McAfee Labs Combating Fake Alert infections. - Amith Prakash, Global Threat Response




Contents

What are FakeAlerts?
Symptoms
Characteristics - classical example of social engineering
Warnings displayed for some typical Fake Alerts
FakeAlert Downloaders
Common locations to find files installed by FakeAlert Trojans
Common FakeAlert registry changes
Connections to remote URLs
Combating FakeAlert

What are FakeAlerts?

FakeAlert Trojans are rogue security software written for monetary gain. They are usually delivered to the victim's system through drive-by downloads or spam. The software displays misleading fake security alerts, misleading spyware scan results and aggressive advertising in order to convince the user to buy the software "to get protection". Some of the known FakeAlert variants are listed below:

1. XP antivirus 2009
2. XP antivirus 2008
3. XP Security Centre
4. Malware Protector 2008
5. TotalSecure 2008
6. IE antivirus

Symptoms

- Fake pop-up messages about the system being infected.
- Unexpected network connections to some domain(s). (Refer to "Connections to remote URLs" below.)
- Presence of suspicious processes in Task Manager. A list of common process and file names related to FakeAlert is given below (* is a wildcard):

XPAntiviru*.exe
xpa.exe
xpa200*.exe
XP antivirus*
XPAntivirus*
Uninstall XPAntivirus*
Uninstall XP Antivirus*
Buritos.exe
Braviax.exe
c00*.dat (Generic Downloader.z)
*phc*
*lph*
*rhc*
scui.cpl (Generic PUP.x)
VAV.CPL (Generic PUP.x)
Beep.sys (existing file that gets overwritten with Generic PWS.o)
ctfmona.exe
ctfmonb.bmp
blackster.scr (Bugs! Shareware Screensaver - clean file)
Antvrs.exe

Many of these downloaders install other malware, including viruses as well as other Trojans. Additionally, many of them are used to remotely install adware packages onto the affected host for the purpose of gaining referral revenue from the adware vendor. Please note: if adware is installed via a downloader it may be installed "cleanly", with the relevant uninstaller included so the user can remove the adware, although frequently this is not the case.

Characteristics - classical example of social engineering

FakeAlert is a rogue security application. It is usually installed by drive-by installs or through exploits. It makes use of social engineering: the victim clicks "Yes" on a pop-up that says the machine is infected and that the software needs to be installed to fix it. This is shown in the image below.

Warnings displayed for some typical Fake Alerts

Some common warnings are given below.

Windows Security Center reports that 'XP antivirus' is inable. Antivirus software helps to protect your computer against viruses and other security threats. Click Recommendations for the suggested actions. Your system might be at a risk now.

Privacy Violation alert! XP antivirus detected Privacy Violation. Some program is secretly sending your private data to untrusted internet host. Click here to block this activity by removing threats (Recommended).

System files modification alert! Some critical system files of your computer were modified by malicious program. It may cause system instability and data loss. Click here to block unathorised modification by removing threats (Recommended).

Internal conflict alert! XP antivirus detected internal software conflict. Some application tries to get access to system kernel (such behavior is typical to Spyware/Malware). It may cause crash of your computer. Click here to prevent system crash by removing threats (Recommended).

Spyware activity alert! Spyware.IEMonster activity detected. It is spyware that attempts to steal passwords from Internet Explorer, Mozilla Firefox, Outlook and other programs, including logins and passwords from online banking sessions, ebay, PayPal. It may also create special tracking files to log your activity and compromise your Internet privacy. It's strongly recommended to remove this threat as soon as possible. Click here to remove Spyware.IEMonster.

(The spelling and wording of the warnings are reproduced as the rogue software displays them.)

FakeAlert Downloaders

We are seeing more and more hybrid downloader Trojans that install not only a FakeAlert Trojan but additional malware as well. I recently investigated a machine that had been compromised and had two FakeAlert Trojans installed, plus a password-stealer Trojan and an ad-clicker Trojan. With the latest generation of FakeAlert Trojans we are seeing rootkit technology being used:

NTRootKit-H http://us.mcafee.com/virusinfo/default.asp?id=description&virus_k=129931

We are also seeing more PWS (password-stealer) components being added to these malware packages:

Generic PWS.o http://vil.nai.com/vil/content/v_132847.htm

Some FakeAlerts are known to change the desktop background, install screensavers and/or joke blue screens to mislead the user into believing the machine has crashed with a BSOD. The joke Bluescreen screensaver cycles between different blue screens and simulated boots every 15 seconds or so. Virtually all the information shown on Bluescreen's BSOD and system start screen is obtained from the system configuration, so its accuracy will fool even advanced NT developers: the NT build number, processor revision, loaded drivers and addresses, disk drive characteristics and memory size are all taken from the system Bluescreen is running on. For further information on the joke blue screen visit http://vil.nai.com/vil/content/v_137362.htm

FakeAlert programs scan the machine and show misleading scan results. Some of them report valid files as malware, while others drop malicious files onto the machine and then "detect" them to gain the user's trust. Either way, the rogue security application presents fake or misleading scan results.
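The process and file names in the Symptoms list above are a mix of exact names, prefix wildcards and bare three-letter fragments, and two of the entries (Beep.sys, blackster.scr) are legitimate files. The following is an added example, not McAfee's tooling, showing how to apply that list to a Task Manager snapshot while keeping those distinctions: the process list is constructed, and graphconv.exe is a made-up legitimate name included only to show that the *phc* fragment also hits innocent files.

```python
"""Triage a list of process/file names against the FakeAlert names and wildcard
patterns from the Symptoms list above.  Added example, not McAfee tooling; the
process list at the bottom is constructed for the demonstration."""
import fnmatch

# Patterns copied from the Symptoms list.  '*' is a wildcard; matching is
# case-insensitive because Windows file names are.
FAKEALERT_PATTERNS = [
    "XPAntiviru*.exe", "xpa.exe", "xpa200*.exe", "XP antivirus*", "XPAntivirus*",
    "Uninstall XPAntivirus*", "Uninstall XP Antivirus*", "Buritos.exe", "Braviax.exe",
    "c00*.dat", "*phc*", "*lph*", "*rhc*", "scui.cpl", "VAV.CPL", "ctfmona.exe",
    "ctfmonb.bmp", "Antvrs.exe",
]
# Names the list mentions that are legitimate files: Beep.sys is a genuine
# Windows driver that Generic PWS.o overwrites, blackster.scr is a clean
# shareware screensaver the rogue drops.  A name match proves nothing here;
# the file's hash (or a content scan) decides.
VERIFY_BY_HASH = {"beep.sys", "blackster.scr"}


def classify(name):
    """Return (verdict, pattern) where verdict is one of
    'strong' - an exact or prefix pattern such as Braviax.exe or XPAntiviru*.exe
    'weak'   - a bare substring pattern (*phc*, *lph*, *rhc*); these also hit
               innocent names that happen to contain the three letters
    'verify' - a legitimately present file name, check the hash instead
    'clean'  - no pattern matched"""
    lower = name.lower()
    if lower in VERIFY_BY_HASH:
        return "verify", None
    for pat in FAKEALERT_PATTERNS:
        if fnmatch.fnmatchcase(lower, pat.lower()):
            weak = pat.startswith("*") and pat.endswith("*")
            return ("weak" if weak else "strong"), pat
    return "clean", None


def triage(names):
    """Group names by verdict; each entry is (name, matching pattern or None)."""
    groups = {"strong": [], "weak": [], "verify": [], "clean": []}
    for n in names:
        verdict, pat = classify(n)
        groups[verdict].append((n, pat))
    return groups


# Constructed Task Manager snapshot: a FakeAlert infection plus ordinary
# processes, including graphconv.exe, a made-up legitimate name that shows why
# the *phc* pattern is only a weak signal.
SAMPLE_PROCESSES = [
    "System", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "explorer.exe", "ctfmon.exe", "XPAntivirus2008.exe",
    "rhcv8nj0eefc.exe", "lphcr8nj0eefc.exe", "Braviax.exe", "beep.sys",
    "graphconv.exe",
]

if __name__ == "__main__":
    for verdict, entries in triage(SAMPLE_PROCESSES).items():
        for name, pat in entries:
            print(f"{verdict:7} {name:24} {pat or ''}")
```

Feed it the output of a process listing (tasklist, or the names from a memory image) and treat 'weak' hits as a reason to look at the file's path and hash, not as a verdict on their own; note that ctfmon.exe, the genuine input-method process, is not confused with the rogue's ctfmona.exe.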

After convincing the user, the next step is to get money: the rogue pops up a registration pane asking the user to type in an e-mail address to purchase the product (screenshot below).

Common locations to find files installed by FakeAlert Trojans

The FakeAlert Trojan commonly installs to various locations on the local computer. They are listed below.

TEMP folder and Quick Launch:
%USER_PROFILE%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
%USER_PROFILE%\Local Settings\Temp\.tt1D.tmp
%USER_PROFILE%\Local Settings\Temp\.tt1D.tmp.vbs

Desktop and Start Menu:
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk

Program Files directory:
C:\Program Files\rhcv8nj0eefc\database.dat
C:\Program Files\rhcv8nj0eefc\license.txt
C:\Program Files\rhcv8nj0eefc\MFC71.dll
C:\Program Files\rhcv8nj0eefc\MFC71ENU.DLL
C:\Program Files\rhcv8nj0eefc\msvcp71.dll
C:\Program Files\rhcv8nj0eefc\msvcr71.dll
C:\Program Files\rhcv8nj0eefc\rhcv8nj0eefc.exe
C:\Program Files\rhcv8nj0eefc\rhcv8nj0eefc.exe.local
C:\Program Files\rhcv8nj0eefc\Uninstall.exe

System folder (i.e. C:\windows\system32\):
%WinDir%\system32\Restore\MachineGuid.txt
%WinDir%\system32\blphcr8nj0eefc.scr
%WinDir%\system32\pphcr8nj0eefc.exe

(%WinDir% is the Windows directory, for example C:\WINNT or C:\WINDOWS. %USER_PROFILE% is the user profile folder, for example C:\Documents and Settings\Administrator if the current user is Administrator.)

The folder name rhcv8nj0eefc and the file names built from it (lphcr8nj0eefc, pphcr8nj0eefc, blphcr8nj0eefc) vary between samples; the *phc*, *lph* and *rhc* wildcards in the Symptoms section cover them. MFC71.dll, MFC71ENU.DLL, msvcp71.dll and msvcr71.dll are genuine Microsoft runtime libraries that the rogue bundles; on their own they are not an indicator.
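Checking for the file-system artefacts above by hand is error-prone because the meaningful signal is a combination (a Program Files folder whose executable carries the folder's own name, shipped with database.dat, license.txt and the MFC71 runtime) rather than any single file name. The following added example, not McAfee's tooling, encodes those combinations; it builds a constructed copy of the infected layout in a temporary directory so it runs offline on any operating system, and run_scan() can be pointed at a real drive or mounted image instead. The SomeEditor folder and SomeEditor.lnk are made-up clean neighbours included to show what must not be flagged.

```python
"""Look for the FakeAlert file-system artefacts listed above.  Added example,
not McAfee tooling; it builds a constructed copy of the infected layout in a
temporary directory so it runs offline on any OS.  Point run_scan() at a real
drive (or a mounted image) to use it for triage."""
import os
import tempfile

# Product names the rogue uses for its shortcuts, from the variant list above.
ROGUE_NAMES = {"antivirus xp 2008", "xpantivirus", "xp antivirus", "antivirxp08",
               "malware protector 2008", "totalsecure 2008", "xp security centre"}
# Support files dropped next to the main executable.  MFC71.dll and the
# msvc*71 runtime DLLs are genuine Microsoft files; they are an indicator only
# in this combination, never on their own.
BUNDLE_MARKERS = {"database.dat", "license.txt", "mfc71.dll"}
TOKENS = ("phc", "lph", "rhc")   # the wildcard fragments from the Symptoms list


def scan_program_files(program_files):
    """Flag <dir>\\<dir>.exe bundles that also ship database.dat, license.txt and MFC71.dll."""
    hits = []
    for entry in sorted(os.listdir(program_files)):
        folder = os.path.join(program_files, entry)
        if os.path.isdir(folder):
            files = {f.lower() for f in os.listdir(folder)}
            if entry.lower() + ".exe" in files and BUNDLE_MARKERS <= files:
                hits.append(folder)
    return hits


def scan_shortcuts(root):
    """.lnk files anywhere under root whose name is a known rogue product name."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            stem, ext = os.path.splitext(f)
            if ext.lower() == ".lnk" and stem.lower() in ROGUE_NAMES:
                hits.append(os.path.join(dirpath, f))
    return sorted(hits)


def scan_system32(system32):
    """Executables, screensavers and bitmaps in System32 carrying a phc/lph/rhc token."""
    hits = [os.path.join(system32, f) for f in os.listdir(system32)
            if f.lower().endswith((".exe", ".scr", ".bmp"))
            and any(t in f.lower() for t in TOKENS)]
    return sorted(hits)


def run_scan(root):
    """Scan the three locations the page lists; root is the drive or image root."""
    return {
        "bundles": scan_program_files(os.path.join(root, "Program Files")),
        "shortcuts": scan_shortcuts(os.path.join(root, "Documents and Settings")),
        "system32": scan_system32(os.path.join(root, "WINDOWS", "system32")),
    }


def build_sample_tree(root):
    """Constructed sample: the layout from the page plus clean neighbours that
    must not be flagged (an ordinary application bundle, a stock screensaver)."""
    layout = {
        "Program Files/rhcv8nj0eefc": ["database.dat", "license.txt", "MFC71.dll",
                                        "msvcr71.dll", "rhcv8nj0eefc.exe", "Uninstall.exe"],
        "Program Files/SomeEditor": ["SomeEditor.exe", "license.txt", "MFC71.dll"],
        "Documents and Settings/All Users/Desktop": ["Antivirus XP 2008.lnk", "SomeEditor.lnk"],
        "Documents and Settings/All Users/Start Menu/Programs/Antivirus XP 2008":
            ["Antivirus XP 2008.lnk", "Uninstall.lnk"],
        "WINDOWS/system32": ["blphcr8nj0eefc.scr", "pphcr8nj0eefc.exe",
                             "phcr8nj0eefc.bmp", "kernel32.dll", "logon.scr"],
    }
    for rel, names in layout.items():
        d = os.path.join(root, *rel.split("/"))
        os.makedirs(d, exist_ok=True)
        for name in names:
            open(os.path.join(d, name), "w").close()
    return root


def demo():
    """Build the constructed tree in a temp directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return run_scan(build_sample_tree(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, *paths, sep="\n  ")
```

The SomeEditor bundle has an executable named after its folder and even ships license.txt and MFC71.dll, yet is not reported because database.dat is missing; requiring the full combination is what keeps the rule from flagging ordinary applications.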

Common FakeAlert registry changes

It creates or modifies the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhcv8nj0eefc: 00 82 AC 48
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\AntivirXP08: "AntivirXP08"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphcr8nj0eefc: "%WinDir%\System32\lphcr8nj0eefc.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SMrhcv8nj0eefc: "C:\Program Files\rhcv8nj0eefc\rhcv8nj0eefc.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcv8nj0eefc\DisplayName: "AntivirXP08"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcv8nj0eefc\UninstallString: ""C:\Program Files\rhcv8nj0eefc\uninstall.exe""
HKEY_LOCAL_MACHINE\SOFTWARE\rhcv8nj0eefc\domain: "5B13A361646217A08DAF45C0FAB6AA64BF0E"
HKEY_LOCAL_MACHINE\SOFTWARE\rhcv8nj0eefc\ADVid: "687a874463df9e3b7abb1f2150607f7a"
HKEY_LOCAL_MACHINE\SOFTWARE\rhcv8nj0eefc\: "C:\Program Files\rhcv8nj0eefc"
HKEY_LOCAL_MACHINE\SOFTWARE\rhcv8nj0eefc\InstallDir: "C:\Program Files\rhcv8nj0eefc"
HKEY_LOCAL_MACHINE\SOFTWARE\rhcv8nj0eefc\SoftID: "AntivirXP08"
HKEY_LOCAL_MACHINE\SOFTWARE\rhcv8nj0eefc\DatabaseVersion: "2.1"
HKEY_LOCAL_MACHINE\SOFTWARE\rhcv8nj0eefc\ProgramVersion: "2.1"
HKEY_LOCAL_MACHINE\SOFTWARE\rhcv8nj0eefc\EngineVersion: "2.1"
HKEY_LOCAL_MACHINE\SOFTWARE\rhcv8nj0eefc\GuiVersion: "2.1"
HKEY_LOCAL_MACHINE\SOFTWARE\rhcv8nj0eefc\ProxyName: ""
HKEY_LOCAL_MACHINE\SOFTWARE\rhcv8nj0eefc\ProxyPort: 0x00000000
HKEY_LOCAL_MACHINE\SOFTWARE\rhcv8nj0eefc\ScanPriority: 0x00000001
HKEY_LOCAL_MACHINE\SOFTWARE\rhcv8nj0eefc\DaysInterval: 0x00000007
HKEY_LOCAL_MACHINE\SOFTWARE\rhcv8nj0eefc\ScanDepth: 0x00000002
HKEY_LOCAL_MACHINE\SOFTWARE\rhcv8nj0eefc\ScanSystemOnStartup: 0x00000001
HKEY_LOCAL_MACHINE\SOFTWARE\rhcv8nj0eefc\AutomaticallyUpdates: 0x00000001
HKEY_LOCAL_MACHINE\SOFTWARE\rhcv8nj0eefc\MinimizeOnStart: 0x00000000
HKEY_LOCAL_MACHINE\SOFTWARE\rhcv8nj0eefc\BackgroundScan: 0x00000001
HKEY_LOCAL_MACHINE\SOFTWARE\rhcv8nj0eefc\BackgroundScanTimeout: 0x00000001
HKEY_LOCAL_MACHINE\SOFTWARE\rhcv8nj0eefc\LastTimeStamp: 0x00000104
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage: 0x00000001
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage: 0x00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR: 0x00000000
HKEY_USERS\Control Panel\Colors\Background: "0 0 255"
HKEY_USERS\Control Panel\Desktop\SCRNSAVE.EXE: "C:\WINDOWS\System32\blphcr8nj0eefc.scr"
HKEY_USERS\Control Panel\Desktop\Wallpaper: "%WinDir%\System32\phcr8nj0eefc.bmp"
HKEY_USERS\Control Panel\Desktop\WallpaperStyle: "0"
HKEY_USERS\Control Panel\Desktop\OriginalWallpaper: "%WinDir%\System32\phcr8nj0eefc.bmp"

The two Run values give the rogue persistence, the Uninstall entry makes it look like an ordinary installed program, and the Post Platform value adds a token to Internet Explorer's User-Agent string. The NoDispBackgroundPage and NoDispScrSavPage policies hide the Background and Screen Saver tabs of Display Properties so the user cannot undo the planted wallpaper and screensaver, which is why the desktop changes persist until the policies are removed. The HKEY_USERS entries are shown without the user SID; for the logged-on user they appear under HKEY_CURRENT_USER.
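A registry export from a suspect machine (reg export, or a .reg file produced by a forensic tool) can be checked for the changes above without hand-searching it. The following is an added example, not McAfee's tooling: it parses the REG_SZ and REG_DWORD values of a .reg file, ties the Run entries to the Uninstall entry through the shared install-folder name, and reports the lock-out policies and desktop changes. SAMPLE_REG is constructed from the keys on this page, with the HKEY_USERS entries placed under HKEY_CURRENT_USER and a genuine ctfmon.exe Run value added to show what is not reported.

```python
"""Parse a registry export (.reg) and flag the FakeAlert changes listed above.
Added example, not McAfee tooling.  SAMPLE_REG is constructed from the keys on
this page (the HKEY_USERS entries are shown under HKEY_CURRENT_USER, where
they live for the logged-on user); only REG_SZ and REG_DWORD values are parsed."""
import ntpath

TOKENS = ("phc", "lph", "rhc")          # wildcard fragments from the Symptoms list
ROGUE_NAMES = {"antivirxp08", "antivirus xp 2008", "xpantivirus", "xp antivirus",
               "xp security centre", "malware protector 2008", "totalsecure 2008"}
# These policies hide the Background and Screen Saver tabs of Display
# Properties, so the user cannot undo the planted wallpaper and screensaver.
LOCKOUT_POLICIES = ("NoDispBackgroundPage", "NoDispScrSavPage")

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lphcr8nj0eefc"="C:\\WINDOWS\\System32\\lphcr8nj0eefc.exe"
"SMrhcv8nj0eefc"="C:\\Program Files\\rhcv8nj0eefc\\rhcv8nj0eefc.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcv8nj0eefc]
"DisplayName"="AntivirXP08"
"UninstallString"="\"C:\\Program Files\\rhcv8nj0eefc\\uninstall.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"AntivirXP08"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000001
"NoDispScrSavPage"=dword:00000001

[HKEY_CURRENT_USER\Control Panel\Desktop]
"SCRNSAVE.EXE"="C:\\WINDOWS\\System32\\blphcr8nj0eefc.scr"
"Wallpaper"="C:\\WINDOWS\\System32\\phcr8nj0eefc.bmp"
'''


def _unquote(raw):
    """Strip the enclosing quotes of a REG_SZ literal and undo the \\ and \" escapes."""
    body, out, i = raw[1:-1], [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            out.append(body[i + 1]); i += 2
        else:
            out.append(body[i]); i += 1
    return "".join(out)


def parse_reg(text):
    """{key path: {value name: str | int}}; '@' default values and other types are skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, raw = line[1:].partition('"=')
            keys[current][name] = int(raw[6:], 16) if raw.startswith("dword:") else _unquote(raw)
    return keys


def _has_token(path):
    return any(t in ntpath.basename(path.strip('"')).lower() for t in TOKENS)


def find_fakealert(keys):
    """Return human-readable findings for the indicators the page lists."""
    findings, rogue_folders = [], set()
    # Pass 1: Uninstall entries advertising a rogue product name.  The subkey
    # name is the install folder, which lets pass 2 tie Run entries to it.
    for key, values in keys.items():
        if "\\currentversion\\uninstall\\" in key.lower() \
                and str(values.get("DisplayName", "")).lower() in ROGUE_NAMES:
            folder = key.rsplit("\\", 1)[1]
            rogue_folders.add(folder.lower())
            findings.append(f"uninstall entry {folder}: DisplayName={values['DisplayName']}")
    # Pass 2: autostart, lock-out policies, desktop and user-agent changes.
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("\\currentversion\\run"):
            for name, path in values.items():
                parent = ntpath.basename(ntpath.dirname(str(path).strip('"'))).lower()
                if parent in rogue_folders:
                    findings.append(f"run value {name}: folder {parent} matches rogue uninstall entry")
                elif _has_token(str(path)):
                    findings.append(f"run value {name}: name carries a FakeAlert token ({path})")
        elif k.endswith("\\policies\\system"):
            for name in LOCKOUT_POLICIES:
                if values.get(name) == 1:
                    findings.append(f"policy {name}=1 hides a Display Properties tab")
        elif k.endswith("\\control panel\\desktop"):
            for name in ("SCRNSAVE.EXE", "Wallpaper", "OriginalWallpaper"):
                if name in values and _has_token(str(values[name])):
                    findings.append(f"desktop {name} set to {values[name]}")
        elif k.endswith("\\user agent\\post platform"):
            for name in values:
                if name.lower() in ROGUE_NAMES:
                    findings.append(f"user-agent token {name} added to Post Platform")
    return findings


def demo():
    return find_fakealert(parse_reg(SAMPLE_REG))


if __name__ == "__main__":
    print("\n".join(demo()))
```

Correlating the Run value with the Uninstall subkey is the useful part: a Run entry pointing at Program Files\X\X.exe is common for legitimate software, so on its own it is only noise, but when X is also the subkey of an Uninstall entry whose DisplayName is a known rogue product, the pair identifies the install folder to remove.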

Connections to remote URLs

FakeAlert Trojans connect to various URLs to download more malware. Below is a list of common domains accessed by FakeAlert.

Accessed domains:
tibsystems.com
statsbank.com
boards.cexx.org
adultwebmasterinfo.com
dialerschutz.de
webmasterworld.com
gofuckyourself.com
56.com
adultfriendfinder.com

Note: please visit the FakeAlert VIL description (http://vil.nai.com) to get the latest information on FakeAlert-related domains, as they are quite dynamic. Several of the accessed domains are ordinary web sites (webmaster forums and advertising sites) that the rogue contacts for statistics or referral traffic, so treat this list as a network indicator of infection and expect some false positives if you block it for every user.

There are also install domains, which are contacted to download the FakeAlert Trojans themselves.

Install domains:
antivirus2008x.com
antivirus2008.com
72-9-108-82.reverse.ezzi.net
antivirusxp2008.com
winfixer.com
advancedxpdefender.com
liveresponsesite.com
xpsecuritycenter.com
malwareprotector2008.com
antivirusxp-08.net

Combating FakeAlert

1. Block the install domains listed above.
2. Block the accessed domains listed above.
3. Create Access Protection rules.

Access Protection rules

You can use the Access Protection rules in McAfee VirusScan 8.7 to prevent creation of files and folders related to FakeAlert. As mentioned above, FakeAlert tries to create folders and files in common locations such as Program Files and the Start Menu, and the folder names are usually the name of the malware, e.g. XPAntivirus. Create Access Protection rules to prevent creation of such folders in known locations, for example:

C:\Program Files\XPAntivirus\
C:\Program Files\XP Antivirus\

Rules keyed on a fixed product name only stop the variants that use that name; the randomly named rhcv8nj0eefc-style folders need rules built on the *phc*, *lph* and *rhc* patterns from the Symptoms section, and those wider patterns should be tested against your own software inventory before being set to block.

A screenshot of a typical user-defined Access Protection rule is given below.
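Blocking the two domain lists is simple; the practical questions are how to match them (a substring match would also catch unrelated names, and a plain hosts-file entry misses subdomains) and how to turn DNS logs into a list of hosts to clean. The following is an added example, not McAfee's tooling, that does both: the log format and log lines are constructed, and the install domains are the ones listed above, with the reverse-DNS host name written as one name where the transcription split it.

```python
"""Check DNS-query log lines against the FakeAlert install and accessed domains
listed above and produce block-list entries.  Added example, not McAfee tooling;
the log format and log lines are constructed."""
import re

INSTALL_DOMAINS = {
    "antivirus2008x.com", "antivirus2008.com", "72-9-108-82.reverse.ezzi.net",
    "antivirusxp2008.com", "winfixer.com", "advancedxpdefender.com",
    "liveresponsesite.com", "xpsecuritycenter.com", "malwareprotector2008.com",
    "antivirusxp-08.net",
}
ACCESSED_DOMAINS = {
    "tibsystems.com", "statsbank.com", "boards.cexx.org", "adultwebmasterinfo.com",
    "dialerschutz.de", "webmasterworld.com", "gofuckyourself.com", "56.com",
    "adultfriendfinder.com",
}


def classify_domain(qname):
    """'install', 'accessed' or None.  Matching is by DNS label suffix, so
    www.antivirus2008.com is caught while notantivirus2008.com is not, and a
    listed host such as boards.cexx.org does not drag in all of cexx.org."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never match a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in INSTALL_DOMAINS:
            return "install"
        if candidate in ACCESSED_DOMAINS:
            return "accessed"
    return None


# Constructed log format: "<date> <time> <client ip> query <type> <name>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<client>\S+) query (?P<qtype>\S+) (?P<qname>\S+)$")

SAMPLE_LOG = """\
2008-09-12 10:31:02 192.168.1.23 query A www.antivirus2008.com
2008-09-12 10:31:05 192.168.1.23 query A 72-9-108-82.reverse.ezzi.net
2008-09-12 10:32:11 192.168.1.23 query A statsbank.com
2008-09-12 10:33:40 192.168.1.40 query A www.webmasterworld.com
2008-09-12 10:34:02 192.168.1.40 query A cexx.org
2008-09-12 10:35:17 192.168.1.51 query A update.microsoft.com
2008-09-12 10:36:00 192.168.1.51 query A notantivirus2008.com
"""


def scan_log(text):
    """{client: {'install': [names], 'accessed': [names]}} for clients with a hit."""
    clients = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        verdict = classify_domain(m["qname"])
        if verdict:
            clients.setdefault(m["client"], {"install": [], "accessed": []})[verdict].append(m["qname"])
    return clients


def prioritise(clients):
    """A hit on an install domain means the rogue was being fetched: triage first.
    Accessed-only clients may already be infected, or may just have visited one
    of the ordinary web sites in that list, so they rank lower."""
    return {c: ("install-stage" if v["install"] else "accessed-only") for c, v in clients.items()}


def blocklist(sink="0.0.0.0"):
    """hosts-file style lines.  A hosts file matches exact names only, so this
    stops antivirus2008.com but not www.antivirus2008.com; use a DNS sinkhole or
    proxy rule with classify_domain-style suffix matching for full coverage."""
    return [f"{sink} {d}" for d in sorted(INSTALL_DOMAINS | ACCESSED_DOMAINS)]


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for client, level in prioritise(hits).items():
        print(client, level, hits[client])
    print("\n".join(blocklist()))
```

Pointing the sink at 0.0.0.0 rather than 127.0.0.1 avoids connections landing on a local web server; on the sample log only 192.168.1.23 (install-stage) and 192.168.1.40 (accessed-only) are reported, and the look-alike notantivirus2008.com is ignored.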