ESET Threat Blog


Archive for the 'fake anti-malware; fake software' Category

Halloween: There’s Something Scary In Your Search Engine


Thursday, October 29th, 2009

We told you to watch out, didn't we? (see Randy's blog at http://www.eset.com/threat-center/blog/2009/10/23/this-is-the-funniest-video-ever). But it's not just Michael Myers, zombies and vampires you need to watch out for. It's also Funny Halloween Costumes, Harvey Milk, Pumpkin Carving Stencils, candy, Pokemon, and McDonalds Monopoly online.

Yes, the fake/rogue AV gang have started on their Halloween special, and this time it's… well, it's the same old SEO (Search Engine Optimization) poisoning ploy. Right now, after a very interesting conversation with Juraj Malcho, head of our lab in Slovakia, I'm looking through a list of keywords currently being used by a particularly prolific Black Hat SEO campaign which has been updated to reflect the sort of stuff that people – and certainly American people - are likely to be searching for at this time of year.

I'm looking through a list of thousands of words and phrases, so I'm not going to list them all here: I don't suppose you'd read it from top to bottom if I did. However, if you use common search engines like Google to look for terms like those above and a great many others, you're likely to find a lot of links at the top of the results lists that lead you to fake security software.  This claims to find imaginary malware on your system, with the ultimate intention of defrauding you of money and possibly of harvesting your credit card details, for example.

Many of the search terms I'm looking at here relate to fairly specific stuff like halloween costumes; lots are fairly generic but have the word Halloween added (often at the start of the term, but not invariably); some don't relate to Halloween at all, as far as I can see; and some are just bizarre. ("Halloween originated in mt kilamanjaro (sic)")

So much for the social engineering aspect: what about the malware? Juraj has been checking samples, and most of it is already covered by our generic detections. There'll be more specific naming in our next update. Of course, we'd expect the bad guys to do some tweaking as their campaign develops, to try to regain the advantage, so you can't assume that anti-virus products, even those with good proactive detection (like ours!) will catch everything.

Anti-virus is a useful layer of protection against threats like this, but we can't always save you from your own lack of caution. If you're looking for Halloween-related material, you might want to check out my previous blog at http://www.eset.com/threat-center/blog/2009/10/24/fake-anti-malware-blurring-the-boundaries for other resources that will tell you more about fake security programs.

 [Particular thanks to Sean-Paul Correll and Patrick Mullen for spreading the word on this.]

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Cybersecurity Awareness Month – Awareness for the Next Generation


Thursday, October 1st, 2009

"Now may I suggest some of the things we must do if we are to make the American dream a reality. First, I think all of us must develop a world perspective if we are to survive. The American dream will not become a reality devoid of the larger dream of brotherhood and peace and goodwill. The world in which we live is a world of geographical oneness…" - Dr. Martin Luther King, from a speech delivered at Lincoln University, Pennsylvania, June 6, 1961

If Dr. King had still been alive today to see the wonders of the global connectivity of the Internet, he would probably consider the quoted portion of his speech as a "statement before its time."

Today the current global Internet penetration rate stands at approximately 24%. With a global population of 6.7 billion, that equates to roughly 1.6 billion users on the Internet across the globe. At the current penetration rate, cybercrime has become pervasive, pandemic and increasingly connected with other parts of the criminal ecosystem. It ranges from the theft of an individual’s identity to the complete disruption of a country’s Internet connectivity due to a massive distributed attack against its networking and computing resources.

With the remaining 5 billion users to connect to the Internet, there are significant challenges – one of which is cybercrime (via its many methods). There are technological preventative measures that help mitigate cybercrime attacks, but technology alone is not the answer.

The next one billion users on the Internet will not come from developed countries, but rather mostly from developing countries. Awareness, even simple levels of awareness, of various types of risks and cybercrime attacks can yield positive results. This is primarily due to the fact that the weakest link in the “security chain” is, correctly, always quoted as being the end user. The additional one billion users on the Internet will be considered “fresh targets” by the cybercriminals.

The target of cybercrime centers on information – the data that is electronically stored for retrieval and subsequent use. For instance, even with varying levels of per-capita income, the amount of money that stands to be lost to a cybercrime called “phishing” (one of the most common online attacks where a person is socially engineered to provide personally identifiable information by someone posing to be a trusted source) has the potential to be quite significant due to the sheer number of users at risk (unaware).

A real-world example of the scope of the threat: cybercrimes, like phishing and data breaches, are a scalable threat to the United States. These threats are so severe they are detailed as national security threats in the 2009 Annual Threat Assessment Intelligence Briefing to the Senate Intelligence Committee. This represents the scope of one cybercrime problem in a single country, whose users have had several years of exposure to the Internet. New Internet users will face the same difficulties – but from cybercriminals that have also had years of experience and that have optimized their attack and evasion techniques.

Infrastructure build-out, deployment and subsequent end-user connectivity should be coupled with effective cybersecurity awareness training – in addition to application usage training. It is the ignorance of on-line risks that poses the greatest threat to the new generation of global Internet citizens. Coordinated global efforts in effective awareness training will transform these new Internet citizens from potential victims to increasingly aware, and less vulnerable, people as a whole.

Jeff Debrosse
Senior Research Director


9/11 – Nothing Is Sacred to Scammers


Friday, September 11th, 2009

Here in the UK we’ve seen quite a lot of media attention (TV movies and documentaries and so on) relating to the 9/11 attacks, so I’m sure there’s a lot more happening in the US, today of all days.

Sky News (http://news.sky.com/skynews/Home/World-News/September-11-Terror-Attacks-New-Video-Of-Plane-Crashing-Into-South-Tower-9-11-Memorial-And-Museum/Article/200909215379149) has published an article that includes a link to a video clip of the second plane hitting the World Trade Center, if you can bear to watch it again, but also includes some information and a link to the National September 11 Memorial & Museum  (http://www.national911memorial.org/site/PageServer?pagename=New_Home), which contains many examples of "citizen journalism" relating to the tragedy.

You may think this has more to do with national security than the sort of issue we deal with here, though the borders do get pretty fuzzy sometimes. However, it seems that, predictably enough, the fake AV crew have been doing some more index hijacking (http://www.eset.com/threat-center/blog/2009/08/26/web-searches-and-dangerous-ladies; http://www.eset.com/threat-center/blog/2009/09/06/fake-antimalware-old-dogs-new-tricks). Using Google and other search engines for information and reports about 9/11 is likely to generate results with a load of links leading to rogue antivirus-related sites.

Clearly, no topical report, however tragic, is exempt from the attentions of the criminal mind.

Thanks to Graham Cluley of Sophos and to Donna Buenaventura of Trend for drawing my attention to this new malware attack.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


Fake Antimalware – Old Dogs, New Tricks


Sunday, September 6th, 2009

(1)

Websense, our neighbour in San Diego, has reported a fake anti-malware scam centred on Labor Day social engineering. The scam uses malicious SEO (Search Engine Optimization) techniques, sometimes referred to as index hijacking or SEO poisoning, to misdirect potential victims. When the victim uses Google to search for Labor Day sales (apparently these are very popular in the US), the bad guys use SEO poisoning to ensure that some of the highest ranking hits are actually malicious URLs that redirect the victim to a site "warning" him that his machine is infected, and offers "free but fake" anti-virus software. According to Websense, AOL and ASK.com have been affected by similar SEO poisoning.

(We have a paper on our white papers page on the topic of fake anti-malware, written by Cristian Borghello, one of my colleagues in ESET Latin America. This describes how "free" anti-malware can turn out to be pretty expensive.)

There’s nothing particularly new about SEO poisoning, of course: my colleague on the AMTSO Board of Directors, Igor Muttik, wrote a comprehensive chapter for the AVIEN Malware Defense Guide* on web attacks that includes a section on index hijacking. Similarly, malware frequently uses social engineering based on public holidays to lure its victims – remember the Waledac 4th of July spam, which we and Websense, among others, also flagged? - as well as other attention-grabbing topics such as the Athens fires. Nevertheless, it’s well worth reiterating that this kind of social engineering isn’t restricted to spamming out malicious attachments or links. You may trust Google’s good intentions, but that doesn’t mean that every link that turns up in a Google search is going to be trustworthy.

Like legitimate concerns who make money out of their web presence, the bad guys also like to take steps to ensure that their "business" is top of the heap in web searches.

(2)

Sophos have also brought our attention to a slightly novel wrinkle currently employed by fake AV distributors. In this case, it’s a fake AV product which doesn’t just tell you that you’re infected by imaginary malware, but tells you which files are "spyware". We have seen instances where a system is deliberately attacked in order to sell the "solution": for instance, part of the pitch for one type of fake file recovery software was to encrypt some of the victim’s files and flag them as "corrupted", so that the fake software can "repair" them. Fortunately, this isn’t quite the same: the Trojan isn’t actually creating malware on the victim’s machine: it’s simply creating garbage files and flagging them as malicious. However, they can’t execute and are easily removed (you certainly don’t need to buy the fake AV to remove them).

You may wonder what’s to stop these guys generating real malware. Well, not much: there’s nothing to stop one malicious program generating another, which a third (the fake security software) claims to detect and remove. The reason that we don’t see this more often may simply be that the authors of fake AV are constantly trying to blur the distinction between fake security software and the real thing. This has at least two advantages for them:

  • It makes it more difficult (obviously) for a potential victim to spot a rogue product
  • By trying to make real security products look bad, they increase the take-up of their own badware.

So they may be holding back from generating real malware in contexts where it will make it harder for them to claim in court, for example, that the fake scanner is legitimate security software.

However, that doesn’t mean  that some criminal genius won’t decide that it makes sense to write the malware and the "anti-malware" at the same time. In fact, there are precedents for this that go back to the 1990s: indeed, I once declined to participate in a book project that was intended to teach the art of antivirus development by describing how to write specific viruses, and then describing how to write detection routines.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

 *Dr. Igor G. Muttik, A Tangled Web, in "The AVIEN Malware Defense Guide for the Enterprise", ed. Harley, Syngress 2007.

 

Rogue Anti-Malware Exploiting Athens Fire


Sunday, August 23rd, 2009

Cristian Borghello, Technical and Education Manager at ESET Latin America, tells us that they’ve noted quite a few sites that pretend to provide information on the fire crisis in Athens, Greece, but actually download malware onto the user’s PC. (Mistakes in translation are down to DH!)

The criminals are using Black Hat SEO (Search Engine Optimization) techniques such as keyword stuffing and hidden text so that search engines will present their sites at or close to the top of the listings in response to keyword searches relating to the fires.

If the user enters one of these sites, he will be redirected through several domains and, in the last of them (http://removeallthreat [ELIMINATED] .com), he will end up downloading malware of the rogue antimalware type that ESET products detect as Win32/Adware.Antivirus2009.

As can be seen in a screen dump shown in the ESET Latin America blog page at http://blogs.eset-la.com/laboratorio/2009/08/23/fuego-atenas-pretexto-para-infectar-usuarios/, several intermediate sites exist that are only used to trick the search-engine and the user into accessing the final page, which always contains malware. 

The bad guys make very frequent use of these techniques, using topical events that attract the attention of the media and people in general as social engineering bait to reel in their victims.

Overnight, ESET Latin America have found other domains that use the same techniques and download similar malware: 

  • removeallthreat [ELIMINATED] .com
  • removepc [ELIMINATED] .com
  • scan-my-PC [ELIMINATED] .com
  • remove-PC [ELIMINATED] .com
  • homevirus [ELIMINATED] .com
  • scan-your-PC [ELIMINATED] .com

ESET Latin America advise caution in accessing sites purporting to offer topical information and look out for these particular domains: if possible, block traffic from these sites using firewalls and proxies.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


Lies, Damned Lies, and SPYzooka


Wednesday, August 5th, 2009

Update. August 5th 1:30 PM PDT. I received an email from Mr. Carl Haugen, the president of BluePenguin Software who develop SPYzooka. According to Mr. Haugen the offending post was made by a former employee and has now been removed. I have verified that the post was removed. This is an encouraging sign. I will also note that BluePenguin is an accredited member of the Better Business Bureau and has a good track record of resolving customer complaints.

A friend of mine from the respected Indian antivirus company Quick Heal Technologies recently brought two posts on the web to my attention.

http://www.articlesbase.com/security-articles/do-not-trust-quick-heal-antivirus-plus-2009-987981.html is an article written by someone who does not wish to disclose who they are. The article is pure fiction. Remember, articlesbase.com does not validate content so I would assume everything there is wrong unless I independently verified the facts elsewhere.

The second link, and in my opinion the likely source of the fictitious article is http://bluepenguinsoftware.com/spyzooka/blog/removal-instructions-for-quickhealantivirusplus2009/

The author of the “blog”, Carl Haugen, claims:

“Like other rogues, it claims to be beneficial but in actuality it is malevolent. Instead of helping remove threats, it will download spyware, Trojan horse apps, adware, and other malware.”

I’m not a lawyer, but I have advised my friend that if Quick Heal chooses to sue BluePenguin Software for libel, I would be happy to testify on behalf of Quick Heal. It sure looks like a slam-dunk libel case to me.

It is possible that the folks at BluePenguin downloaded a pirated, cracked version of the program, but if they had downloaded the program from the developer’s web site they would have a legitimate antivirus product.

If you do your research on Quick Heal, you will find that they are tested by Virus Bulletin, have 27 VB 100 awards, 10 failures, and 28 no entries. Spyzooka does not participate in VB testing.

Quick Heal is certified by West Coast Labs Checkmark certification for both antivirus and spyware. Spyzooka is not certified.

Quick Heal is a corporate member of AVAR, the Association of Asia Antivirus Researchers, where I sit on the board of directors with my friend Sanjay Katkar of Quick Heal.

I don’t see any industry related, professional organizations that BluePenguin participates in. They aren’t even members of the Anti-Spyware Coalition (ASC), which you would expect from a legitimate anti-spyware focused company. Currently Quick Heal is not a member of the ASC either, but I have recommended they join.

I won’t comment on the quality of Spyzooka, as I have not tested it or seen any legitimate tests of it, but the blatant dishonesty of their President would not lead me to consider the product.

Yeah, Quick Heal is a competitor of ESET’s, but that is no reason to let a wrong stand un-righted. We’ll go toe to toe with Quick Heal based upon the merits of our product, but we wouldn’t stoop so low as to call a legitimate antivirus product a rogue.

Randy Abrams
Director of Technical Education

SlideShare used to spread malware


Monday, August 3rd, 2009

Over the weekend our colleagues at ESET Latin America found that Slideshare was being used to spread malware. As they haven’t found much information on the web about this, Sebastián Bortnik blogged today about what they found. (Errors in translation and interpretation should be attributed to David Harley!) I’ve added some thoughts and some content based on discussions I’ve had subsequently with Pierre-Marc.

When monitoring known sources of rogue antimalware, it’s common to find sites used for the active spread of malware. ESET Latin America have already reported in their blog a number of highly effective attacks, directed at the many users looking for free security products.

This weekend, they found a new platform used to spread malware: Slideshare.net. This website is very widely used for sharing presentations, but now it is being exploited by attackers, creating fake slide decks and using social engineering techniques to pass them off as having themes that will appeal to potential victims.

A case in point is a file they found to be passed off as a cracked download of ESET’s NOD32 scanner. The presentation includes a slide that has a single link, and adds in the SourceForge.Net logo  to give more credibility to the download. (Though you may wonder, as I did, since when has SourceForge been distributing cracked commercial software?!?)

If the user clicks on the link, he or she will be directed to a website that looks like SourceForge.Net, but is actually a spoofed site set up for malicious purposes. Subsequently, the window opens a file for download which has an .EXE extension.

In the case investigated by ESET Latin America, if the user downloads the file, it does not, of course, install any antivirus software. On the contrary, his system gets infected with a malware variant detected proactively by ESET NOD32 heuristics as Win32/Kryptik.YT. However, Pierre-Marc tells me that he’s subsequently been seeing files with a different filename downloaded from a URL suggesting a Chinese origin. This file is detected as Win32/TrojanDownloader.FakeAlert.ADB, which is used to download fake anti-virus software, and a sample submitted to VirusTotal indicated good antivirus detection (31/41). The problem, however, is that these attacks are not aimed at people who already have competent anti-malware, but at people who are looking for a (preferably free) solution, even if it’s pirated.

More than ever, you need to be careful in carrying out downloads from the Internet, as any platform may suddenly be found to be used or misused to propagate malicious code. Particularly in a case like this: it only makes sense to download security applications from their official websites: after all, if a site is prepared to offer pirated software, why would you assume that it has honest and benevolent intentions towards people who take up that offer? In fact, attackers are constantly seeking new platforms by which to propagate their threats, and they are not slow to seize the opportunity to misuse any new means of propagating malware. In fact, malware that passes itself off as antivirus is almost as old as antivirus.

The situation may be exacerbated by the fact that PowerPoint is generally regarded as a "safe" format, even though it can be misused in a number of ways to carry malicious code (macros, embedded files and so on). In this case, however, it’s not just a question of whether the file is innocent: it’s also a matter of realizing that an uninfected document may carry a link to a dangerous site.

Sebastián Bortnik, Pierre-Marc Bureau, David Harley


Xrupter – Scareware meets Ransomware


Thursday, March 26th, 2009

There are quite a few reports currently about particularly ugly developments on the fake AV front. The Register’s John Leyden has referred to a "double dipping" attack, in which the notorious Antivirus 2009 is implicated in an attack that goes beyond offering useless rogue anti-malware to inflicting actual damage on user data files, in order to force the victim to pay for another "utility" in order to recover them. FireEye implicates Vundo (Virtumonde), the equally notorious adware Trojan, which is often used to push fake security software. The attacks ESET is seeing involve the dropping of a malicious executable called fpfstb.dll – which we, among others, detect as Xrupter – into the system directory (%sysdir%), and creating or changing a number of registry keys. This one ensures that the program is run at every startup.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"AppInit_DLLs" = "%sysdir%\fpfstb.dll"
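A read-only check for the autoload value named above, as an added example that is not ESET's code or part of the original post. The second registry view (Wow6432Node), the LoadAppInit_DLLs switch and the signature check are additions beyond what the post describes, and the lookup of bare file names in the system directories is an assumption.

```powershell
# Added example: list every DLL registered under AppInit_DLLs and show
# whether it exists on disk and carries a valid Authenticode signature.
# Read-only; run in a PowerShell session on the Windows host being checked.

$views = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
$namedInPost = 'fpfstb.dll'   # the only file name the post gives

function Get-AppInitEntry {
    param([string[]]$KeyPath = $views)

    foreach ($key in $KeyPath) {
        # The Wow6432Node view does not exist on 32-bit Windows.
        if (-not (Test-Path -LiteralPath $key)) { continue }

        $props   = Get-ItemProperty -LiteralPath $key
        $enabled = $props.LoadAppInit_DLLs      # $null when the value is absent
        $raw     = [string]$props.AppInit_DLLs

        # The value is a list separated by spaces or commas.
        foreach ($entry in @($raw -split '[ ,]+' | Where-Object { $_ })) {
            $path = [Environment]::ExpandEnvironmentVariables($entry.Trim('"'))

            if (-not [IO.Path]::IsPathRooted($path)) {
                # Assumption: a bare file name lives in a system directory.
                $candidates = 'System32', 'SysWOW64' | ForEach-Object {
                    Join-Path $env:SystemRoot (Join-Path $_ $path)
                }
                $found = $candidates |
                    Where-Object { Test-Path -LiteralPath $_ } |
                    Select-Object -First 1
                if ($found) { $path = $found }
            }

            $exists = Test-Path -LiteralPath $path -PathType Leaf
            $sig = if ($exists) {
                (Get-AuthenticodeSignature -LiteralPath $path).Status
            } else {
                'FileMissing'
            }

            [pscustomobject]@{
                Key              = $key
                LoadAppInit_DLLs = $enabled
                Entry            = $entry
                ResolvedPath     = $path
                Exists           = $exists
                Signature        = $sig
                NamedInPost      = ([IO.Path]::GetFileName($path) -ieq $namedInPost)
            }
        }
    }
}

$entries = @(Get-AppInitEntry)
if ($entries.Count -eq 0) {
    'AppInit_DLLs is empty in every registry view checked.'
} else {
    $entries | Format-List
}
```

On most systems the value is empty, so any entry is worth reviewing; an unsigned or missing file, or one with NamedInPost set to True, is the case to investigate first.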

Xrupter is a Trojan application that looks for data files in the "My Documents" folder and encrypts them. As you can see from the list of file types below*, this attacks types of file that may be critically important for personal or business reasons to the victim.

 The victim then sees messages like these in the system tray:

"Windows File Protection

Windows has detected that the following files seems to be corrupted. To prevent future data corruption, click Repair button below. "

"FileFix Professional 2009

Please, register your copy of FileFix Professional 2009 to repair all corrupted files. Click here to open Buy now page. "

FileFix does decrypt the affected files so that they’re accessible again, but only at a price (and it only decrypts the files that Xrupter has weakly encrypted: it’s useless as a general decryption utility and may well be used for other malicious purposes in the future). Furthermore, its home web site is currently offline, so if you fall victim to this scam, you may not be able to access it anyway. 

Fortunately, a number of sources have made alternative (and free!) decryption utilities available. Symantec’s is here, and FireEye’s is here.

There’s nothing new about ransomware of course: in fact, it was Dr. Popp’s AIDS Trojan, which encrypted the victim’s hard disk and then demanded money to get it fixed, which was my introduction to anti-malware research in 1989.

And fake anti-malware is almost as old – one of the Black Baron’s malicious packages was made available as "antivirus" in the 1990s.

However, the combination of fake security software and data-diddling as a means of extortion as two prongs of the same attack seems, somehow, particularly unpleasant. Nonetheless, I’m sure we’ll see more of such attacks.

* The Trojan looks for files with the following filetypes (filename suffixes – that is, the part of the filename that follows the last period character, for example mynewnovel.doc):

doc, docm, docx, dotm, dotx, jpeg, jpg, mdb, mp3, pdf, png, potm, potx, ppam, ppsm, ppsx, ppt, pptm, pptx, pst, wma, xlam, xls, xlsb, xlsm, xlsx, xltm, xltx

 (Thanks to Paolo Monti, my colleague at Future Time/ESET.it, Hon Lau of Symantec, and Alex Lanstein of FireEye for some of the information on Xrupter used here.)

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Rogue Security Software: Traffic Converter taken down


Monday, March 23rd, 2009

As we’ve mentioned here before, fake antimalware problems are a serious problem, both to the real security industry and to our customers. So it’s good to hear of action being taken against some of the miscreants involved: more specifically, the takedown of the resurrected Traffic Converter site, a major player in the distribution of this particular form of malware.

This is directly linked to an excellent Security Fix article by the estimable Brian Krebs which paid particular attention to Traffic Converter and Baka and their affiliates. Nice one, Brian!

An excellent example of how a journalist can make a real difference without breaking the law. BBC take note!

Brian’s article is a recommended read for anyone wanting to understand this phenomenon. For a lighter overview, a paper by ESET’s Cristian Borghello might be of interest (it’s a translation of his own earlier paper in Spanish).

A couple of other links that might be useful: Randy’s recent article here; our 2008 Global Threat Report here.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Fake AV Spam and Selling Free Software


Wednesday, March 18th, 2009

[Updated after further investigation.]

For the past few days, I’ve been seeing spam to one of my accounts offering me various bits of software. Nothing unusual about that, of course, but this one was better constructed than usual, and consistent, and I made a mental note to look more closely when I’m a little less busy. Over Easter, perhaps. :-/

Today’s really caught my eye, though: it was linking to a product called  Antivirus 2009. Now there’s a familiar name… Sure enough, the link redirects to what looks like a classic fake anti-malware site. Quite carefully done, too.

There’s a page that explains why the product is better than AVG. (Sorry, Larry B., it’s their claim, not mine!) If you try to download it, it asks you to fill in a form with your name and email address. Then it asks you for credit card details, and as my alter ego on this occasion doesn’t have a credit card, I didn’t go any further. That’s a monthly bill I don’t want to explain to Accounting.

There are a couple of interesting features to this though.

  1. When I went back to those other mails, one was apparently for a PDF manager, and the other for Open Office, the open source office software. The PDF manager is hosted on the same site as the "antivirus" package, but the Open Office site has a name similar to the real site, but one suggesting that it’s hosted in the now-defunct Soviet Union (.su domain). The procedure for downloading is the same, so I haven’t seen the binaries.
  2. The email is not fancy, but it’s consistent. The sender address is gmail, and while the real address doesn’t change, the identifier does, according to the type of product being pushed. Something like this: PDF sales [badman@badsite.org];  AV sales [badman@badsite.org]. And there’s an unsubscribe link, which I haven’t tried. The English doesn’t have any glaring spelling or grammatical errors, unlike much spam. Of course, since I’ve just made this public, the format and content may change dramatically and suddenly. Not all our readers are good guys…
  3. The use of the credit card form so early in the proceedings makes it a little more difficult to follow up on stuff like this.

As I mentioned earlier, I turned this over to people better-resourced for investigations like this. No, I don’t mean the BBC…

The responses I’ve had back and some further probing on my own suggest a group simply trying to make money by selling free software, or access to software that may or may not be free. In other words, the scam is the credit card form, rather than an organized attempt to seed malware. Further investigation has turned up links to pages that spoof real antispyware vendors. I guess if you’re happy to make money by pretending to provide software, including security software, you’re not going to be concerned about whether it’s real or fake software you’re spoofing.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence