The Dangers Rogue Antivirus Threats Pose

Written by: Danielle Veluz

FAKEAV malware continues to evolve in both technology and social engineering tactics to keep up with ongoing security industry efforts. The latest FAKEAV variants have rootkit components similar to those of other prominent malware families such as ZeroAccess and SpyEye. Moreover, FAKEAV, which typically targeted Windows-based systems, is now also targeting Mac OS X-based systems, as seen in the emergence of bogus Mac antivirus software like MACDefender and MacSecurity. Even with the decline in FAKEAV volume, its distribution will likely recover since cybercriminals can make large sums of money from stolen information.

How does this threat arrive on users' systems?

Rogue antivirus software may arrive on users' systems through a variety of means. Attackers use different techniques such as spamming users with email messages containing links to rogue antivirus or FAKEAV download pages. Rogue antivirus software also poses as legitimate antivirus or anti-spyware applications that show up as results when users search in popular engines. FAKEAV variants may also pose as codecs that users supposedly need to download and install to view videos.

Search engine optimization (SEO) poisoning is a technique cybercriminals use to redirect users to malicious sites. Social networking sites and malvertisements can also lead to compromised or malicious sites that ultimately lead to FAKEAV downloads.

How do newer variants of FAKEAV arrive on the users’ systems?

OSX_DEFMA.B (one of the FAKEAV detections for Mac) arrives on users’ systems via spammed malicious links on the social networking site Facebook. When users click the URL posted on their walls, they are redirected to FAKEAV download pages. Cybercriminals are also abusing Google’s image search feature, rigging top search results for certain keywords and image results. Once users click the malicious links, they are pointed to sites where they can download OSX_FAKEAV.A or sites where the Black Hole Exploit pack is hosted.

Figure 1. Facebook post leading to MACDefender

What are the bogus product names for Mac that FAKEAV used?

  • MacSecurity
  • MacProtector
  • MACDefender
  • MacSweeper
  • iMunizator
  • Mac Shield
  • MacGuard

Figure 2. Graphic user interface of MACDefender

What happens to FAKEAV-infected systems?

FAKEAV software makes use of graphical user interfaces (GUIs) and poses as legitimate antivirus applications. Infected systems often display pop-up windows showing fake warnings of malware infection. This pressures affected users into purchasing full versions of the malicious software to supposedly rid their systems of a nonexistent malware infection. Scare tactics, such as alerting users to alarming changes to their systems in order to cause panic, are also usual for rogue antivirus applications. Some FAKEAV variants may also be considered "ransomware," as these encrypt files to force affected users to purchase the rogue software.

More recent variants hosted in high-traffic sites also have script-based capabilities, allowing them to infect even more systems. Newer variants can also modify the Layered Service Provider (LSP) to prevent Web browsers from accessing certain sites, replacing them instead with fake security alert messages.

How does this threat affect users?

FAKEAV-related threats have a wide range of implications for users. FAKEAV variants also use stealth mechanisms, injecting their .DLL or .SYS rootkit components into legitimate running processes (e.g., explorer.exe, winlogon.exe) or into their own running processes. Doing so allows them to hide malicious files and components from users and antivirus software, thus preventing their removal.

More recent malware versions are capable of terminating processes. The continuous appearance of pop-up windows and fake warning messages is also a sign of FAKEAV infection. Some variants also display fake warning messages in Web browsers when users try to use search engines.

Apart from having their systems infected, users are also scammed into paying for FAKEAV licenses and giving out their credit card information to cybercriminals.

What are the significant developments in the latest FAKEAV variants?

10th generation FAKEAV variants download a rootkit component that enables the FAKEAV malware to hide its malicious processes and files. This is done to avoid being easily detected and removed from users’ systems. In addition, it can block rootkit detection tools such as GMER and RootkitBuster, making it difficult for security researchers to analyze. The 11th generation FAKEAV variants can infect Mac OS X systems and propagate via social networking sites like Facebook and Twitter. They also point users to adult sites.

What is the driving force behind this threat?

These imaginary threats have but one driving force: to trick users into thinking that the supposed infections can be removed if they activate the FAKEAV software by giving out personal details. The popularity of the Internet as a means of communication and information exchange leads users to use it heavily.

This makes the Web an ideal playground for cybercriminals to thrive in. Users may be easily lured, after all, into clicking links in blogs and social networking sites with legitimate or reputable domains. They may not even consider the postings on these sites as potential infection vectors. The effects of FAKEAV infection have been well documented. At the very least, users lose time by responding to false alerts and by closing windows. More importantly, however, users can also incur financial losses if they reveal pertinent personal information (e.g., credit card numbers) while on malicious sites.

Rogue antivirus applications are a lucrative business. This is seen in the FAKEAV affiliate network, BeeCoin, that amassed more than $120,000 and installed FAKEAV malware on 214,000 systems in just six months (Jan-June 2011). Moreover, in just a month, the Mac FAKEAV campaign gained 300 million hits, affecting many users.

What makes this threat persistent?

Most tech-savvy users are already familiar with what rogue antivirus applications do. The persistence of this threat lies in how the variants arrive on systems, usually as the final payload of blackhat SEO attacks. SEO poisoning has become so rampant that cybercriminals have mastered the use of this technique to easily redirect users to specially crafted malicious sites. The series of redirections is another factor in what makes this threat persistent. These redirections make the download and final payload URLs difficult to block and/or detect.

Enticing users to download fake codecs has also proven to be an effective social engineering tactic that helps this threat persist. The growing number of users on social networking sites such as Twitter and Facebook has also become vital for cybercriminals to further spread FAKEAV.

In addition, cybercriminals now employ new domain names to host exploit packs, malware, and landing pages to lure users into installing rogue applications. FAKEAV distributors also generate modified binaries to avoid detection and removal.

Lastly, the FAKEAV business model paved the way for the prevalence of this malware. According to senior threat researcher Nart Villeneuve, the meta FAKEAV affiliates play a crucial role as the ‘middleman’ in the FAKEAV business model. As the ‘middleman’, the affiliates distribute FAKEAV malware for cybercriminals who don’t have many connections in the underground.

What are the tell-tale signs of rogue antivirus scanners?

There are several indications of a fake antivirus scanner on a user's system. A typical tell-tale sign of a fake antivirus program operating on a system is when it installs itself and then proceeds to "scan" the PC without user intervention. Fake antivirus software also uses deliberate ways to grab the user's attention, such as reminding users to activate the product. An example of a fake dialog box can be seen below:

More tips and tricks for spotting FAKEAV can be found in this blog entry:

What are some of these fake antivirus products?

Several fake antivirus products are currently affecting users’ systems, alerting them with results of a fake scan. These rogue applications possess convincing GUIs. To the naive Internet surfer and the untrained eye, the fake programs could easily pass as legitimate.

Samples of the rogue software include names such as Microsoft Security Essentials Alert, Internet Security, SecurityCenter, AV Security Suite, Security Tool and Desktop Security. Some screenshots can be seen below.

What can we expect from developing FAKEAV variants?

As FAKEAV evolves from its older variants, users continue to see a slew of phishing and pharming sites, as well as spoofed antivirus products and websites. Some FAKEAV variants even attempt to spoof legitimate antivirus products.

User awareness of FAKEAV has grown since its earlier variants, which is why attackers are also likely to target legitimate antivirus websites by doing the following:

  • HOSTS file modification - seen in old FAKEAV variants
  • DNS settings modification - exhibited by 9th gen
  • Website spoofing
  • Compromising legitimate antivirus websites
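A defender-side check for the first technique in the list above, HOSTS file modification: the script below parses a HOSTS file and flags any entry that overrides a security vendor domain, distinguishing entries that black-hole the domain (loopback or 0.0.0.0) from entries that redirect it elsewhere. This is an added example, not code from the original article or from Trend Micro; the vendor domain list and the sample HOSTS content are constructed assumptions, and the TEST-NET address stands in for an attacker-controlled host.

```python
import ipaddress

# Assumed list of vendor/update domains whose HOSTS overrides should never be
# present on a healthy system. Extend it with the vendors you actually rely on.
PROTECTED_DOMAINS = {"trendmicro.com", "microsoft.com"}

# Constructed sample HOSTS content for demonstration (not a real infection).
SAMPLE_HOSTS = """\
# Constructed sample, not taken from a real system
127.0.0.1   localhost
127.0.0.1   www.trendmicro.com
0.0.0.0     update.microsoft.com
203.0.113.7 downloads.trendmicro.com   # TEST-NET address as a stand-in
192.0.2.10  example.org
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS text, ignoring comments and blanks."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def is_protected(hostname):
    """True if hostname is a protected domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in PROTECTED_DOMAINS)


def suspicious_entries(text):
    """Return (hostname, ip, kind) for every HOSTS override of a protected domain.

    Loopback or unspecified targets block the vendor site (updates silently fail);
    any other target redirects it, e.g. to a fake security alert page.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if not is_protected(name):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; not an IP address
        kind = "blocked" if addr.is_loopback or addr.is_unspecified else "redirected"
        findings.append((name, ip, kind))
    return findings
```

On Windows the file to scan is `%SystemRoot%\System32\drivers\etc\hosts`; on Mac OS X it is `/etc/hosts`.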

FAKEAV has come a long way from its first generation of adware downloaders. FAKEAV has improved its fake alerts, while doorway pages are increasingly using Java vulnerabilities. Browser-specific payloads for FAKEAV have also evolved by mimicking browsers' interfaces and site designs, which can easily lead users to believe that the alerts they see are legitimate. FAKEAV variants now use audio alerts as part of their behavior. The constant improvement and evolution of FAKEAV is a clear indication that those behind rogue antivirus software propagation are still honing their techniques.

Security researchers see the possibility that FAKEAV will target other in-demand devices such as iPhones, iPads, and iPod Touch devices. According to mobile solutions product manager Warren Tsai, any browser on a mobile device is able to render fake scans once users visit a FAKEAV download page.

Trend Micro is monitoring the threat landscape for other FAKEAV variants for Macs, as prompted by the consecutive attacks in May 2011.

Are Trend Micro product users protected from this threat?

Yes. Trend Micro™ Smart Protection Network™ delivers security infrastructure that is smarter than conventional approaches. Leveraged across Trend Micro's solutions and services, Smart Protection Network combines unique in-the-cloud reputation technologies with patent-pending threat correlation technology to immediately and automatically protect your information wherever you connect.

Smart Protection Network protects users from this and future threats by blocking access to malicious sites where FAKEAV may be downloaded via the Web reputation service, and by detecting and blocking the execution of related detections via the file reputation service.

Mac OS X users can use Trend Micro Smart Surfing for Mac that detects all known Mac malware and its components.

What can users do to prevent this threat from affecting their systems?

It is important for users to exercise caution when opening email messages and clicking URLs. Untrustworthy sites are likely to host compromised pages. Avoid downloading and installing software from unknown sources. Familiarizing oneself with the latest trends in the threat landscape may also help users avoid becoming victims of such attacks. Users are also advised to apply the latest security patches from third-party vendors to ensure that their software cannot be exploited through known vulnerabilities. Make sure, however, that these patches still support your current OS.

Experts' Insights

“FAKEAV providers use scare tactics to trick users into downloading and installing their malicious creations. Remember that seeing warning messages or fake system scans does not indicate system infection. Your system gets infected only when you panic and run the malicious applications.” - Nart Villeneuve, Senior Threat Researcher

"Originating from seemingly benign adware, FAKEAV variants continue to grow and develop more insidious means to extract money from affected users. The 11th generation of FAKEAV is a clear reminder of how persistent FAKEAV is; it has chased users even on a completely different platform that is supposed to be secure - Mac OSX. However, these fraud applications continue to persist not because users’ systems get infected, but because users purchase the fake antivirus when they get infected. When you buy fake antivirus software, not only do you waste money on useless software, you also motivate cybercriminals to continue their fraudulent schemes." - Roland Dela Paz, Threat Response Engineer

“Being one of the most profitable malware around, FAKEAV has undergone numerous modifications just to keep the antivirus industry at bay. It has gone a long way from its BSOD roots as recent generations are now successfully crossing over to other platforms. Some are even using sophisticated rootkit technology. The signs are all there — FakeAV and its proponents are not going away any time soon.” - Jessa dela Torre, Threat Response Engineer
