Karagany Isn’t a Doctor, but Plays One on Your PC


By Andrew Brandt


A Trojan that pulls a sly performance of now-you-see-me-now-you-don’t disguises itself on an infected system as the Adobe Updater, a real program that’s installed alongside such mainstay applications as the Adobe Reader. This method of hiding in plain sight means the downloader, Trojan-Downloader-Karagany, may remain active on an infected system for an extended period of time, reinfecting PCs even after the more obvious payloads have been cleared up.

During the initial infection, subtlety is Karagany’s strong suit. When executed, it pulls an act I find slightly more interesting than the conventional behavior, so common among contemporary malware, of copying itself from one place to another and then deleting the original.

In this case, the malware app (which uses an Adobe icon) does copy itself to another location — the \Application Data\Adobe folder under the currently logged-in user’s account, using the filename AdobeUpdater.exe — but leaves behind a benign program afterward, in exactly the same place as the original, and with the same filename as the original. Watch this video to see just how slick this shell game can be.

The Trojan makes a duplicate of a legitimate Windows app (the Microsoft HTML Application Host, or MSHTA.exe), naming the copy with the same filename the Trojan used at the time it was executed, and replaces itself with the renamed MSHTA.exe in precisely the same location. The effect is low-key — the program simply seems to lose its icon.
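The shell game above leaves two artifacts a responder can look for without any signatures: a file whose bytes are identical to a legitimate system binary but which carries a different name (the renamed MSHTA.exe), and an AdobeUpdater.exe sitting under the user’s Application Data\Adobe folder. The script below is an added example written for this post, not Webroot’s tooling; the paths and file names come from the post, while the files it builds in a temporary directory are constructed stand-ins (not real executables, and the dropper’s original file name is made up) so the check runs offline on any OS.

```python
"""Hunt for the Karagany shell game: a byte-identical copy of a system binary
under a different name, plus AdobeUpdater.exe in <profile>\\Application Data\\Adobe.
Added example, not Webroot's tooling; sample files are constructed stand-ins."""
import hashlib
import tempfile
from pathlib import Path

SUSPECT_NAMES = {"adobeupdater.exe"}                 # name the Trojan uses, per the post
SUSPECT_SUBDIR = Path("Application Data") / "Adobe"  # profile folder it drops into, per the post


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(profile_dir: Path, reference_binary: Path) -> list[dict]:
    """Walk a user profile and report the two artifacts the post describes:
    - lookalike_updater: AdobeUpdater.exe inside <profile>\\Application Data\\Adobe
    - renamed_system_binary: a file whose bytes equal the reference binary
      (e.g. %SystemRoot%\\System32\\mshta.exe) but whose name differs.
    File size is compared first so only plausible candidates get hashed."""
    ref_size = reference_binary.stat().st_size
    ref_hash = sha256_of(reference_binary)
    ref_name = reference_binary.name.lower()
    findings = []
    for path in sorted(profile_dir.rglob("*")):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name in SUSPECT_NAMES and path.parent == profile_dir / SUSPECT_SUBDIR:
            findings.append({"kind": "lookalike_updater", "path": str(path)})
        if (name != ref_name and path.stat().st_size == ref_size
                and sha256_of(path) == ref_hash):
            findings.append({"kind": "renamed_system_binary",
                             "path": str(path), "copy_of": ref_name})
    return findings


def build_sample_tree(root: Path) -> tuple[Path, Path]:
    """Constructed post-infection layout using XP-era paths. Returns
    (profile_dir, reference_binary). None of the bytes are real executables."""
    system32 = root / "Windows" / "System32"
    profile = root / "Documents and Settings" / "user"
    system32.mkdir(parents=True)
    mshta = system32 / "mshta.exe"
    mshta.write_bytes(b"MZ constructed stand-in for mshta.exe")
    # The Trojan's copy of itself, under the updater's name.
    dropped = profile / SUSPECT_SUBDIR / "AdobeUpdater.exe"
    dropped.parent.mkdir(parents=True)
    dropped.write_bytes(b"MZ constructed stand-in for the Trojan")
    # Where the Trojan was first run it left a copy of mshta.exe under its own
    # original file name (the post does not give that name; this one is made up).
    desktop = profile / "Desktop"
    desktop.mkdir()
    (desktop / "original_dropper.exe").write_bytes(mshta.read_bytes())
    (desktop / "notes.txt").write_bytes(b"benign file, must not be flagged")
    return profile, mshta


def demo() -> list[dict]:
    """Run the hunt against the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        profile, mshta = build_sample_tree(Path(tmp))
        return hunt(profile, mshta)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real machine you would point `hunt()` at the user’s profile directory and `reference_binary` at %SystemRoot%\System32\mshta.exe; the hash comparison is what catches the renamed copy, since its icon-less appearance is the only visible clue the post mentions.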


Rogue AV Spam Invades Multiply, Yahoo Mail


By Andrew Brandt


While nowhere near the size of the mammoth Facebook, the social network Multiply is no slouch. Based in Boca Raton, Florida, the site is designed around not only sharing photos and videos with friends and family, but also a relatively novel concept called social shopping, which permits users of the site to shop together in a virtual marketplace, or even set up an Internet storefront. At last count, according to Multiply’s blog, the site has over 12 million users, which means that the Multiply Market may be one of the largest single shopping Web sites in Southeast Asia, where most of its users live.

I would never have even known about Multiply (it’s one of nearly 200 active social network sites listed on Wikipedia) if it weren’t for one of our Threat Research analysts, Rhoda Aronce, who hails from the Philippines and uses Multiply to keep in touch with family. She received an odd-looking message that appeared to come from Multiply on her Yahoo mail account yesterday, and it set off alarm bells. Good thing, too, because it looks like a spam campaign targeting Multiply users is trying to infect those users’ computers with a rogue AV that calls itself Antivirus Solution 2010 Next.

The initial spam message uses familiar social engineering tropes: It’s a message that looks like it was sent via Multiply’s servers to Rhoda’s Yahoo mail account. The message body reads

heyy! (username), do we know from some place isn’t it? so here’s a special video i did for you, ull recall me!, pls holler me back!!!, kisses <3

The message is dominated with a photo of what looks like a streaming video window that says Click here to see movie. That’s where the fun begins for researchers, but please, don’t click this at home, especially if you’re in the middle of shopping online. Leave getting infected to the professionals. If you see something like this in your email inbox, just delete the message.


Five Reasons You Should Always “Stop. Think. Connect.”


By Andrew Brandt


Today’s the official kickoff for National Cyber Security Awareness Month, and the organizations supporting the event, including the National Cyber Security Alliance, the Anti-Phishing Working Group, and dozens of corporate citizens including Webroot, want you to protect your computer and your personal information. So they’ve come up with a three-word campaign slogan they hope will become conventional wisdom for every Internet user: Stop. Think. Connect. Think of it as the 21st century equivalent of looking both ways before crossing the street.

In my case, they’re preaching to the choir. For years, I’ve advocated that people treat everything they see online critically, and to scrutinize information before acting on it. That’s because the army of criminals who commit fraud and theft over the Internet on a daily basis rely on you to not stop, not think, and to click links or open files immediately, without regard to the consequences of your actions. That’s how most people infect themselves. If you stop and think before you connect, you can prevent most of these infections yourself, simply by exercising a little restraint.

It’s hard to think of a major cybercrime outbreak over the past year that hasn’t relied, to some extent, on the naivete of its targets. Security professionals call these tricks “social engineering,” but that’s just a geeky term for criminal skullduggery that’s as common offline as online. The ruse almost always tries to invoke an adrenaline-fueled need for an immediate response — usually out of fear, greed, or panic — on the part of a victim. The victim ends up in a mental state where they are likely to make rash, impulsive decisions. And they do.

Putting the brakes on social engineering tricks usually takes all the steam out of them. To that end, I’d like to show you examples of five of the most common cyberscams that lead to the loss of personal information or sensitive data. Hopefully, if you know what to expect, you’ll simply walk away from the encounters unscathed.


Newsflash: HTML Spammers are Not So Bright


By Andrew Brandt


It’s been more than a week that we at Webroot, and countless others, have been getting floods of bogus messages with HTML attachments. I thought I’d give the curious readers of this blog a quick glance at one of the drive-by sites that load in the browser if you try to open the file.

As I’d mentioned previously, the HTML files themselves simply contain highly obfuscated Javascript (code that’s hard for humans to read but easy for machines to interpret). When you try to load those malicious scripts into a browser, the script instructs the browser to load a page from another Web site. In fact, the file I saw today goes to server 1, which bounces the browser to server 2, and then a script on server 2 loads more files from servers 3 & 4 in a full-screen iFrame.
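A quick way to see what one of these attachments would do, without opening it in a browser, is to parse it statically: list every external script and iframe it would pull in, note any iframe sized to fill the window, and flag the usual obfuscation tells (eval, unescape, String.fromCharCode, document.write, long runs of %xx escapes). The triage script below is an added example for this post, not Webroot’s code; the attachment it inspects is constructed, and the server1/server2 hostnames in it are placeholders under the reserved .example domain, chosen to echo the chain described above.

```python
"""Static triage of an HTML e-mail attachment. Added example, not Webroot's
code; SAMPLE_ATTACHMENT is constructed and its hostnames are placeholders."""
import re
from html.parser import HTMLParser

# Constructed stand-in for a spammed HTML attachment: an inline script with
# the classic obfuscation tells, an external loader, and a full-screen iframe.
SAMPLE_ATTACHMENT = """<html><body>
<p>Your document is attached.</p>
<script>
var s = unescape("%76%61%72%20%78%3D%31%3B"); eval(s);
document.write(String.fromCharCode(104, 105));
</script>
<script src="http://server1.example/loader.js"></script>
<iframe src="http://server2.example/go.php" width="100%" height="100%"></iframe>
</body></html>"""

# Patterns that, in an e-mail attachment, are far more often obfuscation than not.
OBFUSCATION_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode\s*\("),
    "document.write": re.compile(r"document\.write\s*\("),
    "percent_encoded_run": re.compile(r"(?:%[0-9A-Fa-f]{2}){8,}"),
}


class AttachmentTriage(HTMLParser):
    """Collects external references, inline script bodies and full-screen iframes."""

    def __init__(self):
        super().__init__()
        self.external_refs = []      # (tag, url) pairs the browser would fetch
        self.inline_scripts = []     # bodies of <script> blocks without src
        self.full_screen_iframes = 0
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.external_refs.append(("script", a["src"]))
        elif tag == "iframe":
            if a.get("src"):
                self.external_refs.append(("iframe", a["src"]))
            if a.get("width", "").strip() == "100%" and a.get("height", "").strip() == "100%":
                self.full_screen_iframes += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            body = "".join(self._buf).strip()
            if body:
                self.inline_scripts.append(body)
            self._buf = []

    def handle_data(self, data):
        if self._in_script:          # HTMLParser hands script text to handle_data
            self._buf.append(data)


def triage(html: str) -> dict:
    """Parse the attachment and summarise what a defender wants to know first."""
    parser = AttachmentTriage()
    parser.feed(html)
    parser.close()
    indicators = set()
    for script in parser.inline_scripts:
        for name, rx in OBFUSCATION_PATTERNS.items():
            if rx.search(script):
                indicators.add(name)
    suspicious = bool(indicators) or parser.full_screen_iframes > 0
    return {
        "external_refs": parser.external_refs,
        "full_screen_iframes": parser.full_screen_iframes,
        "indicators": sorted(indicators),
        "verdict": "suspicious" if suspicious else "no static indicators",
    }


if __name__ == "__main__":
    print(triage(SAMPLE_ATTACHMENT))
```

The point of the parser is that nothing in the attachment is executed: the URLs come straight out of the markup, so the first hop in the redirect chain can be blocked or reported before anyone sees the fake alert.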

In the end, what I saw looked like an update to what has become the “classic” Javascript fakealert. Unfortunately for the malware distributors, this so-called update is laughably obvious. These are clearly not the sharpest tacks in the box.

It all starts with a warning popup which reads:

There is a big chance that your computer is infected! They can cause data loss and file damages and need to be fixed as soon as possible. Return to Microsoft Security Assessment Tool and download it to guard your PC.

Wow, really? How big is the chance? Is this more like a scratch-off lottery ticket level of chance, or is it closer to a look under the bottle cap to see if you win chance? What they don’t tell you is that your chance of becoming infected with an annoying rogue increases to about 100% if you continue down this well-worn path.

New Rogue Is Actually Five Rogues in One


By Andrew Brandt


For years, the makers of those snake oil security programs we call Rogue Security Products have spent considerable effort making up new names, developing unique graphic design standards, and inventing backstories for their utterly useless, expensive scam products. Now a new rogue has taken this never ending shell game one step further, releasing a single program that calls itself one of five different names, depending on what button an unfortunate victim clicks in a highly deceptive dialog box. Let’s call it what it really is, though: A malicious play in five acts.

The rogue’s delivery method, or Act 1 in this melodrama, is no different from the many we’ve seen in the past 18 months which use a Javascript-enhanced Web page to convince viewers they’re watching a live malware scan on their computer. This trick is so hackneyed, it’s become the cybercrime equivalent of the dastardly villain in a silent movie tying the hapless woman to a railroad track, then twisting the ends of his mustache for dramatic effect. Does anyone still fall for this?

Only, this time the fakealert delivers a different payload: When the victim runs the rogue executable (named simply setup.exe), Act 2 begins. The rogue displays a dialog box that looks like an alert message issued by Microsoft Security Essentials, cautioning the victim that a legitimate Windows component present on most or all installations of Windows, such as iexplore.exe or cmd.exe, is actually a piece of malware.

The rogue helpfully offers to perform some sort of online scan, and that’s where it gets weird. The rogue pretends to scan the hard drive with 32 different antivirus engines, a-la VirusTotal. The vast majority of them are well known, at least in the security community. But five are new, and it’s those five that merit closer inspection.


Fake Flash Update Needs Flash to Work


By Andrew Brandt


If you live in the US, you may have played sports, barbequed, or enjoyed the last long weekend of the summer doing something fun outdoors. Unfortunately, that wasn’t an option here in Boulder, where a large wildfire generated a thick plume of smoke and ash. So, what’s a malware analyst to do indoors on a beautiful day with toxic smoke outside? Why, spend some quality time with Koobface, of course.

I took a closer look at the worm’s behavior and also noted that, since the Migdal keylogger site went dark for the Koobface crew, they’ve switched to using a new domain as the dead drop for credentials stolen by the Koobface password stealer payload: m24.in, the Web site of some sort of media company based in India. The behavior I saw by the keylogger was virtually identical to that used by the Migdal variant, reported in a previous post. The payload is even named m24.in.exe, just like the Migdal payload was named after the domain where it posted stolen passwords.

It’s been a while since the worm changed its primary method of infection: For nearly its entire existence, Koobface has spread by manipulating the social network accounts of infected users so it appears the user posted a link to a video. Of course, the worm does the posting in the name of the user, and the link points to a page which purports to be some sort of streaming video, but actually pushes the malware on anyone who visits.

And, in order to take on the appearance of a real online video, it uses Flash.


Pro-Israel Website Receives Passwords Stolen by Koobface


By Andrew Brandt


Is the team behind the Koobface worm taking a stance on the Israeli-Palestinian peace talks, or is this notorious worm’s most recent, bizarre twist just a coincidence?

We’ve seen Koobface hijack legitimate Web sites for more than a year, using them not only to host malicious payload files, but also to work as proxy command-and-control servers for the botnet. One such hijacked Web domain, migdal.org.il, popped up in a number of blog posts and on Web sites which list the domains used to host malware, as far back as this past May, when the Koobface crew began using a slew of new hijacked servers as distribution points for its malicious files.

And since the summer, Koobface has been delivering a password stealing Trojan among the several payloads it brings down to an infected computer. That Trojan’s name is migdal.org.il.exe, and the stolen passwords it scrapes from infected computers are sent right back to the migdal.org.il Web server, which is physically located at an ISP in the UK.

Migdal also seems to be (if you can believe the content posted to the Web site) a French Jewish organization that provides aid and resources to Israeli children and border guards, and whose leadership opposes many of the Israeli concessions that Palestinian negotiators have requested during the long peace process. Have the Koobface gang gone political, or are they just capitalizing on a convenient situation with an abandoned Web site?

(Update: The site went down on September 3rd, the day after this post went live. Thanks, helpful ISP who shall remain nameless.)


Subscription Renewal Spam Points to Drive-by


By Andrew Brandt


Dear Customers: Please be aware that a crew of Russian malware distributors are circulating a spam message which looks like a subscription renewal confirmation from Best Buy, allegedly for one of our products.

The linked text in the message, however, leads to a Web site which performs a drive-by download. Please don’t click the links in the message. If you have any questions about your subscription, please contact support.

The spammers appear to have done some homework. Some, but not enough. Best Buy currently sells our products through their online software subscription service. Note to spammers: If you’re going to try to hijack our trademark, the least you could do is get the name right. Best Buy doesn’t sell anything called Webroot Spysweeper with Antivirus Product. Nor do we.

The email message claims it is a notice that your subscription has been renewed, and includes a serial number (which doesn’t work) and a transaction date of July 17.

The link in the message leads to the Web site of a small bed and breakfast in New Zealand, which has been compromised. We’ve informed the owners of that Web site of the spam campaign and asked them to take down the page referenced in the spam message.

I guess we struck a nerve, hurt some sensitive malware author’s pwetty widdle feewings, and ended up a target for attack, one that falls down. Too bad, so sad.


Blackhat SEO of Google Images Links to Rogue AV


By Andrew Brandt


Yesterday, a few of the Threat Research folks and I had a little fun playing with a hack that had, for one day at least, pretty much decimated Google’s Image Search feature. One researcher, who stumbled into the attack purely by chance, found that a Google Images link to a map of the United States was, instead, redirecting hapless Web surfers to pages that deliver an installer of a rogue antivirus in the Security Tool family of fine, fraudulent products.

What really caught our interest was how the hack behaved, depending on the operating system and browser you used. With each different browser configuration, we were treated to one of several different, specially crafted malware delivery Web pages.

I’m not sure when the attack started, but we started analyzing it at around 10am, Mountain time. By late afternoon, the sites were offline and the attack no longer worked.

To test the extent of the hack, we played around with the manipulated search results using five different browsers: Internet Explorer 6 and 8, Safari 5, Google Chrome, and Firefox. All the browsers were set up with default settings in an otherwise identical installation of Windows XP SP3. We then searched for USA Map and clicked the second result that appeared under the header “Images for usa map.” (All but the first image result that appeared on that first page of results linked to the malicious Web site.)

More World Cup Shenanigans: “Anti-Vuvuzela Filter”


By Andrew Brandt


Someone called my attention today to a Web site selling something called an Anti-Vuvuzela Filter that costs €2.95 to download. Only, it’s a complete fraud.

For the twelve other people in the world who haven’t been watching the World Cup matches in South Africa, the Vuvuzela is a South African horn that makes an obnoxious buzzing sound when played.

The noise is said to be so irritating that fans have been watching the matches on television with the sound muted so they don’t have to hear the incessant wasp-like drone of Vuvuzela-toting fans inside the stadium.

If you haven’t experienced the full effect of the vuvuzela, consider yourself lucky. But if you’re wondering what all the fuss is about, you can make your best effort to read this blog in World Cup 2010 style. Just turn down your computer speakers or headphone volume first.

The site claims to be able to “get rid of the Vuvuzela noise through active noise cancellation” but all you get for your money is, apparently, a 45 minute long .mp3 file.

Seriously. Call it a Rogue AV (anti-vuvuzela) of a variety we haven’t seen before.

I should hope that the readers of this blog would be aware that whatever these goofballs are selling, it ain’t anything remotely similar to the active noise cancellation it is being touted to be. In fact, others have come up with a passable, working solution using equalizers and bandpass audio filters. There’s even a free, automatic filtering application you can download. It seems like this audio file would sound a lot more like a 45 minute recording of snake oil slithering. Or the sound of 3 Euros sneaking out of your pocket. Don’t be a sucker: Just reduce the volume on your TV if the vuvuzelas get you down.