Fake Anti Virus via Social Means

Tuesday, July 26, 2011 @ 03:07 PM gHale

With social media becoming a stronger element in the manufacturing automation sector, users should be on the lookout for a very complex and efficient fake anti virus attack targeting Facebook users.

It starts with a “friend” contacting a Facebook friend via the social network’s chat feature. “Hi. How are you? It is you on the video? Want to see?” asks the “friend” and offers a link to a YouTube page.


The user, intrigued, follows the link and sees that the video (with his name in the title) has both positive and negative comments on it from a bunch of his Facebook friends. But he can’t watch it: a note over the blank space where the video should be says, “You need to upgrade your Adobe Flash Player.”

And the comments indicate that following the download link is safe. Unfortunately, it is not. The downloaded file is Trojan.FakeAV.LVT.

“It copies itself as %windir%\services32.exe and as %windir%\update.X\svchost.exe, where update is a hidden directory and X is the version of the malware,” said BitDefender’s Loredana Botezatu. “After that, it adds a registry key in %SYSTEM% and the malicious code is added thus to the list of authorized applications for the firewall or it disables the firewall altogether. Then it proceeds to disabling all notifications generated by the firewall, the update module and whatever anti virus it finds installed on the PC.”
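The two drop locations and the firewall-whitelist change quoted above are the kind of host indicators a defender can sweep for. The following is an added example, not BitDefender’s tooling or code from the article: it checks a Windows directory tree for a `services32.exe` directly under `%windir%` and for an `svchost.exe` inside an `update.<version>` directory, and flags firewall authorized-application entries that point at either path. The `"<path>:*:Enabled:<name>"` layout it assumes for those entries is the XP-era `AuthorizedApplications\List` value format; the article itself only says a key is added. The sample directory and whitelist entries are constructed so the script runs offline.

```python
"""Sweep a %windir% tree for the Trojan.FakeAV.LVT drop locations quoted in
the article, and check exported firewall whitelist entries for the same paths.
Added defender example; not code from the article or from BitDefender."""
import re
import tempfile
from pathlib import Path

# Indicators quoted in the article, relative to %windir%. The article says
# "update.X" carries the malware version in place of X, so any digits match.
SERVICES32 = "services32.exe"
UPDATE_DIR_RE = re.compile(r"^update\.\d+$", re.IGNORECASE)
SVCHOST = "svchost.exe"
# Either indicator path as it would appear inside a whitelist entry string.
WHITELIST_RE = re.compile(
    r"\\(services32\.exe|update\.\d+\\svchost\.exe)(?=:|$)", re.IGNORECASE
)


def scan_windir(windir):
    """Return indicator paths found directly under `windir`, as POSIX-style
    relative paths, sorted.

    services32.exe is not a normal Windows binary at all, and the real
    svchost.exe lives in %windir%\\System32, so a copy inside an update.<N>
    directory directly under %windir% is the suspicious case.
    """
    windir = Path(windir)
    findings = []
    for entry in windir.iterdir():
        if entry.is_file() and entry.name.lower() == SERVICES32:
            findings.append(entry)
        elif entry.is_dir() and UPDATE_DIR_RE.match(entry.name):
            candidate = entry / SVCHOST
            if candidate.is_file():
                findings.append(candidate)
    return sorted(f.relative_to(windir).as_posix() for f in findings)


def suspicious_firewall_entries(entries):
    """Return whitelist entries whose program path is one of the indicators.

    `entries` holds authorized-application strings already exported from the
    firewall whitelist. The assumed format is "<path>:*:Enabled:<name>"; the
    check only needs the path portion, so the trailing fields are not parsed.
    """
    return [e for e in entries if WHITELIST_RE.search(e)]


def build_sample_windir(root):
    """Constructed %windir% layout: both indicators plus benign look-alikes."""
    root = Path(root)
    (root / "System32").mkdir()
    (root / "System32" / SVCHOST).write_bytes(b"benign placeholder")
    (root / "explorer.exe").write_bytes(b"benign placeholder")
    (root / SERVICES32).write_bytes(b"MZ placeholder")          # indicator 1
    (root / "update.3").mkdir()
    (root / "update.3" / SVCHOST).write_bytes(b"MZ placeholder")  # indicator 2


# Constructed whitelist export; the first entry is a normal Windows component.
SAMPLE_FIREWALL_ENTRIES = [
    r"C:\WINDOWS\system32\sessmgr.exe:*:Enabled:Remote Assistance",
    r"C:\WINDOWS\services32.exe:*:Enabled:Windows Services",
    r"C:\WINDOWS\update.3\svchost.exe:*:Enabled:Host Process",
]


def demo():
    """Build the constructed tree in a temp dir and return the scan result."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_windir(tmp)
        return scan_windir(tmp)


if __name__ == "__main__":
    for hit in demo():
        print("file indicator:", hit)
    for entry in suspicious_firewall_entries(SAMPLE_FIREWALL_ENTRIES):
        print("firewall whitelist indicator:", entry)
```

On a real host you would point `scan_windir` at the actual Windows directory and feed `suspicious_firewall_entries` the exported whitelist; the version digits in `update.X` are matched generically because the article gives the pattern, not a fixed number.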

But this piece of malware is not your typical fake anti virus solution with a bogus name. This one has the ability to detect which legitimate anti virus solution the user has installed on his computer and to display personalized warning message windows that mimic the ones this legitimate solution would present.

Of course, it “finds” a virus on the system, and asks the user to reboot the computer so that it can clean it up.

Unfortunately for the users, the reboot triggers an unwelcome series of events: The system boots in safe mode, which allows the malware to start and uninstall the legitimate anti virus solution, and then the system reboots once again, this time in normal mode.

But that’s not the end of it. This unprotected system is now ready for a downloader component integrated in the Trojan to begin misusing the system. The component downloads further malware from an array of URLs, depending on the OS running on the computer.

“The malware contains a hardcoded list of IPs, as well,” Botezatu said. “These are the IPs of other infected systems which will be used at exchanging malware between them, creating a fully-fledged malware distribution system with peer-to-peer update capabilities. These IP lists are changed regularly and so infected systems are always in contact and constantly exchanging malicious code.”
