
Trojan.FakeAV

Risk Level 1: Very Low

Discovered:
October 10, 2007
Updated:
July 10, 2014 8:33:56 AM
Type:
Trojan
Infection Length:
7,680 bytes
Systems Affected:
Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
1. Prevention and avoidance
1.1 User behavior and precautions
1.2 Patch operating system and software

2. Infection method
2.1 Spam email
2.2 Social networking
2.3 Search engine poisoning
3. Functionality
3.1 Pop-up messages
3.2 Fake antivirus scans
3.3 Clones
4. Additional functionality
4.1 Fake loss of desktop
4.2 Fake restarts
4.3 Fake system errors
4.4 Blocking execution of programs
4.5 Mimicking well-known antivirus brands
4.6 Bogus reviews and awards
4.7 Professional looking product pages
4.8 Multiple language user interface
4.9 Live online support
5. Additional information
5.1 Affiliates
5.2 Resources


1. PREVENTION AND AVOIDANCE
The following actions can be taken to avoid or minimize the risk from this threat.


1.1 User behavior and precautions
Users should be aware that email messages with malicious content may appear to have been sent by people known to them, and as such the fact that the sender is known does not guarantee the safety of any particular message.

Spam emails may contain malicious links that have been disguised or otherwise made to appear benign. Users should exercise caution when following links in email messages, especially if:
  • The sender is not known
  • Given the sender, the characteristics of the email are unusual
  • The link is to an unknown domain or an executable file

Users should avoid opening email attachments unless their authenticity can be verified.

The downloading of files using peer-to-peer file-sharing networks can lead to infection. Users should avoid downloading files from unknown or untrustworthy sources, including fake video Web sites that may serve the Trojan executable under the guise of it being a codec that is required to watch a streaming video.

Users can mitigate the risk of infection by being careful about clicking links found on Web sites, such as blogs and forums where there is potentially little control or quality checks on the content. Basic checks such as hovering with the mouse pointer over the link will normally show where the link leads to. Users can also check online Web site rating services such as safeweb.norton.com to see if the site is deemed safe to visit.

When performing searches in search engines, users should treat any results returned with caution and double-check them before following the links. If pop-up advertisements are displayed, users should not click on them or follow any links within them.

Users offered an unfamiliar security product by way of pop-up messages or other similar methods while browsing the Web should exercise extreme caution and, if in doubt, not download and install the software. It is generally safer to buy from a well-known or trusted brand's site, or to buy a product that is also sold physically in a local shop.

The following file names are commonly used for the installer components of Trojan.FakeAV. Users should avoid downloading and running programs with file names that are the same or similar to those listed below:
  • Av.exe
  • Ave.exe
  • Contract.exe
  • Ecard.exe
  • Eticket.exe
  • Install.exe
  • Invoice.exe
  • Msa.exe
  • Msb.exe
  • Postcard.exe
  • Settings.exe
  • Video[1].exe



1.2 Patch operating system and software
Users are advised to ensure that their operating systems and any installed software are fully patched, and that antivirus and firewall software is up to date and operational. Users should turn on automatic updates if available, so that their computers can receive the latest patches and updates when they are made available.



2. INFECTION METHOD
This threat is known to infect computers through a number of methods. We will examine each of these methods in more detail.


2.1 Spam email
Spam email is one of the primary methods used to distribute programs of this nature. Contents of spam emails are frequently changed and updated. The following are some representative samples of the types of emails that are used for propagation of these programs.

Subject
Update for Microsoft Outlook / Outlook Express (KB910721)

Attachment
officexp-KB910721-FullFile-ENU.zip

Or

Subject
A new settings file for the [EMAIL ADDRESS]@ [DOMAIN].com has just be released

Email body
Dear use of the [DOMAIN].com mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox [EMAIL ADDRESS]@ [DOMAIN].com settings were changed. In order to apply the new set of settings open this file:

http://[DOMAIN NAME]/settings.exe
Best regards, [DOMAIN].com Technical Support.

Or

Subject
Conficker.B Infection Alert

Email body
Dear Microsoft Customer,

Starting 12/11/2009 the 'Conficker' worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division

Attachment
open.zip

Known topics used
Symantec has observed the following topics used in spam emails used to distribute variants of this threat family:
  • Security upgrades
  • The Conficker (Downadup) worm


2.2 Social networking
With the use of social networking sites growing at such an explosive rate, it was inevitable that malware authors would attempt to utilize these services as a way to reach a wider audience. Facebook and Twitter profiles have been hacked in order to post updates pointing to sites that host misleading applications. The lure in these cases may include popular videos or content of a pornographic nature.


2.3 Search engine poisoning
Vendors of these programs often take advantage of high-profile news items or events that are commanding considerable interest on the Internet and in the media. It is now an unfortunate and repeated pattern that whenever a newsworthy story breaks, malware that rides the surge of interest in that story follows. Recent examples include:

  • Icelandic volcano (search results)
  • Rozlyn Papa (sample video link)
  • Chilean earthquake (search results)
  • Californian earthquake (search results)
  • Hawaii tsunami (search results)
  • Tiger Woods motoring accident

Vendors of fake security software often take advantage of interest generated by major events on the world stage, such as major disasters, sporting events, celebrity scandals, and so on.

When such events occur, the interest is often mirrored on the Internet by way of increased Web searches for keywords relating to those events. For example, during the Tiger Woods incident in November 2009, search terms related to the event – including the names of the people involved in the incident and the area where they lived – became some of the top terms searched for in well-known search engines. The authors of the misleading applications wasted no time to take advantage by poisoning the search engine results.





When a user searches for these terms, results containing malicious links may be returned. When clicked on, they may be redirected to a site that hosts a misleading application.

The most popular search terms at any given time are recorded here by Google. These terms may result in poisoned search engine results that may ultimately lead to sites that host these misleading applications.

A poisoned search engine link may present the user with the option of watching a video that relates to the topic they have searched for. However, this video will not play immediately.





Instead, the user will be instructed to download and run a file in order to watch the video. This file may be portrayed as a codec, a Flash installer file, or an ActiveX control, when in fact it is a copy of a misleading application.


In other cases, the poisoned search result will redirect the browser to a Web site that hosts a fake online security scanner, which attempts to perform a fake scan within the browser window. The fake scan is designed to look like a legitimate Windows operating system window. The fake scan window may include icons, progress bars, and names of drives and folders that commonly exist on computers with Windows installed.





When the fake scan has completed, the program then displays a list of falsely detected files.


The fake scan windows mimic the look and feel of different versions of the Microsoft Windows operating system, including Windows XP, Windows Vista, and Windows 7.

The user may then be instructed to purchase the software in order to remove these falsely reported threats.





Symantec has produced a video that illustrates several of the infection techniques discussed in the above section. The video also demonstrates some of the devious tricks that the threat can use in order to increase the apparent severity of the fake detections.



3. FUNCTIONALITY
The previous section described several of the techniques that vendors use to introduce the program onto the user's computer. Once installed, the program may immediately begin its deceptive actions.


3.1 Pop-up messages
These programs attempt to convince the user to purchase a license for the application in order to remove various falsely reported threats. They may display pop-up alerts requesting that the user allow the program to perform a scan of the computer. These pop-up alerts are displayed periodically until the user allows the program to perform the scan.


3.2 Fake antivirus scans
When the user decides to allow the program to initiate a scan of the computer, the scan may operate in a number of ways:
  • Some applications perform a fake scan with variable results, but always detect at least one malicious object.
  • Some applications do actually scan the computer, but use a database filled with clean objects that are reported as malicious entities.
  • Some applications create their database of malicious entities by parsing security vendor writeups for infection artifacts.
  • Some applications may drop files that are then ‘detected’.


After the scan has been performed, the user is presented with a number of files – always at least one – that have supposedly been detected as malware.

Once the program has reported the alleged existence of threats on the compromised computer, the user may be informed that the version of the program they are using is a trial version and must be activated in order to remove these falsely reported threats.





The user is required to purchase a license to activate the software at a typical cost of up to US $100. The activation price may depend on the duration of the license and/or whether ‘technical support’ is included.





3.3 Clones
These misleading applications are constantly cloned and rebuilt with new user interfaces, which are built to a high standard in order to appear professional.

The following are some examples of misleading applications in circulation at the time of writing.

  • VirusDoctor
  • VirusProtector
  • PCDefender



4. ADDITIONAL FUNCTIONALITY
The programs may also often employ various techniques in order to frustrate, frighten, and annoy the user into paying for a license for the program.


4.1 Fake loss of desktop
SecurityToolFraud periodically causes the compromised computer to restart. After it restarts, the program overlays a black window on the desktop, making it appear as if the desktop, icons, and wallpaper have been deleted.





4.2 Fake restarts
Antivirus2010 displays the following misleading image to the user claiming that their version of the misleading application is unregistered. The image makes it appear as though the computer is restarting, but in fact, the computer does not restart – it is merely an animated image that is displayed by the program.





4.3 Fake system errors
Another trick, which has been employed by a misleading application named NortelAntivirus, is to display a ‘blue screen of death’ (BSOD). Rather than actually causing a BSOD, however, the program simply displays a fake animation similar to that shown by Windows when a genuine error is encountered.





4.4 Blocking execution of programs

SecurityToolFraud has a feature that intercepts requests to run applications such as Notepad and falsely reports that Notepad.exe is infected, in this case with Lsas.Blaster.Keyloger. After reporting the infection, it closes the program's window, effectively denying the user access to that program. The misleading application may carry out this type of action against many other common applications, such as MsPaint and Regedit.





4.5 Mimicking well-known antivirus brands
NortelAntivirus has been designed to have the same appearance as Norton Antivirus. Clones of other well-known antivirus products are also known to exist.

4.6 Bogus reviews and awards
Vendors may create Web sites containing bogus reviews of the misleading applications. The Web sites may declare that the misleading application performs better than other well-known antivirus brands. They can also falsely claim that the product has received several prestigious awards and positive reviews from various recognized software magazines.





4.7 Professional-looking product pages
In order to further convince the user to purchase the product, many of these applications also have a professionally designed product Web page. These Web sites borrow techniques and content from legitimate antivirus vendor Web sites to make them appear authentic.





4.8 Multiple language user interface
Some versions even provide multiple language support in their user interface in order to increase the perception that they are legitimate applications.





4.9 Live online support
To further demonstrate the professionalism behind the operations of the misleading application scams, some versions even have live online support staffed by real humans. Symantec has published a blog article describing how some misleading application vendors provide this human-staffed live support to help convince unwitting users to part with their hard-earned cash. This further demonstrates how well developed this scam business model has become.





In summary, all of these tricks add up to a powerful and effective arsenal of techniques that the misleading application pushers can call upon to further their aims.



5. ADDITIONAL INFORMATION


5.1 Affiliates

It is estimated that one vendor is responsible for approximately 80% of all misleading applications. The vendor is known by many aliases, including the following names:
  • Bakasoftware
  • Pandora Software
  • New Concept Business S.L.
  • Innovagest 2000


The vendor or their affiliates create the Web sites that host and distribute the misleading applications. It is common for these affiliates to sub-contract some work to further affiliates. This way, by the time the program is installed on a computer, it may have been re-packaged with other malware (which has been included by the affiliates).

The involvement of the affiliates can vary from creation to final production of the fake security software, and may include any of the following roles:
  • Application programmer – The role of the programmer is to write and maintain the code base that is used in the program.
  • Designer – The role of the designer is to design the user interface and alert windows of the program.
  • Packer creator – The role of the packer creator is to generate ways to avoid antivirus detection.


Applications are often rebranded as clones. The clones can take any of the following formats:
  • The same user interface (UI) can have a different code base
  • The same code base can have a different UI
  • Different custom packers can be used


The clones are released daily to weekly and the code bases can change anywhere from weekly to monthly. The affiliates are responsible for distributing the misleading applications using the techniques discussed earlier.


5.2 Resources
For more information relating to this threat family, please see the following resources:

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.
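The attachment-blocking recommendation above can be checked at the mail gateway against the lures reproduced in section 2.1, which deliver the installer either as a direct link to settings.exe or wrapped in a .zip attachment (open.zip). The following Python example is added here and is not Symantec's code: it parses one message, flags body links whose target is an executable (noting when the file name matches the installer names listed in section 1.1), and opens .zip attachments to look for executables inside them. The message it builds is a constructed sample; the domain example.invalid and the placeholder zip contents are assumptions.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment types the Recommendations section says the mail server should block.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}
# Installer file names listed in section 1.1 (compared case-insensitively).
FAKEAV_NAMES = {"av.exe", "ave.exe", "contract.exe", "ecard.exe", "eticket.exe",
                "install.exe", "invoice.exe", "msa.exe", "msb.exe", "postcard.exe",
                "settings.exe", "video[1].exe"}
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)

def _ext(name):
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""

def inspect_message(raw):
    """Return the list of findings for one RFC 822 message (empty means nothing flagged)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # Body links pointing straight at an executable, like the
    # http://[DOMAIN NAME]/settings.exe lure reproduced in section 2.1.
    body = msg.get_body(preferencelist=("plain", "html"))
    for url in URL_RE.findall(body.get_content() if body is not None else ""):
        leaf = url.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]
        if _ext(leaf) in BLOCKED_EXTENSIONS:
            kind = "known FakeAV installer name" if leaf.lower() in FAKEAV_NAMES else "executable"
            findings.append(f"link to {kind}: {url}")
    # Attachments: bare executables, and executables wrapped in a .zip (open.zip).
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if _ext(name) in BLOCKED_EXTENSIONS:
            findings.append(f"attachment with blocked extension: {name}")
        elif _ext(name) == ".zip":
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True) or b"")) as zf:
                    for member in zf.namelist():
                        if _ext(member) in BLOCKED_EXTENSIONS:
                            findings.append(f"executable inside {name}: {member}")
            except zipfile.BadZipFile:
                findings.append(f"attachment {name} is not a valid zip archive")
    return findings

def build_sample():
    """Constructed message modelled on the section 2.1 lures: a body link to
    settings.exe plus an open.zip attachment wrapping a placeholder executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("open.exe", b"MZ placeholder bytes, not a real program")
    msg = EmailMessage()
    msg["Subject"] = "Conficker.B Infection Alert"
    msg.set_content("Please install attached file to start the scan.\n"
                    "Or open this file: http://example.invalid/settings.exe\n")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="open.zip")
    return msg.as_bytes()
```

A gateway filter would quarantine a message with any finding rather than just log it; nested archives and password-protected zips (which this check cannot open) should be treated as suspicious as well.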
Writeup By: Éamonn Young and Eric Chien