Scareware

Malvertising an Ever-expanding Threat

As if we don’t already have enough to deal with, it seems that malvertising–a technique where malicious code is placed in an online ad to either mislead the user or infect their computer—is on the rise. Microsoft recently filed five lawsuits against unnamed individuals accusing them of posting ads containing malicious and deceptive code on its MSN advertising network. And when Microsoft stands up and takes notice against a threat, you know it has some teeth.

The lawsuits Microsoft filed allege that individuals doing business as Soft Solutions, Direct Ad, “qiweroqw.com” (that’s a randomly generated name if there ever was one), ITmeter INC, and “ote2008.info” used malverstisements to either spread malicious code or deceive users into visiting websites that peddle scareware. Microsoft hopes that by filing civil suits in the U.S., the individuals responsible will be discovered and enjoined from continuing to post malvertising.

Recall that last week, as reported in The Register, an ad appeared on the New York Times web site offering a virus scan that then attempted to sell scareware to the user (“NYT scareware scam linked to click fraud botnet”).

As always, I recommend using a secure browser (Firefox with NoScript) and keeping your OS and security software up to date. Oh, yes, and a healthy serving of general caution couldn’t hurt.

Caveat araneo-fluitator! (Let the web-surfer beware!)

What do you think? Leave a comment!

Hacking Skills Help Save a Client’s PC

A client recently called about his home PC saying that there were all kinds of pop-ups telling him he was infected. Naturally, the pop-ups promised to remove the “infection” for $49.95, a typical scareware tactic. I figured this would be a simple job, probably WinAntivirus Pro or some variant of it, and I would be in and out in less than an hour. I was wrong; he had deeper problems.

When I booted his PC, I was confronted by multiple command windows all with the title “desote.exe.” I was able to get to a web page and determine that this file is related to Windows Police PRO, a WinAntivirus Pro variant. I was also able to download MalwareBytes’ Antimalware. It wouldn’t install; desote.exe popped in every time I tried to run MBAM installer. I decided to try a manual removal to get the PC to where I could run MBAM and clean things up later, so I deleted desote.exe, dbsinit.exe and a couple other related files. That was a mistake; Windows lost its ability to run .exe files.

I knew I’d probably have to hack it, so I fell back on an old trick: When .exe files won’t run, change the extension to .com. This worked. I was able to install MBAM, run it, and get the system cleaned up. Turns out that the malware changes the registry key HKCR\exefile\shell\open\command from the (Default) entry of ["%1" %*] to [c:\windows\desote.exe "%1" %*]; since desote.exe was missing, Windows didn’t know what shell to run .exe files with. Besides that, MBAM found rootkit components that would have been difficult to remove manually.

Hacker skills are valuable for us white hats.

Conficker’s raison d’etre? Profit, of Course

More than a week after Conficker’s much-hyped April 1st activation date, the botnet has come to life and is using a P2P communication system to update itself on what is believed to be millions of infected PCs. Along with the update, the worm is downloading scareware known as SpywareProtect2009, according to Alex Gostev of Kaspersky Lab:

One of the files is a rogue anti-virus app, which we detect as FraudTool.Win32.SpywareProtect2009.s. The first version of Kido (Conficker), detected back in November 2008, also downloaded fake antivirus to the infected machine. And once again, six months later, we’ve got unknown cybercriminals using the same trick.

As is typical with scareware, once SpywareProtect2009 is downloaded, the victim will start seeing the usual popup warning messages asking if they want to “clean and protect” their PC (see screen shot below). Of course, this will cost them $49.95. The criminals will no doubt make millions on these fees alone while amassing a huge database of valid credit card numbers that will likely be sold for additional profit.

Threatpost.com has posted an excellent FAQ and also provides a disinfection tool called KKiller for download.