
Ast 0052862 Sophos Stopping Fake Antivirus Wpna Sept11



Stopping Fake Antivirus: How to Keep Scareware off Your Network

Fake antivirus is one of the most frequently encountered threats on the web today. Also known as rogue antivirus, rogues, or scareware, fake antivirus uses social engineering to lure users to malicious sites and scare them into paying for fake threat removal tools.

This paper provides insight into where fake antivirus comes from and how it is distributed, what happens when a system is infected with fake antivirus, and how to stop this persistent threat from infecting your network and your users.

A Sophos White Paper - September 2011
What is fake antivirus?

Fake antivirus is fake security software which pretends to find dangerous security threats—such as viruses—on your computer. The initial scan is free, but if you want to clean up the fraudulently reported “threats,” you need to pay.

This class of malware displays false alert messages to computer users concerning threats on their machines (but these threats do not really exist). The alerts will prompt users to visit a website where they will be asked to pay for these non-existent threats to be cleaned up. The fake antivirus malware will continue to send these annoying and intrusive alerts until a payment is made or the malware is removed.

This paper provides insight into where fake antivirus comes from, what happens when a system is infected with fake antivirus, and how users can protect themselves from fake antivirus.

Why is fake antivirus so popular among cybercriminals?

It is a huge revenue source. Compared to other classes of malware such as bots, backdoor Trojans, downloaders and password stealers, fake antivirus draws the victim into handing money over directly to the malware author. Victims typically pay around $120 via credit card for the junk software that will supposedly fix the problem.

Fake antivirus is also associated with a thriving affiliate network community that makes large amounts of money by driving traffic toward the stores of their partners [1]. Individual affiliates can quickly generate income because distribution networks pay affiliates between $25 and $35 to simply do “lead generation” by infecting additional computers.
At SophosLabs, we are seeing new and different types of fake antivirus emerging. Macs are now a major target, including Mac-targeted social engineering being used from the bait to the malware. We have been carefully tracking the developments in the Mac OS X malware community, and have concluded that fake antivirus for Macs is advancing fast and taking many cues from the Windows malware scene.

Hackers are also using image and image search poisoning in addition to trending topics to infect users with fake antivirus. In addition, SophosLabs is seeing prolific rebranding of fake antivirus names to confuse users and elude detection.

Typical signs of infection

Fake antivirus usually uses a large array of social engineering techniques to get itself installed. Campaigns have included:

• Fake Windows Security Updates [2]
• Fake Virus-Total pages [3]
• Fake Facebook app [4]
• 9/11 scams [5]

Once on a system, there are many common themes in its behavior:

Popup warnings

Many fake antivirus families will display popup messages (see fig.1-5).

Fig.1-5 (screenshots of fake antivirus popup warnings)
Fake scanning

The fake antivirus will typically pretend to scan the computer and find non-existent threats, sometimes creating files full of junk that will then be detected [6] (see fig.6-8).

Fake antivirus uses an enormous range of convincing names to add to the illusion of legitimacy, such as:

• Security Shield
• Windows XP Recovery
• Security Tool
• Internet Defender
• PC Security Guardian
• BitDefender 2011
• Security Defender
• Antimalware Tool
• Smart Internet Protection
• AntiVirus AntiSpyware 2011
• Malware Protection
• XP Security 2012
• Security Protection
• XP Antivirus 2012
• XP Anti-Spyware 2011
• MacDefender
• Mac Security

There can be many thousands of variants for each family as techniques such as server-side polymorphism are used heavily to alter the fake antivirus executable. This is a process whereby the executable is re-packaged offline and a different file is delivered when a download request is made. This can happen many times during a 24-hour period. One particular family that calls itself “Security Tool” [7] has been known to produce a different file nearly every minute. This is how a single family can have such large numbers of samples. Many families will also share a common code base underneath the polymorphic packer, where the application is simply “re-skinned” with a different look and feel but the behavior remains the same.

Fig.6-8 (screenshots of fake scanning windows)
Infection vectors

How do people get infected with fake antivirus?

Although there are many different ways that a specific fake antivirus may get onto a system, the majority of distribution avenues rely on social engineering. Ultimately, the user is tricked into running the fake antivirus installer executable in a way similar to many other types of Trojans. Fake antivirus authors have used a huge range of different social engineering tricks and are continuing to come up with new ones all the time.

In this paper, we review several main sources of fake antivirus infection:

• Search engine optimization poisoning
• Email spam campaigns
• Compromised websites and exploit payloads
• Fake antivirus downloads by other malware

Search engine optimization poisoning

A very common source of fake antivirus infection is clicking on links received from popular search engines while searching for topical terms. Fake antivirus authors ensure that links leading to fake antivirus download sites will feature prominently in search results by using Black Hat SEO techniques [8]. These poisoned results will redirect users to a fake antivirus-controlled website that displays a fake scanning page, informing them that their computer is infected and they must download a program to clean it up. Alternatively, a fake movie download page may be displayed, where users are prompted to download a codec in order to view the movie. This codec is in fact a fake antivirus installer.

Google Trends is a service provided by Google that highlights popular search terms entered into its search engine [9]. Here is an example of how search terms taken from Google Trends are poisoned by fake antivirus authors. Let’s do a search for pages containing terms from Hot Searches (see fig.9).

Fig.9 (screenshot of Google Trends Hot Searches)
Picking several of the terms and performing a search for them will produce several poisoned results (see fig.10). Clicking on these links takes users to a fake scanning page, where they are told they have multiple infections and need to download a program to remove the threats (see fig.11-13).

Or, users are taken to a fake movie download page where they are told they need to download a codec to view the movie (see fig.14, 15).

In each case, users are tricked into downloading and running an unknown executable, which is the fake antivirus installer.

Fig.10-15 (screenshots of poisoned search results, fake scanning pages and a fake codec download page)
Spam campaigns

Fake antivirus is often sent directly to the victim as an attachment or as a link in a spam message. The message is predominantly sent through email, but other forms of spam have also been observed to deliver fake antivirus, such as instant messaging applications including Google Talk [10]. The spam message itself usually uses social engineering techniques to trick users into running the attached file or clicking on the link. Specific campaigns vary and include password reset, failed delivery message and “You have received an ecard” scams.

Examples of email spam campaigns spreading fake antivirus include:

• Account suspension scams: Victims receive an email message suggesting access to a specific account has been terminated and they need to run the attached file to fix the issue (see fig.16).
• Ecard scams: An email is received purporting to be from a legitimate ecard company. In fact, a fake antivirus installer is attached (see fig.17).
• Password reset scams: Victims receive a message supposedly from a popular website, informing them that their password has been reset and the new one is in the attached file (see fig.18).
• Package delivery scam: Details of a (fictitious) recent postal delivery are included in an attached file. In reality, the attachment will install fake antivirus (see fig.19).

Fig.16-19 (screenshots of the four spam campaigns)
Compromised websites and exploit payloads

Users can sometimes be sent to fake antivirus websites by browsing legitimate websites that have been compromised, where malicious code has been injected into the page. This can be achieved by penetrating the target website’s hosting server and appending (typically) JavaScript to HTML pages hosted there. This redirect code can be used to send the browser to any type of malware hosting page including exploit kits and fake antivirus. This JavaScript code is almost always heavily obfuscated, and Sophos detects this type of malware as variants of Troj/JSRedir [11].

SophosLabs has also seen hackers compromise legitimate web-based advertising feeds to ensure that malicious code is loaded instead. This may take the form of an exploit that downloads and executes a fake antivirus binary as the payload or a simple iframe that redirects the browser to a fake antivirus web page [12, 13].

Fake antivirus downloads by other malware

Fake antivirus can be downloaded onto a machine by other types of malware. SophosLabs maintains many honeypot machines that are seeded with different malware, in order to observe their behavior and ensure protection is maintained when new variants are downloaded. We have seen several families install fake antivirus onto an infected machine, most notably TDSS, Virtumundo and Waled [14]. The infamous Conficker worm was also observed to install fake antivirus onto infected computers [15]. In this way, a hacker who has infected a computer with TDSS or Virtumundo can extract more money from victims by forcing them to pay for fake antivirus.

In addition, a pay-per-install model exists where hackers are paid to infect users’ computers. In this system, a hacker controls a victim’s computer (using TDSS or similar), and is paid by the fake antivirus producer to install the fake antivirus on the infected computer.
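The injected-page pattern described above, as an added example that is not part of the paper and is not how Sophos detects Troj/JSRedir: a small heuristic scanner that flags script blocks appended after the page's closing tags or scoring high on obfuscation markers, and iframes styled to be invisible. The sample page, the example.invalid URL and the score threshold are constructed for illustration.

```python
"""Heuristic scan of an HTML page for the injection pattern described above:
obfuscated JavaScript appended after the page's closing tags, or a hidden
iframe. Example code; not Sophos's Troj/JSRedir detection logic."""
import re
from typing import Dict, List

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
# Calls that packed redirect scripts lean on; each occurrence adds one point.
OBF_TOKENS = ("eval(", "unescape(", "fromCharCode", "document.write(")


def obfuscation_score(js: str) -> int:
    """Score a script body: obfuscation tokens, encoded runs, packed lines."""
    score = sum(js.count(t) for t in OBF_TOKENS)
    # A run of eight or more %XX or \xXX escapes is a strong encoded-payload sign.
    score += 3 * len(re.findall(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}){8,}", js, re.I))
    # Very long lines without spaces are typical of packed code.
    score += sum(1 for ln in js.splitlines() if len(ln) > 200 and " " not in ln.strip())
    return score


def scan_html(html: str) -> List[Dict[str, object]]:
    """Return suspicious scripts and hidden iframes with their byte offsets."""
    findings = []
    end_html = html.lower().rfind("</html>")
    for m in SCRIPT_RE.finditer(html):
        score = obfuscation_score(m.group(1))
        appended = end_html != -1 and m.start() > end_html
        if score >= 3 or appended:
            findings.append({"kind": "script", "offset": m.start(),
                             "score": score, "after_html_close": appended})
    for m in IFRAME_RE.finditer(html):
        tag = m.group(0).lower().replace(" ", "")
        hidden = (re.search(r"(width|height)=[\"']?0\b", tag) is not None
                  or "display:none" in tag or "visibility:hidden" in tag)
        if hidden:
            findings.append({"kind": "iframe", "offset": m.start(), "score": 0,
                             "after_html_close": end_html != -1 and m.start() > end_html})
    return findings


# Constructed sample: a benign page with an inert obfuscated script and a
# hidden iframe appended after </html>, as an injected redirect would be.
# The encoded string decodes to the comment "/* constructed */".
SAMPLE_HTML = """<html><body>
<iframe src="/widget" width="300" height="150"></iframe>
<script>document.getElementById("x").textContent = "hi";</script>
</body></html>
<script>eval(unescape('%2f%2a%20%63%6f%6e%73%74%72%75%63%74%65%64%20%2a%2f'))</script>
<iframe src="http://example.invalid/landing" width="0" height="0" style="display:none"></iframe>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

Run against a crawled copy of your own pages, a script that sits after the closing html tag is the strongest single signal, since legitimate templates rarely emit content there.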
Fake antivirus families

We now explain in more detail the behavior of fake antivirus once it has made its way onto a target system.

Registry installation

Fake antivirus’s typical behavior is to copy the installer to another location on the system and create a registry entry that will run the executable on system startup.

The installer is often copied into the user’s profile area (e.g., C:\Documents and Settings\<user>\Local Settings\Application Data), or into the temporary files area (e.g., c:\windows\temp) with a randomly generated file name. This makes the fake antivirus UAC-compliant on Windows machines that have UAC [16] enabled, thus avoiding a UAC warning popping up during installation. However, some families still do not care about UAC and still create their files in the Program Files or Windows folders.

A run key entry is then created in the registry that will run the file when the system starts up. Typically, this will be added to one of the following:

• HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Examples:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wpkarufv
  c:\documents and settings\<user>\local settings\application data\tqaxywiclchgutertssd.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\CUA
  c:\windows\temp\sample.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\85357230
  c:\documents and settings\all users\application data\85357230\85357230.exe
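To turn the registry pattern above into a check a defender can run, here is an added example (not from the paper or from Sophos): it parses `reg query`-style output for the three autorun keys and flags values whose target lives in a profile or temp directory or carries a random-looking name. The sample output and the benign "Updater" entry are constructed; the three malicious entries are the paper's own examples.

```python
"""Triage Windows autorun entries for the persistence pattern described above:
a Run/RunOnce value pointing at an executable with a random-looking name in a
per-user or temp directory. Example code; not Sophos tooling."""
import re

# Hive names as `reg query` prints them, mapped to the paper's short form.
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
# Autorun keys named in the paper, matched case-insensitively on the key tail.
AUTORUN_TAILS = (r"\software\microsoft\windows\currentversion\run",
                 r"\software\microsoft\windows\currentversion\runonce")
# Writable, UAC-silent locations the paper says installers are copied into.
SUSPICIOUS_DIRS = ("\\local settings\\application data\\",
                   "\\all users\\application data\\", "\\windows\\temp\\")
# Where a legitimate startup program normally lives; such entries are skipped.
TRUSTED_DIRS = ("\\program files\\", "\\windows\\system32\\")

def looks_random(name):
    """Heuristic for generated names: long digit strings, or long alphabetic
    strings whose vowel ratio is far from that of English words."""
    stem = name.lower().rsplit(".", 1)[0]
    if stem.isdigit():
        return len(stem) >= 6
    if stem.isalpha() and len(stem) >= 8:
        ratio = sum(c in "aeiou" for c in stem) / len(stem)
        return ratio < 0.25 or ratio > 0.6
    return False

def parse_reg_query(text):
    """Parse `reg query <key>` output into {key, name, data} records."""
    records, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            hive, _, rest = line.partition("\\")
            key = HIVES.get(hive, hive) + "\\" + rest
        elif line.strip() and key:
            parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
            if len(parts) == 3:  # value name, type, data
                records.append({"key": key, "name": parts[0], "data": parts[2]})
    return records

def triage(records):
    """Return autorun entries matching the paper's pattern, with reasons."""
    findings = []
    for rec in records:
        if not rec["key"].lower().endswith(AUTORUN_TAILS):
            continue
        path = rec["data"].lower().lstrip('"')
        exe = path.rsplit("\\", 1)[-1]
        reasons = []
        if any(d in path for d in SUSPICIOUS_DIRS):
            reasons.append("executable in user-profile or temp directory")
        if looks_random(exe):
            reasons.append("random-looking executable name")
        if looks_random(rec["name"]):
            reasons.append("random-looking value name")
        if reasons and not any(d in path for d in TRUSTED_DIRS):
            findings.append({**rec, "reasons": reasons})
    return findings

# Constructed sample shaped like `reg query` output: the paper's three
# examples plus one benign vendor entry. Not captured from a real system.
SAMPLE = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    wpkarufv    REG_SZ    c:\\documents and settings\\<user>\\local settings\\application data\\tqaxywiclchgutertssd.exe
    85357230    REG_SZ    c:\\documents and settings\\all users\\application data\\85357230\\85357230.exe
    Updater     REG_SZ    "C:\\Program Files\\Vendor\\updater.exe" /quiet

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce
    CUA    REG_SZ    c:\\windows\\temp\\sample.exe
"""

if __name__ == "__main__":
    for f in triage(parse_reg_query(SAMPLE)):
        print(f["key"] + "\\" + f["name"], "->", f["data"], "|", "; ".join(f["reasons"]))
```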
Initiate a fake scan

Once fake antivirus is installed, it will usually attempt to contact a remote website over HTTP and will often download the main component. This will initiate a fake system scan, where many non-existent threats will be discovered. The main fake antivirus window is often very professionally created and victims can easily be convinced that they are using a genuine security product (see fig.20-25).

Fig.20-25 (screenshots of fake antivirus main windows)
Once the fake threats have been discovered, users are told they must register or activate the product in order to clean up the threats. Users are taken to a registration website (either through a browser or through the fake antivirus application), where they are asked to enter their credit card number and other registration details. These pages are also very convincing, occasionally featuring illegal use of logos and trademarks from industry-recognized organizations such as Virus Bulletin [17] and West Coast Labs [18] (see fig.26-31).

Fig.26-31 (screenshots of fake antivirus registration and payment pages)
Other fake antivirus behavior

Certain fake antivirus families cause further distress to the victim by interfering with normal system activity. Commonly, this includes disabling the Task Manager and use of the Registry Editor, prohibiting certain processes from running and even redirecting web requests. This behavior further convinces the user that there is a problem on the system and increases the likelihood of a purchase being made. This extra activity can take the form of:

• Process termination: Certain programs are prohibited from running by the fake antivirus, with a warning message being displayed instead (see fig. 32, 33). The fake antivirus will generally allow Explorer and Internet Explorer to run, so renaming an executable as explorer.exe or iexplore.exe should allow it to be run.
• Web page redirection: Some fake antivirus families will redirect web requests for legitimate websites to an error message or other type of warning message. This adds to the user’s fear and, again, makes the user more likely to pay for the fake antivirus (see fig.34).
• Installation of more malware: Fake antivirus has been known to download other types of malware upon installation, such as banking Trojans, rootkits and spam bots.

Fig.32-34 (screenshots of process-termination warnings and a redirected web request)

Prevent and protect

There are many ways to stop fake antivirus—on the web, in email, and in your endpoint security. Malware is complex, and protecting the corporate IT environment is a full-time job. Antivirus software is just the beginning. A solid defense is needed to reduce the risk to your business by protecting all routes of attack.

The most effective defense against the fake antivirus threat is a comprehensive, layered security solution. Detection can and should take place at each stage of the infection.

• Reduce the attack surface
• Protect everywhere
• Stop the attack
• Keep people working
• Educate users
Here’s how you can create this type of layered defense:

Reduce the attack surface – To reduce the attack surface, Sophos filters URLs and blocks spam to prevent fake antivirus from reaching users. By blocking the domains and URLs from which fake antivirus is downloaded, the infection can be prevented from ever happening. Sophos customers are protected by URL filtering in Sophos Web Security and Control [19] and the latest endpoint security product. Sophos Email Security and Data Protection blocks spam containing fake antivirus before a user even sees it [20].

Protect everywhere – But, protection needs to go further, and Sophos does this with endpoint web protection, live protection and firewall protection. Sophos Endpoint Security and Control detects web-based content, including the detection of the JavaScript and HTML used on fake antivirus and fake codec web pages. Detection at this layer prevents the fake antivirus files from being downloaded (e.g., Mal/FakeAVJs, Mal/VidHtml).

In addition, Sophos Live Protection enables the Sophos Endpoint Security and Control product to query SophosLabs directly when it encounters a suspicious file in order to determine whether the file is fake antivirus, or any other malware. This enables the automatic blocking of new and emerging malware outbreaks in real time, before the malware has a chance to run. This immediate access lets you close the window between the time SophosLabs finds out about an attack and when users are protected.

Firewall protection means that the Sophos Client Firewall can be configured to block outgoing connections from unknown programs to prevent fake antivirus from “calling home” to receive updated downloads, or to send back a victim’s credit card information.

Stop the attack – Stopping the attack involves your anti-malware software, ongoing updating and patching efforts, and run-time detection. To proactively detect the fake antivirus file, our Sophos antivirus agent delivers complete protection, plus low-impact scans that detect malware, adware, suspicious files and behavior, and unauthorized software. Using Behavioral Genotype technology, many thousands of fake antivirus files can be detected with a single identity. The number of samples currently detected as variants of Mal/FakeAV and Mal/FakeAle is well in excess of half a million.

Of course, updating and patching are also important to keep anti-malware software up to date, and apply at all levels of protection. Antivirus software must be kept up to date using automatic updating to ensure that the latest protection is provided at all times. Other software such as the operating system and commonly used applications, for example Adobe Reader, should be patched to ensure that they do not introduce security weaknesses. Static defenses are not going to keep up with the new variations, because attacks change all the time. So, it is important to allow updates and apply patches as they are received.

Run-time detection is important because if a fake antivirus executable manages to evade the other layers of protection, the Sophos Host Intrusion Prevention System (HIPS) can detect and block the behavior of the fake antivirus sample when it tries to execute on the system [21]. HIPS includes rules that specifically target fake antivirus. Essentially, if the program sees the fake antivirus software doing anything dangerous, it will shut the software down—a blocking move by another layer of protection.
Keep people working – Your users don’t really care too much about any of this. They just want to get their work done. That’s why Sophos provides IT staff with visibility into fake antivirus detection, sends alerts to let you know when malware has been stopped, and removes the malware from your users’ computers. You can choose a configuration that lets users get these notifications, or shows these messages only to the security team.

Educate users – User education is an important part of the defense as well. Users should know not to click on anything suspicious. But, they should also be reminded that the IT department takes care of antivirus protection for their computers. If they are concerned about antivirus, or have strange messages popping up, they should contact IT and not try to sort it out for themselves. It’s also important to religiously refuse any anti-malware software which offers a free scan but forces you to pay for cleanup. Reputable brands don’t do this—an antivirus evaluation should let you try out detection and disinfection before you buy.

Fig.35: Stopping Fake Anti-Virus – Complete protection against a rampant threat (diagram of the five layers, Reduce attack surface, Protect everywhere, Stop the attack, Keep people working and Educate users, with the component labels URL Filtering, Endpoint Web Protection, Web Application, Live Protection, Firewall, Anti-malware, Patch Manager, Visibility, Clean up and Complete Security)
Here are three additional tips to help protect Mac users:

• If you use Safari, turn off the open “safe” files after downloading option. This stops files such as the ZIP-based installers favored by scareware authors from running automatically if you accidentally click their links.
• Don’t rely on Apple’s built-in XProtect malware detector. It’s better than nothing, but it only detects viruses using basic techniques, and under a limited set of conditions. For example, malware on a USB key would go unnoticed, as would malware already on your Mac. And it only updates once in 24 hours, which probably isn’t enough anymore.
• Install genuine antivirus software. Ironically, the Apple App Store is a bad place to look—any antivirus sold via the App Store is required by Apple’s rules to exclude the kernel-based filtering component (known as a real-time or on-access scanner) needed for reliable virus prevention.

Conclusion

Fake antivirus is still a prevalent threat. It is a persistent problem, and the financial benefits for cybercriminals mean that fake antivirus will not go away.

Fake antivirus is already distributed through a large number of sources. The variety and inventiveness of its distribution will only increase.

Fortunately, users can protect themselves through a comprehensive and layered security solution that detects and defends against fake antivirus at every possible level.
References

1. “The Partnerka – What is it, and why should you care?” Sophos technical paper (security/technical-papers/samosseiko-vb2009-paper.html)
2. “Fake antivirus Uses False ‘Microsoft Security Updates’” SophosLabs blog (sophoslabs/?p=8564)
3. “Free fake antivirus at Virus-Total (That’s not VirusTotal)” SophosLabs blog (sophoslabs/?p=8885)
4. “Phantom app risk used to bait scareware trap” The Register (facebook_scareware_scam)
5. “Scareware scammers exploit 9/11” Sophos blog (scammers-exploit-911)
6. “Fake antivirus Generates Own Fake Malware” SophosLabs blog (sophoslabs/?p=6377)
7. “Mal/FakeVirPk-A” Sophos security analysis (malfakevirpka.html)
8. “Poisoned search results: How hackers have automated search engine poisoning attacks to distribute malware” SophosLabs technical paper (sophos/docs/eng/papers/sophos-seo-insights.pdf)
9. Google Trends
10. “Google Talk used to distribute Fake AV” Sophos blog (google-talk-distribute-fake-av/)
11. “More fake AV SEO poisoning” SophosLabs blog
12. “New York Times pwned to serve scareware pop-ups” The Register (nyt_scareware_ad_hack/)
13. “Scareware Traversing the World via a Web App Exploit” SANS Institute InfoSec Reading Room, http://www.sans.org/reading_room/whitepapers/incident/scareware-traversing-world-web-app-exploit_33333
14. “Mal/TDSS-A” Sophos security analysis (maltdssa.html); “Troj/Virtum-Gen” Sophos security analysis (trojvirtumgen.html); “Mal/WaledPak-A” Sophos security analysis (malwaledpaka.html)
15. “Conficker zombies celebrate ‘activation’ anniversary” The Register (conficker_anniversary/)
16. “User Account Control Step-by-Step Guide” Microsoft TechNet (cc709691(WS.10).aspx)
17. Virus Bulletin
18. West Coast Labs
19. Sophos Web Security and Control, http://www.sophos.com/products/enterprise/web/security-and-control/
20. Sophos Email Security and Data Protection
21. Sophos HIPS (sophoslabs/sophos-hips/index.html)

United Kingdom Sales: Tel: +44 (0)8447 671131
North American Sales: Toll Free: 1-866-866-2802, Email: nasales@sophos.com
Boston, USA | Oxford, UK

© Copyright 2011. Sophos Limited. All rights reserved. All trademarks are the property of their respective owners.