the Cyphort engineering team on improving detection, and sharing threat intelligence on the Cyphort Labs blog. For example, check out our post from June 9 on the breach at the Office of Personnel Management (OPM). You can find our blog at www.cyphort.com/blog
WinFixer is an application that is installed by drive-by downloads and ActiveX installations. The program starts automatically at boot-up and presents the user with multiple dialogs stating that a full license should be purchased to remove the problems it has "found". The infection usually occurs during a visit to a distributing web site using a web browser. A message appears in a dialog box or pop-up asking the user whether they want to install WinFixer, or claiming the user's machine is infected with malware and requesting that the user run a free scan.
You can see this JavaScript message on the left in this slide.
When the user chooses any of the options or tries to close this dialog (by clicking 'OK' or 'Cancel', or by clicking the corner 'X'), it triggers a pop-up window and WinFixer downloads and installs itself, regardless of the user's wishes.
On the right you can see a screenshot of the actual WinFixer fake antivirus window.
On September 29, 2006, a San Jose woman filed a lawsuit over WinFixer and related "fraudware" in Santa Clara County Superior Court. In the lawsuit, the plaintiffs charged that the WinFixer software "eventually rendered her computer's hard drive unusable. The program infecting her computer also ejected her CD-ROM drive and displayed Virus warnings."
On December 2, 2008, the Federal Trade Commission requested and received a temporary restraining order against Innovative Marketing, Inc., ByteHosting Internet Services, LLC, and individuals Daniel Sundin, Sam Jain, Kristy Ross, the creators of WinFixer and its sister products.
On September 24, 2012, Kristy Ross was fined $163 million by the Federal Trade Commission for her part in this.
The pop-up ads she created appeared under the names DriveCleaner, WinFixer, WinAntivirus, WinAntispyware, FreeRepair, or System Doctor.
Over a million people fell victim to her scam and purchased the software for $40 to $60 each.