CounterMeasures - A Security Blog � Fake AV

How to check if you are a victim of Ghost Click

Rik Ferguson — Wed, 09 Nov 2011 22:27:22 +0000

used by permission from flattop341 Flickr photostream

Trend Micro and the FBI are very pleased to announce today the dismantling of a criminal botnet, in what is the biggest cybercriminal takedown in history.

This concerted action against an entrenched criminal gang is highly significant and represents the biggest cybercriminal takedown in history. Six people have been arrested through multinational law enforcement cooperation based on solid intelligence supplied by Trend Micro and other industry partners. more than 4 million victims in over 100 countries have been rescued from the malign influence of this botnet and an infrastructure of over 100 criminal servers has been dismantled with minimal disruption to the innocent victims.

If you are worried that you might have been a victim of this criminal activity, the FBI have made an online tool available which will allow you to check if your DNS server settings have been tampered with.

First you will need to discover what your current DNS server settings are:

On a PC, open the Start menu by clicking the Start button or the Windows icon in the lower left of your screen, in the Search box type “cmd” and hit return (for Windows 95 users, select “Start“, then “Run“).This should open a black window with white text. In this window type “ipconfig /all” and hit return. Look for the entry that reads “DNS Servers” and note down the numeric addresses that are listed there.

On a Mac (yes they can be victims too), click on the Apple icon in the top left of your screen and select “System Preferences“, from the Preferences panel select the “Network” icon. Once this window opens, select the currently active network connection on the left column and over on the right select the DNS tab. note down the addresses of the DNS servers that your computer is configured to use.

You can check to see if these addresses correspond to servers used by the criminals behind Operation Ghost Click by using this online tool provided by the FBI, simply enter the IP addreses, one by one and click the “check ip” button.

If you feel that you computer may have been infected, you can visit Trend Micro’s HouseCall for a free scan and clean-up and notify the FBI by submitting this form. You should also contact your Internet Service Provider for advice on restoring your legitimate DNS settings.

Ongoing updates on this threat can be found on our Operation Ghost Click landing page.

Mac malware: Same shizzle, different dizzle.

Rik Ferguson — Fri, 27 May 2011 12:18:14 +0000

You may have read in the press recently about the Mac Defender scareware that is affecting many OSX users, to the extent that Apple have even promised to deliver a removal tool and a fix to their customers. Trend Micro’s Smart Surfing for Mac has been protecting against this threat from the outset, both by detecting and blocking the malicious files, but also importantly by blocking access to the criminal websites being used to propagate this threat. You may be surprised to hear though that Mac Defender is not the first “scareware” application targeting Mac users and trying to trick them into parting with their cash and their credit card details.

Malware for Mac OSX is nothing new, and the increasing popularity of the platform is driving criminal interest. In addition to Mac Defender (May 2011), there are already several threats in the wild that affect Mac OS X, the Leap worm (Feb 2006) that propagates through iChat , the RSPlug Trojan (Oct 2007), that drops DNS changing malware, the MacSweeper & IMunizator (Jan & Mar 2008) scareware, Jahlav (Dec 2008) another DNS changing malware, Krowi (Jan 2009) responsible for the first Mac OS botnet and HellRTS (April 2010) another Trojanised installer, this time for iPhoto which gives attackers remote control over the infected computer.

MacSweeper, IMunizator and now Mac Defender are typical scareware Trojans. In 2008 they were delivered by malicious advertisements and in 2011 criminals have adopted the tried and tested tactics so successful in the world of Windows, Blackhat Search Engine Optimisation. Booby trapped web pages are created, designed to show up in the first page of search results for popular terms. Simply clicking the link to one of these pages is enough to start the infection process. The latest version has even worked out a method to bypass the requirement for the user to type an admin password in order to install. Affected users are presented with a professional look application and informed that multiple security issues have been discovered on their computer. Subsequently they are duped into buying a completely bogus piece of software to “fix” those issues, a tactic with which Windows users will be only too familiar. RSPlug and Jahlav have both been known to pose as video codec installers, another tactic long popular on the windows platform. Once installed, DNS changing malware hijacks connections to sites such as eBay, PayPal and some banking sites. Often the malicious hosting site will distinguish whether the browser is Mac or PC based and serve up the correct flavour of Trojan demonstrating that it is the same skilled and experienced malware business that is now setting its sights on the Apple community. It is also worth nothing that Mac Forums were subjected to a barrage of spam encouraging people to visit the hosting sites in what appeared to be a co-ordinated campaign. Also important is the fact that these malware examples are not single discrete files, they represent entire families of malware, where new variants are continually being released to defeat signature based detection.

These examples of techniques long tried and tested in the Wintel world should serve as a salutary warning to the Mac community, and it seems that Apple themselves may finally be listening. Malware has existed on the Mac platform since pre OS X days, as have anti-malware tools. However the radical change in the nature of the malware industry coupled with Apple’s huge success in recent years, means it is a trend which is now far more likely to be exploited for malicious ends and at the financial cost of the end user in the coming months and years.

For many years now Mac users have believed themselves to be invulnerable to malware, and have been encouraged in this belief by Apple themselves on more than one occasion, or ”Safeguard your data by doing nothing“. This complacency leaves many Mac users with the mistaken belief that either Macs are not vulnerable to malware, or that none exists for their platform or both, impacting their ability to make informed decisions when downloading or installing new software, opening attachments or visiting questionable sites.

Cybercrime and malware in today’s world is big business, and one that ever more closely resembles the world of legitimate business, including outsourcing, R&D budgets, Malware as a Service platforms, SLAs and even EULAs. In this shady world of business it would defintely be fair to say that as the Mac market share expands and the user base grows, so does its perceived potential to the cybercriminal. It’s all about Return on Investment, and the fact that that user base is largely unprepared and the computers themselves largely unprotected only increases the attractiveness.

Malvertising, who’s responsible?

Rik Ferguson — Fri, 01 Apr 2011 12:18:05 +0000

Online advertisements are a part of our daily browsing experience as they are also an essential part of companies’ online marketing strategies. So how do we know, when visiting websites that carry these networked advertisements, whether we are opening ourselves up to criminal compromise through malicious ads?

Tweet from the New York Times after they fell victim to criminal ads

Web site owners use trusted content networks to provide advertisements for their websites, and criminals are actively targeting this trust relationship as it represents a weak link in the chain of content control. Criminals create shell companies to place advertisements that hide malicious content in ads that are subsequently placed with high profile advertising networks. These malvertisements are then syndicated across many hundreds of web sites silently infecting as many victims as possible, as these examples illustrate.

Malvertisments, as they are referred to, have become increasingly common over the past few years and continue to be a growing problem. The potential number of victims available to criminals through a syndicated ad will often far outstrips the potential return for compromising an individual website. Internet users are unknowingly putting themselves at risk when they visit legitimate websites, which happen to be carrying malvertisements, designed to invisibly and automatically infect them through drive-by downloads. A drive-by download usually involves a chain of events; the victim visits a website which in this case is carrying a malvertisement, the malvertisement will contain content (most often JavaScript or Adobe Flash) which will be automatically executed by the browser. The purpose of the JavaScript is to automatically and invisible redirect the browser to a server hosting exploits (commonly a criminal exploit kit such as Yes!, Eleonore or Phoenix for example) these exploits are then used to push out the final malicious payload of the criminal’s choosing. In some cases exploits for technologies such as Adobe Flash are embedded directly within the malvertisements and this has the same end result of delivering a malicious payload. Once infected, your PC is compromised or your virtual wallet lifted in a number of ways; from pushing fake security software which attempts to fool the you into believing that your PC is infected with any number of entirely bogus malware which only this (paid-for) application can remove, to criminals stealing your personal or financial details and/or obtaining remote access to your PC.

So where does the responsibility lie? Is it with the web site that is hosting the malicious adverts, the network distributing them, or the consumer who visits the website? Really the responsibility, as well as the potential for damage, is shared. Web site owners and ad-networks alike suffer embarrassing brand damage when their customers are infected and the victim of course suffers the pain of information or identity theft and financial loss.

It is certainly true to say that if the right checks and balances were in place the problem would largely cease to exist, at least on legitimate websites. Clients of ad-networks should be applying pressure to their provider of choice to ensure that the appropriate checks are made before the advert goes out. Ideally, automated systems need to be in place at the advertising content providers, to run the ads through a sandbox before they are released into the public domain, checking for any kind of active or malicious code. Third party providers should perform specific checks to verify URLs and detect any unexpected or unwanted behaviour such as automated redirections, even if not malicious no web user wants to be bounced off to a third party website simply as a result of rendering an ad in their browser and no website owner would want their visitors stolen in this way either!

In the meantime, Internauts should ensure that they have the appropriate anti-malware software installed on their PC to minimise the risk. Free options include tools such as Browser Guard, which blocks exploit attempts and detects malicious JavaScript, stopping it from executing. When choosing anti-malware software, it’s important not to focus purely on software that will scan for bad files, but also that will stop PCs (and not just browsers) from connecting to malicious destinations.

Bredolab, dead, dying or dormant?

Rik Ferguson — Tue, 26 Oct 2010 16:14:07 +0000

As I blogged earlier today, Dutch law enforcement took action to remove 143 servers from the internet which were acting as command & control servers for the Bredolab botnet.

In an update to that news, they have also announced the arrest of a 27 year old Armenian citizen suspected of being the brains behind the operation.

So is Bredolab, dead, is it dying or is it simply dormant?

The glib answer is that we don’t know, but let’s consider the current situation. Many if not most of the victim machines infected by Bredolab remain infected, the botnet has simply been decapitated. How effective has that decaptiation been? The graph below shows the marked decrease in the number of Bredolab samples collected from a pool of Bredolab C&C servers, this shows clearly the effectiveness of the law enforcement action.

Bredolab binaries downloaded over time

What we do know though, is that there is at least one Bredolab C&C server still active and that it is not hosted in the Netherlands, where there is one, there is the potential for more.

TrendLabs continue to monitor the situation, but it is clear from past experience with botnets such as Mega-D and Cutwail that criminal software displays remarkable tenacity and a disturbing ability to rise phoenix-like from the ashes of a concerted take-down attempt. Let’s hope that is not the case with Bredolab.

Dutch Authorities move on Bredolab

Rik Ferguson — Tue, 26 Oct 2010 10:53:49 +0000

According to a press release today from the High Tech Crime Team of the National Crime Squad in the Netherlands, action has been taken to isolate 143 servers from the Internet.

The servers were actively involved in the Bredolab botnet, from the release they would appear to be command and control servers. The servers were hosted by a company called LeaseWeb, one of the largest hosting providers in the Netherlands, who fully cooperated in the coordinated takedown operation.

Bredolab infection mails

Bredolab is primarily a downloading platform and has served to distribute fake AV and ZeuS to victim computers. The botnet, which originated in Russia, only rose to prominence in August 2009. Dutch Authorities estimate that it was capable of infecting 3 million computers per month at its peak. The primary initial trigger for infection with Bredolab was usually though mail, but infection vectors have been widely abused and also include drive-by download and even propagation through other forms of malware, for example, Cutwail has been seen to drop Bredolab as a payload, and Bredolab has been known to return the favour!

It is unclear right now whether the botnet has been effectively decapitated or it this only represents a setback to the criminals behind it. The bots remain infected with the malware so if alternative command & control servers exist, then reconfiguration and regrouping remains a possibility. TrendLabs are investigating current activity levels of the botnet and I will update this blog as soon as new information is available.

Kaspersky download site hacked to spread fake AV

Rik Ferguson — Tue, 19 Oct 2010 10:47:23 +0000

UPDATE: According to a report in ITPro by Jennifer Scott, Kaspersky have been in touch to confirm that their servers were in fact compromised and the redirection was very real. The breach was made by exploiting “a third party app used for site admin”. The malicious redirection was in place for three and a half hours.
________________________________________________________________________________

Several reports in Kaspersky user forums seem to indicate that the security software manufacturer was recently compromised by cybercriminals trying to punt fake security software.

Fake anti virus software is most often spread through booby-trapped web pages, designed to show up high in search results for popular or newsworthy terms; for example recently people searching for information about the Stuxnet malware were targeted. This is a technique so established that TrendLabs have been able to develop automated tools to proactively monitor and block these pages as they appear. If true, this compromise of a legitimate download site, particularly a security vendor could represent an important new change of tactics by the scareware pushers.

Kaspersky users in three separate forums; Calendar of Updates, YahooAnswers and Kaspersky’s own Kaspersky Lab forum have complained that links to download Kaspersky’s home user security software from their USA download site were redirecting them to a malicious web page pushing fake AV known as Security Tool. One user posted the below screen capture

According to forum posts Kaspersky have stated that there was no compromise of their servers. Somewhat incongruous then is the post by one forum user going by the handle of Micha, who appears to come from Kaspersky Lab in Japan according to his profile. He posted the following:

“Hello,

Thanks, it should be fixed.

Cheers “

Security vendors have often been the target of both malicious and mischievous hackers and without fail, honesty and transparency have always been the best policy in the aftermath of such an event.

Thanks to Donna for the heads-up.

The economics of fear

Rik Ferguson — Tue, 18 May 2010 13:53:09 +0000

In the world of computer security, there are two kinds of anti-virus software – stuff that works and stuff that doesn’t work at all. The problem for the average user is telling them apart, and this is something which criminals can make money from. A lot of money.

Have you ever had a window pop-up on your computer that said something along the lines of:

“Warning!!! Your computer contains various signs of viruses and malware programs. Your system requires immediate anti virus check. Click to perform a quick and free scan of your PC”

You have? Well you’re not alone.

I want to share with you some research carried out by one of my colleagues in TrendLabs, Bob McArdle. I can’t mention any names for fear of prejudicing ongoing investigations, but to be honest the names are irrelevant as they change so often anyway. Over the course of a year one criminal gang, let’s just call them Company X, made over $180 million US dollars by selling malware to their victims in at least 30 different countries around the globe.

You would be forgiven for asking why people would pay for malicious software and the answer is of course, they had no idea it was malicious in the first place.

The gang creates very convincing looking fake security programs designed to fool the victim into believing that their computer is badly infected. These scareware programs are then distributed by creating web pages designed to rank very highly in search engine results for popular current search terms or newsworthy events. As soon as the malicious search result is clicked a pop-up message like the above appears and the infection chain begins.

Here is a video of one such scam in action related to this incident I blogged about a while ago.

So how did they make so much money? Well firstly while the scan on offer might be free, the bogus results always show the machine to be very badly infected when in fact no scan at all has taken place. The worried user is then prompted to pay for the full version of the “security” software so that the non-existent malware can be cleaned up. So now, you have given your credit card details to criminals, downloaded malware onto your PC and paid somewhere between $50 – $100 US dollars for the privilege. This game is a volume one – if the gang can redirect 100,000 searches and only 1% of them pay for the product – they net $50,000 US for a day’s work.

The second part of the business model involves these machines that the criminals have now infected. As the infected user surfs the web, the malicious software quietly replaces all of the ads the user sees with ads belonging to one of the gang’s affiliates, most often pushing fake pharmaceuticals and the like. The gang get a kickback of two or three cents every single time an advertisement is replaced. Logs from one of the gang’s servers showed about a million ads replaced per day, netting them another $25,000 US per day, and this was only one of the gang’s botnets. So that’s $25K per botnet, per day.

The third part of Company X’s business model revolved around customer support strangely enough. Company X’s biggest problem of course, was credit card refunds. Customers who realised that they had been scammed would contact their card provider demanding a refund. After a while the credit card provider would refuse to do business with Company X and Company X would need to create another fake subsidiary company, complete with Fake IDs for all of their directors. To combat this, these criminals decided to invest heavily in call centres – setting up call centres in the US, Asia and Eastern Europe.

You see the Rogue AV would regularly ask the users to update their version, paying a small fee to do so – and would annoy the user with pop-ups until they did so. A lot of customers complied, however others rang the support line demanding the product be fixed. Each Rogue AV had a couple of settings that could be altered so that the users would never be prompted for updates again – the staff at the call centres simply stepped the users through to this point, all for the modest fee of $20 for the phone call.

Think before you click, not all security software is created equal.

Skype “Online Notification” leads to Fake AV

Rik Ferguson — Thu, 01 Oct 2009 17:52:21 +0000

In a sneaky bit of social engineering scareware pushers are registering convincing sounding monikers as Skype user names and attempting to lead people to rogue anti-malware sites.

Skype Rogue AV lure

The user name that is displayed in the Skype chat window is “Online Notification” and the associated user names appear on many variations of that theme; online.notification.america9, online.notification.america10 etc. This tactic lends this attack a veneer of credibility that is missing from the usual “Hi, I’m a sexy lady” or “Hi, buy my Chinese kitchen equipment” scams that are more familiar over Skype.

To the unwary, because of the well chosen user name, these messages appear to be something other than a stranger sending you a message, they appear to be some kind of real online notification.

The full text of the Skype message is

“******************************************

URGENT SYSTEM SCAN NOTIFICATION ! PLEASE READ CAREFULLY !!

http://www. {rogueAV domain}.net/

For the link to become active, please click on ‘Add to contacts’ skype button or type it in manually into your web browser !

FULL DETAILS OF SCAN RESULT BELOW

******************************************

WINDOWS REQUIRES IMMEDIATE ATTENTION

ATTENTION ! Security Center has detected malware on your computer !

Affected Software:

Microsoft Windows Vista

Microsoft Windows XP

Microsoft Windows 2000

Microsoft Windows Server 2003

Impact of Vulnerability: Remote Code Execution / Virus Infection / Unexpected shutdowns

Recommendation: Users running vulnerable version should install a repair utility immediately

Your system IS affected, download the patch from the address below !

Failure to do so may result in severe computer malfunction.

http://www. {rogueAV domain}.net/

For the link to become active, please click on ‘Add to contacts’ skype button or type it in manually into your web browser !”

The modus operandi is annoyingly familiar, just the medium and method are slightly novel. As I’m sure you have already guessed, these messages lead to fake anti-virus programs designed to extort cash from the victim. The same message appears with several different destination URLs, the advice in every case remains the same.

1 – Ignore the message

2 – Block the user (and check the “Report abuse from this person” box when you do so).

3 – Sit back and sip your cup of tea knowing you have done your bit in the fight against cybercrime today.