Microsoft has bolstered its Malicious Software Removal Tool this month to include a signature that detects and removes FakeSysdef, a Trojan that has been successfully tricking people by posing as a system performance tool. According to engineers at Microsoft’s Malware Protection Center blog, the Trojan masqueraded as a program called System Defragmenter last December. It’s also surfaced under different names including Scan Disk and Check Disk.
Victims run across the program in poisoned search engine results. As Microsoft explains, the malware spread fairly easily thanks to the multitude of exploit toolkits that have search engine poisoning built in as a feature.
Creators of the Trojan and rogue security software are notorious for using exploit kits and “search result poisoning”, or Black SEO, to launch installers of their malware. For example, malware creators could use an image search poisoning scheme to deliver poisoned search results to users that search for a photo of a popular or public person. When opening a (malicious) returned search results page, the user could become infected by way of a drive-by download that executes
The bad news for victims is that the Trojan can be really pesky. If the message to purchase performance improvements is ignored, the malware “reboots the machine repeatedly until they activate the fake fix.”
FakeSysdef is very much like rogue antivirus programs, which latch onto potential victims by poisoning search engine results. We’ve been keeping track of the highs and lows of rogue antivirus. Brian Krebs of KrebsonSecurity reported last month that international law enforcement was making some headway against Russian cybercriminal gangs peddling rogue antivirus.
There’s no doubt that the game of whack-a-mole will continue in this area.
The Department of Justice and FBI on Wednesday said they broke up two international cybercrime rings that caused more than $74 million in losses to more than one million computer users through the sale of fake security software.
Two Latvians were arrested and more than 40 computers, servers and bank accounts were seized as part of Operation Trident Tribunal, an international law enforcement effort targeting cybercrime, according to the DOJ. Twenty-two computers and servers in the U.S. were seized in connection with the scareware scheme.
One of the criminal groups allegedly sold more than $72 million in fake antivirus software over a three-year period, using a variety of scams to trick nearly 960,000 computer users. Latvian authorities also executed seizure warrants for five bank accounts that allegedly were used to funnel the scam leaders’ profits.
The second group used a malicious online ad to spread rogue antivirus products, authorities said. After the ad began running on a Minneapolis news website, the suspects changed the code in the ad so visitors to the website were infected with malware that launched the scareware, according to court documents. The fake antivirus caused computers to freeze up and generate pop-up warnings; users who didn’t buy the rogue software were unable to access data and files on their computers. Prosecutors said the scam resulted in $2 million in losses. Peteris Sahurovs, 22, and Marina Maslobojeva, 23, were arrested in Latvia in connection with the scheme, authorities said.
TrendLabs engineers have discovered a new trick that uses a phony Adobe update to install a Trojan on victims’ machines.
An unsuspecting victim can fall prey to the trick by visiting a website hosting the malicious code. The engineers, part of Trend Micro’s research team, discovered cybercriminals using the scheme to push a Trojan, Troj_Faykdobe, onto victims’ machines.
“This malware bears identical icons and version details to an Adobe update, which enables it to bypass antivirus software and system analysts, and to trick users into believing that it is legitimate,” wrote Oscar Abendan of Trend’s technical communications team in the TrendLabs Malware Blog.
Analysis of the Trojan was conducted by TrendLabs threat response engineer Jessa De La Torre. According to De La Torre, the Trojan drops other malware that terminates certain processes and contacts a remote server for orders. Cybercriminals can control it remotely to steal account credentials and other data from the victim without their knowledge.
The Trojan does not appear to affect users of Microsoft Vista or Windows 7. It runs on Windows 98, ME, NT, 2000, XP, and Server 2003.
Back in October, the notorious Koobface botnet spread on Facebook using a template spoofing Adobe’s Flash updater embedded within a fake YouTube page. Like the attack technique above, cybercriminals are using legitimate websites to host their malicious code.
The technique of spoofing update utilities has long been used and is growing in popularity as part of the rogue antivirus trend. The scareware uses coding to appear as if it is part of Windows’ own malware threat detection.
Security researchers at SophosLabs have discovered yet another new phishing campaign aimed at users of Amazon.com. A fraudulent Amazon email message claims a Sony VAIO A1133651A laptop has been ordered and is being shipped. The email includes an attached file that supposedly contains the tracking information for the customer.
There’s no surprise at what happens next. The attached file (track.zip) contains an embedded Trojan horse. In his blog, Graham Cluley of Sophos said the scareware program is designed to look like fake antivirus software.
Of course, this tactic is nothing new. But clearly cybercriminals think it is still an effective route to achieve their goal – to infect as many computers as possible with their malware.
We’ve written about rogue antivirus a number of times in the past. In December, the FBI warned that rogue antivirus losses are exceeding $150 million. Symantec issued a report last year on the scareware phenomenon. In a one year period, Symantec said it documented 43 million rogue security software attempts. It identified more than 250 different flavors of rogue antivirus.
- Matthew DeBarros
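A mail-gateway check for the kind of lure described in the Sophos post, added here as an example and not code from Sophos or the original article: it flags a message that names a brand in its From: header but is sent from an unrelated domain, and it opens a zip attachment to see whether the supposed "tracking information" is actually an executable. The allow-list of brand domains, the sample From: header and the in-memory track.zip are all constructed for the example.

```python
import io
import re
import zipfile

# Extensions a "tracking information" attachment should never carry.
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")
BRAND_DOMAINS = {"amazon": {"amazon.com"}}  # hypothetical allow-list for the example


def build_sample_zip() -> bytes:
    """Constructed stand-in for track.zip: a PE stub hiding behind a double extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tracking_info.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


def sender_domain(from_header: str) -> str:
    """Return the domain of the address in a From: header (display name ignored)."""
    match = re.search(r"<([^>]+)>", from_header)
    addr = match.group(1) if match else from_header
    return addr.rsplit("@", 1)[-1].strip().lower()


def executables_in_zip(data: bytes) -> list:
    """List archive members that are executables by extension or by MZ magic."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            by_ext = info.filename.lower().endswith(EXECUTABLE_EXT)
            by_magic = zf.open(info).read(2) == b"MZ"  # catches renamed binaries too
            if by_ext or by_magic:
                hits.append(info.filename)
    return hits


def assess(from_header: str, attachments: dict) -> list:
    """Return the reasons (if any) a message looks like a scareware delivery lure."""
    reasons = []
    domain = sender_domain(from_header)
    for brand, legit in BRAND_DOMAINS.items():
        if brand in from_header.lower() and domain not in legit:
            reasons.append(f"claims to be {brand} but sent from {domain}")
    for name, data in attachments.items():
        if name.lower().endswith(".zip"):
            exes = executables_in_zip(data)
            if exes:
                reasons.append(f"{name} carries executable(s): {exes}")
    return reasons


# Constructed sample modelled on the lure above: brand in the display name, foreign domain.
SAMPLE_FROM = "Amazon.com <order-update@amazon-shipping-notify.example>"
SAMPLE_ATTACHMENTS = {"track.zip": build_sample_zip()}
```

Running `assess(SAMPLE_FROM, SAMPLE_ATTACHMENTS)` yields two findings for the sample and none for a message genuinely from amazon.com with no archive attached.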
The FBI has issued an Intelligence Note, warning of a surge in rogue antivirus tricking people into buying the phony software. The FBI note estimates the rogue antivirus loss to victims to be in excess of $150 million.
The note warns of Web advertisements that serve up the phony software once a person clicks on the advertisement.
The scareware is intimidating to most users and extremely aggressive in its attempt to lure the user into purchasing the rogue software that will allegedly remove the viruses from their computer. It is possible that these threats are received as a result of clicking on advertisements contained on a website. Cyber criminals use botnets to push the software and use advertisements on websites to deliver it. This is known as malicious advertising or malvertising.
We’ve written a number of different blog posts warning about specific rogue antivirus campaigns. Many of the attacks take place on Web pages that rank highly in poisoned search engine results. Some security researchers have discovered rogue antivirus being served up on smaller, legitimate websites, which have been hacked and injected with code to pull off the attack.
In October, Symantec issued a report talking about the business of “scareware.” In it, Symantec said it received reports of 43 million rogue security software attempts to install the more than 250 distinct examples of rogue AV software it identified. The data covered a full year, from July 2008 to June 2009.
The scareware phenomenon is moving into social networks as well. Facebook was targeted by the antivirus scammers. Antivirus vendor AVG Technologies discovered that faulty coding in some Facebook applications led users to Russian attack sites pushing out phony antivirus and ultimately malware on victims’ machines. Meanwhile, Panda Security researchers discovered a form of rogue antivirus that incorporated ransomware into the mix. It urged users to buy a security key for $80 to unlock frozen files on their PC.
The FBI is urging consumers who come across these kinds of attacks to file a complaint with its Internet Crime Complaint Center. For enterprises, IT admins and security pros should educate end users about these kinds of attacks. Rogue antivirus can be very tricky, especially for Internet Explorer users, because the coding does a very good job of making the software appear almost part of Windows. It’s very convincing.