FAKEAV The Growing Problem

Transcription

1 FAKEAV The Growing Problem July 2010 Attack Symptoms Slow computer performance New desktop shortcuts or switched homepage Annoying pop-ups Blue screens Reboot of computer Adult sites Memory issues Getting Started An Introduction to Rogue Antivirus Over the years, malware makers have grown increasingly clever and one of their most innovative inventions to-date is rogue, or fake, antivirus software. Like many of today s threats, rogue antivirus leverages social engineering to capture users attention and make threats believable. Some scams attempt to steal from users directly by convincing them to download, install, and then pay for fake software. Others deliver a payload of malicious routines or installers that leave additional malware on the infected system. Also, unlike most threats, rogue antivirus software displays a visual element to the targeted user. After unsuspecting users pay for the rogue antivirus program, the malware actually simulates removal of imaginary threats, convincing users it is actually doing its job. In reality, the only infection the user contracts is the rogue antivirus program itself! Fake infection warnings deceive users into believing computers are infected and then protected preying on consumer and IT security fears. Rogue antivirus is a growing problem that affects both home and business users. According to the Anti-Phishing Working Group (APWG), the number of rogue antivirus software in circulation rose from 2,850 to 9,287 in the second half of In the first half of 2009, APWG identified a 583 percent increase in rogue antivirus programs. 1 Google claims that 15 percent of all malicious software on the Internet is fake antivirus. 2 As the rogue antivirus problem grows increasingly prevalent users need to learn more about this growing threat to prevent infection. For this reason, Trend Micro has created the following Threat Brief to describe the nature and symptoms of rogue antivirus and to provide some strategies to protect both consumer PCs and business systems. What to Watch For Rogue antivirus software relies on social engineering to defeat the security built into operating system and browser software to install itself onto victims computers. The challenge for security organizations lies in blocking the many existing variants of this malware. Some rogue antivirus is installed via driveby-download in which innocent users surf the Internet, land on an infected site or HTML page, and then unknowingly download the rogue antivirus software. The malware exploits software vulnerabilities such as pdf, swf, and sql injection to enter the user s system, thus installing without manual intervention. Rogue antivirus can also spread through search engine poisoning. Infected URLs within news event search engine results may be redirected through several sites before users are presented with a page informing them of the infection and suggesting they download a free trial of rogue antivirus. For example, the following keywords led to poisoned

2 Google search results for the Kids Choice Awards in March this year: Kids Choice Awards 2010 Live, Kids Choice Awards 2010 Performances, and other similar keyword phrases. Cybercriminals also use spam with embedded attachments to entice users to download fake antivirus software. For example, last fall Trend Micro researchers found spammed messages with a.zip file attachment containing rogue antivirus malware. The spam subject was titled, Contract of Settlements, and claimed to come from LSM Company. It requested users open and check the attached contract, which was actually a Trojan. When executed on the system, the Trojan connected to a website where users received an additional FAKEAV variant. The attachment was password-protected, so many virus scanners failed to scan the attachment. The password was included in the probably to trick users into thinking the file was legitimate. Unsuspecting users also encounter fake antivirus while surfing the Internet for legitimate antivirus or antispyware programs, as fake sites can show up in legitimate search results. For example, the so-called XP Antivirus, Antivirus 360, and Antivirus 2010 all fake products can be freely downloaded from innocent-looking websites. Once Antivirus 2010 is installed, it tricks users into buying the full version. The rogue antivirus application issues fake system warnings and identifies harmless files as dangerous. Antivirus 2010 has also been known to crash computers and display scary blue screen messages warning that spyware has been detected in order to persuade users to activate the program. Figure 1: Antivirus 360 example of convincing rogue antivirus web page Trojans are commonly used to mislead users into installing rogue antivirus and are often disguised as browser plug-ins or extensions, images or file attachments, fake codecs, or free online malware scanning services. Social networking sites such as Twitter and Facebook have also become unwilling rogue antivirus sources, thanks to the KOOBFACE botnet s dedicated FAKEAV installer component. Figure 2: The pop-up window displayed by malvertisements on NYTimes.com Some malicious advertisements in compromised websites have led to rogue antivirus installations. For example, The New York Times recently issued warnings to its readers, through both Twitter and its website, about malicious advertisements also known as malvertisements that triggered a malicious pop-up window, which displayed a fake antivirus warning indicating the user was suffering from some sort of infection. Users were of course directed to purchase a full version of the fake program. The reported infections did not exist and cybercriminals created the alarming messages in order to convince users to divulge important information, such as credit card details. Rogue antivirus links have even been spotted in the sponsored site listings of several, popular search engines. Last year, Trend Micro threat researchers were alerted to malicious search engine ads that appeared in Microsoft s Bing and AltaVista when users searched for the legitimate antivirus product malwarebytes. Clicking the malicious URL pointed users to an executable file named MalwareRemovalBot.exe-1. Upon execution, the rogue antivirus displayed false information that systems were infected with non-existent files. Open computer ports are an additional infection source. If users run applications with file-sharing functions such as AOL Instant Messenger (AIM), MSN Messenger, or peer-to-peer (P2P) file sharing, computers may be exposed to vulnerabilities that allow attackers to remotely access computers in order to plant rogue antivirus software on another system.

3 The Link to Cyber Crime At the root of rogue antivirus scams are cybercriminals out to make money at the expense of consumers and companies. Typically these criminals are not directly involved in the scam. Instead they distribute the rogue antivirus and other malware through affiliates who then employ hackers who use Trojan software development kits (SDKs) to create rogue antivirus scams. Hundreds of affiliates exist in Russia, the Ukraine, Estonia, and elsewhere in Eastern Europe. These affiliates are then paid a fee for every successful rogue antivirus installation. This pay-per-install model can be very lucrative. According to an article in the Washington Post, affiliates have earned as much as $330,000 per month in commissions. 3 Behind the affiliate network is a criminal organization that distributes tasks and responsibilities amongst a wide network, increasing their ability to touch consumers. These networks also serve to distance the criminal organizations, or brains of the operation, from the day-to-day work and the chance of being found liable for the crime. How do these criminals get away with these crimes and how do they make so much money? The success of rogue antivirus campaigns lies mainly in lack of awareness. Although rogue antivirus is well-known amongst security researchers and IT staff, users remain largely unaware of the problem s magnitude. In Trend Micro s recent study of 400 corporate computer end-users, rogue antivirus scored the lowest awareness rating overall for all computer security threats. 4 Protecting Against Rogue Antivirus Attack Symptoms In order to protect against the dangers of rogue antivirus, it is important to be able to identify the symptoms a system might display if infected. These symptoms may include the following: Slow computer performance: PCs that take much longer to reboot than usual or machines with an unusually slow Internet connection may be infected. New desktop shortcuts or switched homepage: Some rogue antivirus change Internet settings to redirect a user s homepage to a different site or add new desktop shortcuts or change a PC s wallpaper. Annoying pop-ups: Many rogue antivirus applications bombard PCs with annoying pop-up messages even when offline, trying to convince users to buy the fake antivirus software to stop a supposed attack. The messages may also suggest updating or installing components, exposing the machine to more malware. Blue screens: Rogue antivirus may display the infamous Blue Screen of Death and then generate a fake startup image telling users to buy the software. The registry may also be modified so the software runs at system startup. Reboot of computer: Some fake antivirus applications reboot users computers, automatically downloading software from links. Adult sites: Rogue antivirus has been known to flood the system with adult site URLs. Memory issues: Some computers experience secondary memory or boot sector corrupts, which prevent further booting of computers. Preventive Measures Educate users: The best way to prevent rogue antivirus from infiltrating home or business PCs is through education. To control security risks in a business setting, the IT department should set clear policies on PC and mobile device usage and should control the information accessed with these devices. Users should avoid visiting unknown sites and should never open attachments or click on links contained in messages from unknown senders. Also, they should not download or install unknown software. Some companies also ban using unnecessary protocols within the corporate network, such as P2P and IRC. Understand the latest trends and threats: Teach users about emerging threats and their consequences, emphasizing business-specific outcomes (e.g., lost customers and regulatory fines). Popular malware tend to prey on unsuspecting users, abusing their innocence about common applications or safe computing behavior. Users should know and understand which security products are installed on their systems. Any software that presents itself as antivirus, installed without involvement by the user or network administrator, may be a suspected rogue antivirus application. Always patch software: Enable the Automatic Update feature in operating systems, web browsers, and applications and ensure all operating systems and other software applications are up-todate with the most recent security patches. Also deploy vulnerability scanning software on PCs and networks. Disable JavaScript on Acrobat Reader: Some vulnerabilities exist in the JavaScript function of the Adobe Acrobat Reader. For better protection, disable JavaScript. To do this, click on Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript.

4 Trend Micro Solutions to Combat Rogue AV Trend Micro Free Prevention and Clean-up Tools help prevent rogue antivirus infections. ID Easily identify messages from legitimate senders. Trend Micro ID helps users avoid opening and acting on phishing messages attempting to spoof real companies. Web Protection Add-on Proactively protect computers from web threats and bot-related activity. Trend Micro Web Protection Add- On works on the desktop alongside existing desktop protection solutions. HouseCall If a PC seems infected, users can immediately run a free HouseCall scan. HouseCall scans PCs for a wide range of Internet security threats including viruses, worms, Trojans, and spyware. HouseCall identifies and fixes vulnerabilities to help prevent re-infection. Browser Guard 2010 Proactively protect browsers against new web threats. Browser Guard 2010 provides zero-day vulnerability prevention and protects against malicious JavaScript. Trend Micro Titanium Combining easy-to-use security with cloud-client technologies Trend Micro Titanium blocks threats such as infected websites, phishing attacks, viruses and spyware before they can reach a users computer. State-of-the-art protection for users data is delivered while ensuring that computer performance is not impacted. Light on system resources so PCs run faster Designed to be easy-to-use and understand with simple screens and graphical reports. Uses less than half the disk space and memory of other security products. Worry-Free Business Security Specifically designed for small businesses, Trend Micro provides comprehensive, multi layer protection against rogue antivirus software through the Worry-Free Business Security (WFBS) solution suite. WFBS protects against threats from the web, , instant messaging, and files all the vectors Fake AV employs to spread and infect unsuspecting users systems. WFBS offers the following layers of protection: Web Threat Protection stops threats from the web before they can reach the business by preventing access to infected websites. Real-time Scanning and Damage Cleanup Services detects and removes file system threats, killing rogue antivirus software processes and repairing system files that have been maliciously modified. Behavior Monitoring protects clients from unauthorized changes to the operating system, registry entries, applications, files, and folders. Personal Firewall restricts information that travels from one system to another, providing control over the types of data transferred and acting as a first-line defense. The Smart Protection Network The Smart Protection Network provides a new, smarter approach to security with a security protection infrastructure that improves the overall quality of protection. The Smart Protection Network is at the core of Worry-Free Business Security 6.0. Web Threat Protection and Reputation stop threats, spam, and other threats before they reach computers. Reputation technologies stop up to 99 percent of spam before it reaches mail servers. With Smart Scan most client security technologies are stored on a local security server rather than on each computer. Benefits include more frequent updates (checked hourly) and less pattern file information on computers, which maximizes performance. Smart Feedback automatically leverages threat information from Trend Micro users to enable faster identification of and protection against the latest threats. Trend Micro Enterprise Security Trend Micro Enterprise Security is a tightly integrated offering of content security products, services, and solutions powered by the innovative, in-the-cloud Trend Micro Smart Protection Network. Optimized to deliver immediate protection, Trend Micro Enterprise Security also dramatically reduces the cost and complexity of security management. For further information on Enterprise Security visit:

5 Conclusion The threat of rogue antivirus software grows daily and shows no signs of stopping. Luckily, Trend Micro provides several protection options for both consumers and businesses. In addition to educating users and staying on top of the latest trends in information security, both businesses and consumers are advised to keep software patched and to disable JavaScript on Adobe Reader. By continually monitoring new rogue antivirus software variants, Trend Micro provides a comprehensive suite of technology solutions, including a complete, multi-layered protection strategy that helps stop rogue antivirus before it can wreak havoc on computer systems. Endnotes 1 Phishing Activity Trends Report 1 st Half 2009, APWG web site, June 2009, reports/apwg_report_h1_2009.pdf 2 Alejandro Martínez-Cabrera, Kim Ryan, Google warns of fake anti-virus programs popping up online, San Francisco Chronicle, April 17, 2010, c/a/2010/04/17/bui71cvv5p.dtl 3 Brian Krebs, Massive Profits Fueling Rogue Antivirus Market, Washington Post, March 19, 2009, voices.washingtonpost.com/securityfix/2009/03/ obscene_profits_fuel_rogue_ant.html 4 Corporate End Users Web Threats Study, InsightExpress research study, March About Trend Micro Trend Micro Incorporated, a global leader in Internet content security, focuses on securing the exchange of digital information for businesses and consumers. A pioneer and industry vanguard, Trend Micro is advancing integrated threat management technology to protect operational continuity, personal information, and property from malware, spam, data leaks and the newest Web threats. Visit TrendWatch at to learn more about the latest threats. Trend Micro s flexible solutions, available in multiple form factors, are supported 24/7 by threat intelligence experts around the globe. Many of these solutions are powered by the Trend Micro Smart Protection Network infrastructure, a next-generation cloud-client innovation that combines sophisticated cloudbased reputation technology, feedback loops, and the expertise of TrendLabs SM researchers to deliver real-time protection from emerging threats. A transnational company, with headquarters in Tokyo, Trend Micro s trusted security solutions are sold through its business partners worldwide. Please visit July 2010 Trend Micro Inc N. De Anza Blvd. Cupertino, CA, 95014, USA Toll free: Phone: Fax: by Trend Micro Incorporated. All rights reserved. Trend Micro, the Trend Micro t-ball logo, InterScan, NeatSuite, OfficeScan, Trend Micro Internet Security, VirusWall, WebProtect, and TrendLabs are trademarks or registered trademarks of Trend Micro Incorporated. All other company and/or product names may be trademarks or registered trademarks of their owners. Information contained in this document is subject to change without notice.