Thank you
A really good informative article, it covered every aspect of the scam and gives insight to those of us who are not IT professionals, one of the reasons I read the Reg daily.
Anyone who has a blog has probably seen blog spam; comments to the blog that simply try to entice people to go to some other site. Most of the time the site being advertised is simply trying to boost its search engine rankings to generate more ad revenue. The more links there are to a site, the more popular the search engines …
"This should serve as a dire warning to all: be extremely careful what you trust, and question everything that looks even remotely suspicious. For example, no website can run an anti-malware scan on your computer simply by your visiting the site. Any site that purports to do so is almost certainly run by criminal gangs."
Trandmicro's Housecall can. Although technically it does ask you to authorise a plugin first, be it ActiveX or Java.
Thanks for a great article.
I'm sick and tired of removing this rubbish from client's computers.
Two of them have cancelled credit cards after realising that they'd been scammed.
One of the card providers stated that they'd had quite a few issues with these b**tards. I have to wonder why they don't block the transactions if they already know it's a scam?
I saw this Malware on a friends PC recently. He told me his Norton was just about at the end of its subscription term and he thought it was connected to that. Starting from that assumption, it was very very believable to watch.
I can't recall what gave it away.. I think probably it was because I installed AVG (sans linkscanner) ready to replace the machine hog Norton anyway, and it found almost nothing except: Fake_AntiVirus.
Once that was sorted the machine was much happier. Norton was slugging it far more than this Antivirus 2008 was, though. Something is wrong when the evil stuff is less hassle than the real stuff...
I found this particularly interesting, having removed XP Antivirus from my sister's computer a month or two ago.
I hadn't seen the process by which it infected, and it did have me a little confused, since I'd never touched her computer before, and she claimed she'd been infected by a virus.
She said she had AntiVirus software, but didn't know what it was called, after playing around a bit, I realised it was a fake anti-virus app and was sufficiently impressed, further interrogations of her boyfriend indicated he had removed Norton AntiVirus a week prior to the infection.
Unfortunately I didn't get to see the infection process, or how detailed it actually is, and am now wondering whether the fake "Security Center" is still on her PC.
She now has AVG Free on there, a full system scan reported no threats, so hopefully she is clean.
A very interesting and detailed article indeed.
Thanks for the effort to bring this to light.
Where's the difference to so-called "legitimate" anti-virus vendors?
That software doesn't seem to do anything malicious, but essentially every "legitimate" anti-virus package has been found to have buffer overruns, thus executing code placed in files they scan. In this day and age this cannot be an accident. Ways to prevent buffer overflows have been known for decades now and ways to exploit them are at least known since around 2000.
I've recently spent a couple of days clearing the very same off a machine owned by a colleague (not that it took that long, but I wanted to make sure any recent "updates" were detected properly by the AV / anti-spyware)
Small note to anyone else with the same problem - isolate the machine from the internet, and get the files you need to clean it from a different PC - these damn things are updated on an almost daily basis, so the "good guys" have a very hard time keeping up with the latest variant.
In no particular order, but starting with Sysclean (Trend Micro), throw Spybot S&D, Vundofix, Blacklight (a rootkit detection util from f-secure), Smitfraudfix, and last but by no means least, Spywareblaster at it to detect, clear, and lock down the machine.
Also, in terms of free AV, for the paranoid - get Avira, for the normal user, get Avast (and the MacLoverOSX skin), and my least favourite freebie, AVG (previous experience fixing machines for people tells me to trust it as much as Norton...)
Congrats on a great write-up ! :-)
The spelling and grammar goes wrong earlier than you suggest - even in the 2nd dialog there's a reference to PC "freezes and creahes" (which I guess are supposed to be "crashes"). At this point, anyone reading carefully should have sirens going off in their heads.
Thanks for a well-researched article though, it was a pleasure to read.
Someone I know managed to install this software (or something very similar) and after a few attempts to remove it themselves, they were also misguided enough to pay the $45 in the hope that it would stop bothering them so frequently. Paying didn't make any difference and they got me to remove it about a month later. They also said that there were no other charges on their credit card. Perhaps the number of people who pay the $45 is already high enough and the scammers don't want to 'kill the golden goose' by making more obviously fraudulent transactions.
BTW my wife also managed to stumble onto one of these pages and I can tell you the endless popups are just as annoying even in Linux. She now knows how to use 'xkill' to escape from such nonsense.
I have seen a few users machines catch a variant of this malware from infected email attachments and also from .exe's downloaded via bittorent.
In the cases I saw, running the attachment or d/l file just installed the exploit and ran the xpantivirus2008 automatically, popped up the viruses found message.
It installed an executable in \windows\system32, and this thing would run at start up - not from registry run keys, or the start menu start folder nor as a service. I assume it patched some standard system exe to launch itself?
MacAfee detected it but could not remove it. Booted into safe mode, I could not remove it manually. There were open handles to the file.
It also would periodically pop up a system modal dialog with a test entry field and an alphanumeric code, and then demand the user type the code into the text box and click OK. This had enormous annoyance value.
Alas I cannot remember what MacAfee called it right now.
Or does thing also download other malware variants ??
Been seeing a lot of these coming through the workshop in the last week or so and by all accounts its an absolute pig to remove completely. The lads have said they need to use at least 3 tools to nuke it and other random crap that seems to be getting downloaded. One bloke claims he got infected via a spam email and had not been surfing at all that day.
Oh and well written article.
Thanks
Kev
Perhaps you might like to have another look at some of the dialogue boxes earlier in the sequence- they do actually include spelling errors, general syntax errors and elemental grammatical errors. For example:
Figure 2 (the initial warning): Crashes is misspelt "Creahes".
Figure 4: Strange syntax: "It is strongly recommended to remove *them* immediately".
Figure 5: Dont is missing its apostrophe
Figure 7: "By clicking Continue button you accepting our terms and conditions". I imagine they intended to say "you are" or "you're". An obvious grammatical error.
Figure 8 (the terms and conditions): Random use of capital letters, and multiple examples of words which would normally be combined together or hyphenated
Figure 10 (Support Forum): "If you have any questions regarding XP Antivirus for need any assistance......." Atrocious grammar
Figure 11: "Windows Security Center reports that "XP Antivirus" is inable." Strange- "inable"- what are they trying to say?
Figures 15 and 16: Repitition of "inable". Spelling error "unathorised"
Figure 17: "to get you system....." "troyans" (hmmm- think they were really getting sloppy at this stage)
In the interests of fairness- the AVG screenshot with its "Accessed file is unwanted" is atrocious English too. "Unwanted"- ehh? Poor file...... I had no idea files had feelings......
You'd never guess I worked in quality control on localisation duties for a while?
S.
This is not news to me. I have this attack vector sussed. I have been through all you described on a VM of my own. Did you by any chance RE the software that the user is prompted to download and discover what the malware actually does other than entice a user to provide card details to the scammers?
I am not smart enough yet to reverse the code that this malware installs and with clever obfuscation, debugger detection and encryption techniques often used to hide the purpose of such malware, I may never be smart enough to be do so. I am not brilliant, just smarter than the average bear.
To be honest, I sussed it was nasty as soon as I was prompted to download it, which I did and AV scanned, this produced a negative result, but I still knew it was bad and deleted it. I never tried to install or RE the code however. I will download again (if I can find it) and play with it in Olly and IDA tomorrow. btw the executable I was offered was AV2009Install_77011807.exe. I presume the same team are responsible.
i have been inundated with these things at the university where i work.
they come in thru bad blog spam, myspace bot spam, phishing emails, the works.
some of them pop up phony bluescreens, complete with fake restarts of windows, either via fullscreen animated GIFs, or by using a BSOD screen saver.
the only way i was able to spot one infection was that the "bluescreen" completed it's dump of physical memory and "restarted" windows. think about that for a minute. it's called the blue screen of death because it's the last action your computer takes before it locks up solid. there is no coming back.
someone has poured a lot of time and energy (and presumably money) into these scams.
these are not students playing a prank. this isn't some lonely guy in his mom's basement. these are real programmers at work, and they are probably backed by someone with money. this is not an automated attack that you can fix with automated tools. new versions are hitting every day, manually re-engineered to slide past anti-virus and anti-spyware tools. this is a human powered attack and it requires a human powered counter attack.
this isn't crime. this isn't a random act by an individual or a group. this is a coordinated attack by a growing group of motivated professionals. this is a war.
I encountered this scam last week at work when I had to remove some spyware from a lusers machine in another office (eventually we ended up scrapping the machine and replacing it).
I will definitely be recommending this article to both colleagues and friends ( I might even see if I can't get my boss to make some sort of notice for the company. Well written and helpful to both IT professionals and users. I hope we see more of this sort of writing.
"A reputable site will present you with product information and then leave the downloading decision up to you, not force it upon you."
Tried downloading the free version of AVG recently?
Nice article though I have been getting these 'warnings' for years. Whilst this one is a 'cunning plan' I suspect its probably overkill for the sort of person that thinks you can visit a website and it can really immediately detect malware. They are doomed anyway
I run both Lavasot AdAware and Webroot Spysweeper (which actually work GREAT running concurrently, and I even schedule them to scan nightly at the same time). I've also got Trend Micro running for AV security, and all my e-mail passes not only through g-mail's filters, but 2 others as well in a multiple forward process. Using an e-mail alias doesn't hurt, and I have not had a single spam in my personal account in 2 years.
I've always used Alt-F4 to kill windows, just a habit, but it avoids clicking. When I need to kill something, it's also typically easier to kill it from the task bar than the window itself. Also, using Opera, pop-ups are easy to avoid and windows designed to look like IE prompts are easy to spot.
This is an impressivley complex scam, and I'm sure they'll refine the spelling errors and other consistancies to make it more impressive. If I wasn't an IT admin, I might fall for this one myself.
I'm so paranoid using a PC that I NEVER click on a link, but always copy and paste the link into the browser. I've trained most of my family (including parents, cousins, and more, to do the same.)
On a Mac, I'd have none of these concerns. Any malware would likely not work at all. Any pop-ups targeting Windows this way would be VERY obvois indeed, and any malware i might inadvertantly download would not run.
I have removed this malware from too many machines in the last month or so, ranging from home PC of friends and family, to corporate machines, that have corporate AV installed on them.
I find that Malwarebytes Antimalware (malwarebytes.org) program removes the program with out any problems. You dont need to buy anything (unless you want continuous protection - but I run it once a week to keep an eye on things)
I hope that this will help others in the fight against the crap that is out there
I have come across this particular infection a lot over the last couple of months on various PC's, I have found that the easiest way to remove this is to use Malware Bytes Anti-Malware. Run a full scan using the free version, remove everything it finds and you should be good to go.
Another issue I've found is that some machines infected with this also have a secondary infection which turns your machine into a mass mailer spewing out thousands of spam emails (this may or may not be related to the first infection). So as well as doing the above, make sure the PC has up to date anti-virus software and run a full scan. I can confirm that Norton is able to successfully remove the secondary infection, whereas Malware Bytes Anti-Malware only removes the first.
A 2-week trial version of Norton Anti-Virus 2008 can be downloaded for free if necessary, a quick Google search should point you in the right direction for Symantec's Norton trial products.
Good luck.
I forget exactly what else this installed (I left the results in a text file on their screen), but...
Sysclean (with the additional spyware definitions) picked up 18 viruses / malware components - but failed to clean it up properly.
Spybot S&D then picked up a further 20 traces, and IIRC a couple more a day or two later once more updates were available - there were at least 14 different malware components, mainly of the credit card sniffing variety.
One thing that worried me was Blacklight initially showed three components which may have been rootkits - but by the same token, may have been legit subsystem drivers for audio / video (it was a Packard Bell Easynote). After a couple of days and a couple of scans / updates with Spybot S&D, I ran it again but it came up clear.
Thanks for linking to my forum in your article. I thought it was very well written and detailed.
Also something I see\do on a daily basis. Installing this junk and assiting others remove it.
Andrew Barr is correct that Malwarebyte Anti-Malware does a superb job in removal of these nasties.
I would also point out that Smitfraud Fix does the same thing, tho not targeted to as many other types of infections as MBAM.
And to update I have another thread where I post all the latest rogue sites and software I find from many other sources. The one you linked to is out of date as it was no longer viable for them to keep the database updated:
http://www.temerc.com/forums/viewtopic.php?f=26&t=5053
Thanks again for the mention!
That thing's only permitted for companies whose products pass Windows Logo testing, and pay a premium to Microsoft. Seeing that logo on one of the screen shots constitutes copyright violation. Not to mention misrepresentation or whatever the landshark-friendly phrase is for that.
Where's Microsoft's landshark team when you really need them?
I knew there was a reason I don't permit administrator access to any PCs...
By the way, seeing BigFix on one of the doubleclick.net ads at the bottom of this suggests Jesper is the pot calling the kettle black. Better review your ad contracts, El Reg.
I saw this on a friends PC recently too. It was obvious immediately from the name that it was dubious. Firstly it had 'XP' in the name which no legitimate company would do for fear of being sued by MS. Secondly there are only a handful of legitimate antivirus / antimalware tools available.
I second the above post, MBAM seemed to do a pretty good job of clearing this.
It is quite ironic that there are many more fake anti-malware/virus apps than there are legitimate ones. People have had it drummed into them for years that the need an antivirus and now they are more than happy to download and pay for this crap.
I have recently had to remove variants of this from several computers. The ones that I have seen do attempt to connect via internet to something. Unplug the CAT5 until you remove it. It is also resistant to most manual removal attemtps. I had to boot the recovery console from the Windoze CD to be able to delete all of it's parts. Some of it lives in the browser cache, Windows, and system32 folders in XP. Just sort folder contents by date, and they become obvious. I'm a bit sorry I didn't keep a sample to feed to my dis-assembler. Perhaps it can be hacked to feed bad data back to these crooks.
...And you guys with the MACS... Stop snickering!! They will be aiming at you next.
Tux... Because he's mostly immune (for now)
"Obviously the criminals are well aware that users are incredibly desensitized to warnings and the more warnings they get, the less they pay attention to them."
Better ramp up the frequency of those warnings in Windows 7. It has to be even more secure than Vista after all.
Those boys have at least one other bit of malware, Antivirus Vista 2008.
And they'll try to install their stuff on anything that gets in range. I've had two attempts to install their malware on my Macs, running Safari. Naturally I just laughed when a WinXP box popped up and declared that I had been infected by what were clearly Windows viruses... I clicked 'close', and the thing tried to download anyway. As it was an .exe file, it couldn't actually do anything on my Mac, but if I'd been using a WinBox I'd have been in trouble.
www.bleepingcomputer.com/malware-removal/remove-antivirus-xp-2008 is one of many sites which gives tutorials (in this case, wrapped with a plug for their own stuff) on how to remove that pig. The list of executables and registry keys which need to be removed is quite sobering.
Michael C - "On a Mac, I'd have none of these concerns. Any malware would likely not work at all. Any pop-ups targeting Windows this way would be VERY obvois indeed, and any malware i might inadvertantly download would not run."
madra - "it's one of those articles were us mac & linux users can have a good belly laugh at you sad windoze drones and your pestilent OS - we havenae had one for a while!"
What I find interesting about this particular form of malware is that the methods they are employing don't necessarily rely on any particular flaws in Windows' code. They are employing flaws in the computer literacy of Windows' users. It seems that the payload they are trying to deliver is a constant harassment of the user to pay for some software via a dodgy website with their credit card. If 95% of computer users were using Ubuntu, I could still see this same scam working.
The Javascript, the animated .gifs, the duplicated system dialogs, and the software installation could all be accomplished on Linux (especially Ubuntu) or Mac simply by giving the mark some helpful instructions to enter their password in the next dialog box that pops up. The scam isn't attacking the system's security - it's getting the user to do all the work. Since Ubuntu helpfully doesn't use a root password, the user just enters his/her own limited user password to also perform system-wide installations and configuration changes.
All that said, this article hammered home some thoughts I've had recently. All the talk about "is Linux ready for the desktop?" or "what Linux needs to do to become the dominant OS" starts with the assumption that that would be good for the existing users of Linux. I think I've decided that I'm happy with all the idiots staying on Windows. There's the old saying that Linux is only secure because it's not popular, and no one writes malware for it. I've never agreed with that - Linux (and OS X) are more secure than Windows by design. But there's another saying that system security is only as good as the hardware's physical security. When the user sitting in front of the box is the box's worst enemy, it doesn't matter what OS it's running.
Yes, the hardware support and compatibility would be great if 95% of the world ran Linux. But all the Russian gangsters would then start writing this kind of crap for it and I'd still be cleaning it off of my family's machines - hopefully before they'd given their credit card details to a website in Botswana. The social engineering aspects would be harder to pull off than your typical ActiveX exploit, but they'd still have enough success to make it worth their effort.
While I do not want to bash TrendMicro's HouseScan - it is still not possible to have your PC scanned for malware just by visiting a website. You still need to actively install some piece of software, be it ActiveX, a Java applet or whatever.
Just considering what it means to scan your machine for malware (namely reading every single file to do a heuristic comparison against known patterns), I would rather think that's quite a good thing (even if it won't work against dangerous semi-knowledge as exposed by most users...).
If that is not needed anymore nowadays, then Windows(tm) is worse than I thought...
(that you have to be running Windwoes), you have to be running Internet Exploder, allow popups, and allow scripts in order for this to work. Committing each of those three (four if you prefer) idiocies concurrently is akin to dropping your pants in the middle of Main Street, bending over and shouting TAKE ME - I'M YOURS - It hardly leaves you in a position to complain about a sore anus.
Paris - because she knows what happens when you drop your pants.
i too have had to clean this, the worst was in the computer belonging to the father of one of my neighbours. He'd left it on his system for 3 MONTHS. It had downloaded other trojans. Finally it got to the point where his computer was running XP slower than a P2-333 with 128Mb ram. It was also giving porn popups constantly, and 1-pixel IE windows.
After 4 days of trying to remove this crap(and i did remove over 1,500 trojan and virii and adware files, I just said, 'enough' Pulled all the documents off onto a memstick, and wiped the hard drive. The computer also finally got it's first taste of XP with a service pack (yes, it was XP without SP1 let alone 2, although it was bought after 2 came out - lazy HP)
The only time i've seen a system that infected before, was one belonging to a friend, one that had been used by her 15yo step-daughter (who had opened every spam email, every exe, gone for every trojan she cuold, on pupose). That is how bad this spyware gets.
Not by anything said in this article, but when you stop and think about it, what kind of cockamamie system is it that would make this rather elaborate scam seem real, pray tell?
I can hardly begin to guess the conceptual flaws in the design of Windows that would need correction to put a stop to this kind of thing. Perhaps instead of having OS and applications on writable disks they should be on read-only media? Perhaps the computer itself should NEVER undertake any task on its own, demanding explicit user instruction to start anything at all. (And, yes, that might mean, inter alia, start network connection, start font rasterizer, etc.) Perhaps the fundamental issue is that desktop OSes and applications have been designed with an implicit assumption that the world is a nice place, instead of always asking "how can someone misuse or subvert this or that feature?" Perhaps the adoption of an architecture that allows—nay panders to—applications to hook themselves deeply into the guts is wrong. (IOW, what kind of system even allows rootkits? Why does Windows still use the old hamburger or mixmaster way down in its guts to allow deep hooking?) I really don't know.
There's something very very wrong somewhere. The entire desktop computer industry took a wrong turn somewhere, a long time ago.
PS # 1: And before the Mac & Linux fanboys start chortling, let me assert that those systems are just as prone to this kind of scam as Windows is.
PS # 2: Actually, I had one of these pop up on my bareback-except-for-hardware-firewall Win98 box a year or so ago. I almost fell for it but suddenly realized "why is a dialog box on a very plain vanilla Win98 machine displayed using XP chrome?"
...as there is no way for a standard user to differentiate between legitimate operational messages coming from the system and spoofed ones coming from some low-life application. Nor is there a way for a user to know whether the "OK" for some system operation he just gave will actually be sent to the system or to said low-life application instead.
Microsoft could have forced the industry to take the approach of a "Windows" key that really, on the hardware level and in visually clear style, "opened up" the innards for repair and maintenance. Instead ... we have a Windows key that opens up a Start Menu .... oh and hardware-mandated copy protection .... and see-through window borders or some equally retarded shite (btw. KDE4, I'm also looking at you)
Firstly, nice article, and thanks for sharing your obvious hard work with the rest of us.
I took the time to read the text on the screendumps you showed, and right from the start the hairs were standing up on the back of my neck : malware. The text read like the poor english manuals for the electrical goods you bought from tandy 15-20 years ago. The graphics were quite convincing. If they get the english right ...
I've been caught myself way back when I was using w98 and did not understand computer security. So I trashed the machine and lost some of my data (not recently backed up) to clean it up, and be sure. I think it fair to say 'gee thanks bill' for the crap that entailed, but the fact remains that it *could* happen on any system.
Now I use my Penguin friend for all online stuff, as I don't trust bills crap. This is not smugness, just bitter experience.
Regardless of the operating system you use, and the security software you use, there *ARE* weaknesses in your system, and they *WILL* be found. Security software may not be current to the threat and will not necessarily protect. Using the admin account on your machine when online is idiotic as any crapware gets admin privileges, so don't do it.
Therefore *PLEASE* think about what you are doing, where you surf, and don't bloody use an admin account while doing it !
No legitimate coder leaves bugs in code at time of release. How many have looked back at their code of say 6 months ago and thought on occasion WTF was I doing when I wrote that ? Bugs slip through sometimes by hiding in plain sight. The only way to address this is to install the updates and thank all involved in finding the issue and resolving it.
Paris cos you're bound to get 'infected' while surfing for/on paris ...
"A 2-week trial version of Norton Anti-Virus 2008 can be downloaded for free if necessary"
BWAHAHAHA.... don't know which would be worse to be infested with. At least XPAntivirus wouldn't be quite the memory hog or system crasher that Norton is.
I don't think even Paris would fall for that.
First, thank you for the diligent research and interesting presentation. I have been laughing about that popup for months, since I run UBUNTU (Ultimate Edition of course) on my laptop exclusively now (forced into this because vista and linux are the only to OSs that will see a sata hd with phoenix bios, and vista is not an option).
These popups keep showing up since the JS does not check the operating system. It is very nice to be on Linux where I am happy able to ignore them. That being said I was also very interested to read the article.
Next, may I recommend eeye by blink for those running M$ Windoze (anything besides Vista...not out yet). It is great! I have pointed many of my friends to it, and they are all very pleased. I have not checked this malware against it, but I would expect it to rank as high if not better then any of the other major products (and is cheaper too)
I had one hell of a time removing this from my PC the very first time I discovered it lurking around. Fortunately, I was a bit more clued up back then than your average new PC owner so I had a working knowledge on how to deal with it.
Just to throw my 2 cents in, SuperAntiSpyware dealt with this and any possible re-infections lurking around on the PC first time around. It worked for me where others like AVG and Spybot have failed in the past.
I came across the same kind of stuff a lot recently, only the pop-ups were triggered by banner ads. I did a bit of analysis (not as extented as yours), and it finally didn't bother me at all as, well, I know better than running Windows, and it didn't seem to be a botnet stuff (not even ransomware) so as far as I'm involved (both as user and sysadmin) it fits nicely in the "not gonna cause me any harm nor extra work" category. If anything, it will drive people towards less shitty behaviours and/or OSes. Heck, I might even send these pirates money myself, they're essentially doing MY "teaching" work in my place, using efficient techniques that would get me fired. I did send a few emails though, to the (legitimate) sites which were serving the malicious ads, including details on files, incriminated servers and all the relevant stuff, but they apparently couldn't be arsed. Too bad for their most clueless clients. I don't really mind. Serves them Win lusers right. ;-)
What bothers me slightly more is that a luser in my working place installed the same kind of stuff on a shared computer (NOTE: I wasn't the one giving them admin privilege), and it seemed to trick that hopeless piece of shite that Norton is into downloading its database from a malicious server. I was in a hurry whttp://www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/comments/hen fixing that, so I didn'nt do any analysis and boldly suppressed every possible piece of evidence in the cowboy-like Norton-removing process. Dumb me.
Recently had a PC brought to me that'd been running Win2k and IE6. In addition to this fake scanner, it or additional malware had done such lovely things as disable control panel, disable Task Manager, hook something into Explorer and hide all drive letters in My Computer.
Probably more I didn't notice, at that point my only concern was yanking the drive out to get a few of the client's files off on another system then wiping the drive to put a new image on it.