My next class:

Why is Rogue/Fake AV so successful?

Published: 2009-09-17. Last Updated: 2009-09-17 07:36:18 UTC
by Bojan Zdrnja (Version: 1)
14 comment(s)

Rogue AV programs have become increasingly common in last two years. We at the SANS Internet Storm Center get messages from our readers about new rogue AV sites daily.

It is obvious that the bad guys are making (serious?) money with this scamming scheme. There are couple of things interesting about rogue AV programs. First, the bad guys here do not use (in most cases) any sophisticated attacks on clients. They instead rely on visitors to wittingly install their "AV program". How do they do this? Through social engineering – they create web pages which are very authentic copy of legitimate screens in Windows operating systems. These web pages make visitors believe that their machine is infected with several malicious programs and that the offered "AV program" can help them clean it.

Once the rogue AV program is installed, the victim has to pay money to get it "working" or, in some cases to even uninstall it. So, the money making scheme is simple (some rogue AV versions even steal local data and install keyloggers).
In order to get people to visit their web sites serving rogue AV programs, the attackers use different vectors – they even follow news as only couple of hours after Patrick Swayze's death search engines were filled with bogus pages pointing to rogue AV programs.

The main reason, however, why rogue AV is so successful is its persistence and amount of details - the web page they use to scare the visitor looks almost exactly like Windows' Security Center. One such page is shown below:

Rogue AV

I was, of course, interested to see what else they do so I decided to analyze the code behind. First of all, I must say that the code is very elegant and clean, it's obvious that the bad guys got a real programmer to code the page (and malware?) for them.

The web page uses JQuery, a well known and popular JavaScript library. After setting up the environment, the JavaScript code on the web page shows a fake scan of the machine with seemingly random file names. The file names are actually grabbed from a huge array contained in a separate file (flist.js). The file names in this array (there is 1100 of them) are actually copied from a Windows XP machine (C:WindowsSystem32 directory). This, of course, increases the authenticity of the scan.

After the scan finishes, the user is informed that the machine is infected with viruses. The JavaScript code on the web page initially set up some handlers, so no matter what the user does next he will see a window notifying him that his machine is infected (interesting, the attackers used JavaScript confirm() method to display this message).

Rogue AV warning

Of course, this wasn't generated by Windows – it's actually just an image the attackers created. The "Remove all" and "Cancel" also aren't real buttons, just part of the image which has a handler that will get executed wherever the user clicks. You guess, on a click it will try to download the Rogue AV program. To eliminate any confusion, they also show this nice window where they explain what exactly needs to be done in order to install their rogue AV program.

Rogue AV run info

It is now not strange that rogue AV programs are infecting so many machines. The devil is in the details, and the attackers made damn sure that all details are here to fool the potential victims.

--
Bojan
 

Keywords: antivirus fake rogue
14 comment(s)
My next class:

Comments

most home users are so braindead around the computer that they need an IT professional holding their hand... it's that plain and simple.
Part of the problem is that people in IT are lucky. To do our jobs we need to know how a computer works. People in other businesses need to know how to do their job AND know how a computer works.
Guessing RJX does not work in IT. Yeah your point may be right we get to "just" know computers but part of your job is to know computers too but you still slack at it so the above Fake AV still happens and very often since normal users are like joeblow said too braindead.

Just so you know I don't "just know computers" I am a Information Security Specialist and I know a lot more than computers. I also have to know vulnerabilities, how to exploit those vulnerabilities, how to fix those vulnerabilities, Networking, different OS's, and how to keep normal users from screwing the entire company over.
Guessing RJX does not work in IT. Yeah your point may be right we get to "just" know computers but part of your job is to know computers too but you still slack at it so the above Fake AV still happens and very often since normal users are like joeblow said too braindead.

Just so you know I don't "just know computers" I am a Information Security Specialist and I know a lot more than computers. I also have to know vulnerabilities, how to exploit those vulnerabilities, how to fix those vulnerabilities, Networking, different OS's, and how to keep normal users from screwing the entire company over.
Sorry screen refreshed.
One must be more concerned when the security solution they use is from HIGHLY REACTIVE and sleeping vendor, here is the detection when last sample was submitted ONLY 4 OUT OF 41 and the vendor is still analyzing ļ
https://www.virustotal.com/analisis/5a0022f6e17b10622d45f8ba85616be27264987e7750b868ab532c5a660cf31f-1253129224
No only do we have to know computer and all the software that is running on them. We also have to know how to remove these fakes once they do get installed. I have had 2 stations so far and both users had no clue as to how they got there.
"LAWL" at the "we know computer" people.

In reality, the problem is the culture of antivirus and window security, in general. The market has conditioned the users into believing that "secure" means "secure" - when in fact, most security products are about as security related as the "ENCRYPTED/Secure Site" graphic in the bogus page sample, above. In a world where snake-oil abounds... statistically, this "fake" av product is only slightly less effective than most "legit" ones. Q.v. the virustotal comment above, lmao - and both the "fake" and "legit" have the same goal, and same technique - get the sucker's money, and make them "feel good".
I've often thought that what lends credence to these fake sites is that IE and Windows Explorer are so closely related. If you're in Firefox/Safari/Chrome/Opera it's more clear that the page wasn't created by Windows, and you're looking at web page.

I'd be curious to see the web browser statistics on these sites.
The new fake antivirus programs tend to be harder to remove, and leave some security holes even after you take them out.

Some new ones that have shown up since yesterday at about noon (EDT) also attempt to load a proxy and I assume a data grab tool as well.

The way these things are written it seems they time out on some machines after they reconfigure the network layer and do not re-enable the LAN adapter. Of course, if finding 3 that failed to do this, chances are there are a lot more that succeeded.

Hold on.. rough ride ahead! -Al

Diary Archives