ESET Threat Blog

Archive for the 'rogue antimalware' Category

Unnamed App Facebook Scam


Wednesday, January 27th, 2010

[Update: There's been quite a lot of discussion and extra information coming in on this. It seems to me that there is at least one unnamed app around as well as the Boxes issue, and while I've no reason to assume that it's malicious, I'd hardly advise that you rush into installing an application when the developer hasn't got around to giving it a name yet. The really important issue here, though, is that Googling for Unnamed App undoubtedly will turn up some malicious sites pushing fake security software!]

We hear that a hoax is circulating on Facebook, warning about a virus that is supposed to add an “Unnamed App” to the FB tabs.

As a result, people are Googling for further information with a search string like “Unnamed App”. Doing this quickly reveals an SEO (Search Engine Optimization) campaign pushing fake security software (rogue AV). The alert I received mentions a malicious file detected by ESET products as "a variant of Win32/Kryptik.BXJ."

As you may have noticed, I'm very much against the misuse of Virustotal as an indicator of scanner effectiveness: the fact that a scanner isn't recorded as identifying a threat on a VT report doesn't necessarily mean that it won't detect that threat when it tries to execute on a victim's PC. However, a VT report from 22:04:51 (UTC) yesterday (26th January 2001) suggests that at that point, only 12 out of 40 products detected it, so you probably shouldn't assume that other scanners will detect it at the moment.

A current thread at Yahoo Answers suggests that "Unnamed App" is likely to refer to the "Boxes" tab which can be found on some Facebook profile pages, though the Facebook developers page at http://wiki.developers.facebook.com/index.php/Tabbed_Profile states that "Facebook is deprecating the profile boxes and the Boxes tab in late 2009/early 2010, as per our announcement." (The announcement is at http://developers.facebook.com/news.php?blog=1&story=326.)

Tip of the hat to Peter Kruse for flagging this issue.

That VT report by the way is:

http://www.virustotal.com/analisis/a2554d34db4ab9b672f20e0609cad88a27b27b12e94dfac413e43f50afeba769-1264543491

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or @ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macviruscom.wordpress.com/

Fake Anti-Malware: Blurring the Boundaries


Saturday, October 24th, 2009

It won’t come as a surprise to regular readers of this blog that there’s a lot of fake/rogue anti-malware about (see http://www.eset.com/threat-center/blog/category/fake-anti-malware-fake-software). However, a report released at RSA Europe goes some way towards quantifying that threat, and has created something of a stir in the media.

That’s to be expected: journalists tend to love facts and figures. Anti-malware researchers (well, this anti-malware researcher) have/has a tendency to be more cautious, and while the statistics in the report from Symantec certainly give a flavour of the sheer scale of the problem, they’re a snapshot taken from a particular viewpoint, not the whole panorama. (That said, a lot of resources seem to have been expended on this report: it’s probably not a million miles out.) 

Unfortunately, some journalists have simply gone to the highlights page in the executive summary and recycled the figures (one newscast infuriated me by advising "don’t allow pop-ups" as if that was all there is to fixing the problem), whereas the really interesting and useful content is in the descriptions of the mechanisms behind these scams. We have an overview paper on the topic at http://www.eset.com/download/whitepapers/Free_but_Fake.pdf by ESET Latin-America’s Cristian Borghello, but for a more detailed approach, the much longer paper based on a longitudinal study is well worth looking at.

However, Rob Rosenberger’s reaction is also interesting: he took the opportunity to tweet a reminder of an article he wrote back in March about fake AV and virus hysteria. Somewhat predictably, he regards the anti-malware industry as a major contributor to the fake (or rogue) anti-malware problem. An interesting idea, coloured by his preoccupation with the idea that "virus hysteria" – an unpleasant phenomenon that I too have seen much too much of in the past 20 years – is partly the creation of the anti-malware industry. Well, I’m not going to tell you that the entire anti-malware industry is (and always has been) whiter than white. Still, I don’t think that a similarity in pricing and addiction to signature updates really accounts all by itself for the success of fake AV syndrome.

At this year’s Virus Bulletin conference, there was an interesting and amusing panel session that addressed both free anti-virus and fake AV, and I think there’s a clue there. Many people mistrust anti-malware products, and quite a few think they should be free. (No, that wouldn’t work for me: I have this addiction to food, which requires me to earn a living.)

Fake AV often exploits this desire for something for nothing, by offering a free product that turns out to be far from free. It does, to some extent, mimic a legitimate model of "This product has detected such and such malware on your system, but you’ll have to pay us to remove it", but that model hasn’t been particularly associated with mainstream AV. (A number of shareware products have used a similar model, though.) And I certainly can’t think of a legitimate product that forces itself onto your PC as a pop-up and scans it without asking permission before asking for payment before removing the malware it finds, real or not.

Where there is confusion, though, it derives from the ways that fake AV products try to blur the boundaries between fake and real, using spoofed web sites, forged certifications, advertising collateral and other information stolen from real products, and so on.

Another approach we’ve seen much more of in recent years is the use of legal action to try to restrict the ability of real security vendors to detect not only fake AV, but nuisances such as certain kinds of adware that may not be considered to be malware in the strictest sense of the word. Juraj Malcho, head of ESET’s lab in Bratislava, presented a fascinating paper on the topic "Is there a lawyer in the lab?" at Virus Bulletin 2009, as I mentioned in a previous blog. We can’t put up the paper itself until the end of the year because of the terms of the agreement made with Virus Bulletin when a conference paper is accepted, but a PDF version of the presentation is available here and here.

Other links:
http://tech.yahoo.com/news/nm/us_cybersecurity_symantec
http://news.bbc.co.uk/1/hi/technology/8313678.stm 
http://www.theregister.co.uk/2009/10/20/scareware_psychology/ 
http://www4.symantec.com/Vrt/wl?tu_id=TeCm125590003756772344

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Cybersecurity Awareness Month – Awareness for the Next Generation


Thursday, October 1st, 2009

"Now may I suggest some of the things we must do if we are to make the American dream a reality. First, I think all of us must develop a world perspective if we are to survive. The American dream will not become a reality devoid of the larger dream of brotherhood and peace and goodwill. The world in which we live is a world of geographical oneness…" - Dr. Martin Luther King, from a speech delivered at Lincoln University, Pennsylvania, June 6, 1961

If Dr. King had still been alive today to see the wonders of the global connectivity of the Internet, he would probably consider the quoted portion of his speech as a "statement before its time."

Today the current global Internet penetration rate stands at approximately 24%. With a global population of 6.7 billion, that equates to roughly 1.6 billion users on the Internet across the globe. At the current penetration rate, cybercrime has become pervasive, pandemic and increasingly connected with other parts of the criminal ecosystem. It ranges from the theft of an individual’s identity to the complete disruption of a country’s Internet connectivity due to a massive distributed attack against its networking and computing resources.

With the remaining 5 billion users to connect to the Internet, there are significant challenges – one of which is cybercrime (via its many methods). There are technological preventative measures that help mitigate cybercrime attacks, but technology alone is not the answer.

The next one billion users on the Internet will not come from developed countries, but rather mostly from developing countries. Awareness, even simple levels of awareness, of various types of risks and cybercrime attacks can yield positive results. This is primarily due to the fact that the weakest link in the “security chain” is, correctly, always quoted as being the end user. The additional one billion users on the Internet will be considered “fresh targets” by the cybercriminals.

The target of cybercrime centers on information – the data that is electronically stored for retrieval and subsequent use. For instance, even with varying levels of per-capita income, the amount of money that stands to be lost to a cybercrime called “phishing” (one of the most common online attacks where a person is socially engineered to provide personally identifiable information by someone posing to be a trusted source) has the potential to be quite significant due to the sheer number of users at risk (unaware).

A real-world example of the scope of the threat: cybercrimes, like phishing and data breaches, are a scalable threat to the United States. These threats are so severe they are detailed as national security threats in the 2009 Annual Threat Assessment Intelligence Briefing to the Senate Intelligence Committee. This represents the scope of one cybercrime problem in a single country, whose users have had several years of exposure to the Internet. New Internet users will face the same difficulties – but from cybercriminals that have also had years of experience and that have optimized their attack and evasion techniques.

Infrastructure build-out, deployment and subsequent end-user connectivity should be coupled with effective cybersecurity awareness training – in addition to application usage training. It is the ignorance of on-line risks that poses the greatest threat to the new generation of global Internet citizens. Coordinated global efforts in effective awareness training will transform these new Internet citizens from potential victims to increasingly aware, and less vulnerable, people as a whole.

Jeff Debrosse
Senior Research Director

Securing Our eCity community initiative: http://www.securingourecity.org/

Rogue Anti-Malware Exploiting Athens Fire


Sunday, August 23rd, 2009

Cristian Borghello, Technical and Education Manager at ESET Latin America, tells us that they’ve noted quite a few sites that pretend to provide information on the fire crisis in Athens, Greece, but actually download malware onto the user’s PC. (Mistakes in translation are down to DH!)

The criminals are using Black Hat SEO (Search Engine Optimization) techniques such as keyword stuffing and hidden text so that search engines will present their sites at or close to the top of the listings in response to keyword searches relating to the fires.

If the user enters one of these sites, he will be redirected through several domains and, in the last of them (http://removeallthreat [ELIMINATED] .com), he will end up downloading malware of the rogue antimalware type that ESET products detect as Win32/Adware.Antivirus2009.

As can be seen in a screen dump shown in the ESET Latin America blog page at http://blogs.eset-la.com/laboratorio/2009/08/23/fuego-atenas-pretexto-para-infectar-usuarios/, several intermediate sites exist that are only used to trick the search-engine and the user into accessing the final page, which always contains malware. 

The bad guys make very frequent use of these techniques, using topical events that attract the attention of the media and people in general as social engineering bait to reel in their victims.

Overnight, ESET Latin America have found other domains that use the same techniques and download similar malware: 

  • removeallthreat [ELIMINATED] .com
  • removepc [ELIMINATED] .com
  • scan-my-PC [ELIMINATED] .com
  • remove-PC [ELIMINATED] .com
  • homevirus [ELIMINATED] .com
  • scan-your-PC [ELIMINATED] .com

ESET Latin America advise caution when accessing sites purporting to offer topical information, and recommend looking out for these particular domains: if possible, block traffic from these sites using firewalls and proxies.
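The redirect chain described above (several throwaway intermediate domains leading to one rogue-AV landing page) is the part a defender can check mechanically. The following is an added example, not ESET Latin America's code: it walks a redirect chain offline and flags a final host whose leading label matches one of the domain prefixes listed in this post. Because the real domains were redacted ([ELIMINATED]), every hostname here is a constructed placeholder under the reserved .invalid TLD, and the redirect map is constructed too.

```python
"""Walk an HTTP redirect chain offline and flag landings on known rogue-AV hosts."""
from urllib.parse import urlparse, urljoin

# Constructed redirect map: URL -> the Location header it answers with.
# Models the "several domains" a victim is bounced through before the
# final rogue-AV page; no real site is contacted.
CONSTRUCTED_HOPS = {
    "http://athens-fire-news.invalid/latest": "http://fire-greece-update.invalid/go",
    "http://fire-greece-update.invalid/go": "http://ads-rotator.invalid/r?id=7",
    "http://ads-rotator.invalid/r?id=7": "http://removeallthreat-ELIMINATED.invalid/scan",
}

# Leading labels of the rogue-AV domains listed in the post. The rest of each
# domain was redacted, so matching is on the first DNS label only.
ROGUE_LABEL_PREFIXES = ("removeallthreat", "removepc", "scan-my-pc",
                        "remove-pc", "homevirus", "scan-your-pc")

MAX_HOPS = 10  # guard against runaway or looping redirect chains


def follow_chain(start, hops=CONSTRUCTED_HOPS, max_hops=MAX_HOPS):
    """Return the list of URLs visited from `start` until a URL issues no
    further redirect, a loop is detected, or the hop limit is reached."""
    chain = [start]
    seen = {start}
    current = start
    while current in hops and len(chain) <= max_hops:
        nxt = urljoin(current, hops[current])  # Location may be relative
        if nxt in seen:                         # redirect loop: stop here
            break
        chain.append(nxt)
        seen.add(nxt)
        current = nxt
    return chain


def is_rogue_host(url):
    """True if the URL's first hostname label starts with a listed prefix."""
    host = (urlparse(url).hostname or "").lower()
    return host.split(".")[0].startswith(ROGUE_LABEL_PREFIXES)


def classify(start, hops=CONSTRUCTED_HOPS):
    """Return (final_url, rogue_flag, intermediate_urls) for a starting URL."""
    chain = follow_chain(start, hops)
    return chain[-1], is_rogue_host(chain[-1]), chain[1:-1]


if __name__ == "__main__":
    final, rogue, mids = classify("http://athens-fire-news.invalid/latest")
    print(f"final={final} rogue={rogue} via {len(mids)} intermediate host(s)")
```

The intermediate URLs returned by `classify` are the throwaway domains worth feeding to a proxy or firewall blocklist alongside the final host.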

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/