Tag Archives: sabotch

Fakealerts: Building a Better Mousetrap

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

In general, the use of fakealerts – those bogus warnings that look like your PC has started some sort of antivirus scan on its own, then predict imminent doom if you don’t buy some snake oil product right this minute — is on the rise. Fakealerts constitute a particularly effective social engineering trick, earning the makers of bogus, ineffective “antivirus” programs millions of dollars (and the scorn of victims) in the process. So it should come as no surprise that the fakealerts themselves have gone through some technological advances in the past year.

In the past few months, the fakealert-makers have slowly been migrating their techniques to a new platform: The browser. As recently as six months ago, the majority of fakealerts we saw were generated by small Trojan Horse applications running on a victim’s PC. Today, most fakealerts we see simply reshape the browser to mimic the appearance of a generic antivirus application.

It makes good economic sense for the creators of fakealerts to do this. The Windows application fakealerts only run on Windows (obviously). Like all Windows software, fakealert apps subject to being blocked by both the operating system (which, like the fakealerts themselves, prompts users with warnings in dialog boxes), by real-time detection mechanisms in legitimate antivirus software, and/or by savvy users themselves.

One typical load-sequence for the components of a scripted fakealert

Using a scripting technology such as Javascript to reproduce the “fakealert experience” is a natural extension of the success of fraudulent, rogue antivirus products. After all, a fakealert is no more than an elaborate performance for the targeted victim — the goal of the fakealert is simply to convince the victim to download and run a file, typically a rogue antivirus product. Javascript can run in virtually every browser and operating system (save for special cases, like the Firefox browser with the NoScript Add-On installed).

Scripts such as these bypass most traditional malware protection because, in essence, there is no malware installed until the victim installs it his- or herself. Unlike a static binary executable, the contents of a script can be tweaked, on the fly, to maximize effectiveness (or just to change the name of the fraudulent product). And the scripts themselves which make up the Web fakealert experience are highly obfuscated, which makes them more challenging for automated systems to block.

In the course of researching a new malware sample unrelated to fakealerts — an installer of Trojan-Downloader-Dermo on a page purportedly offering an update to Windows Media Player — I observed one common fakealert script as it ran soon after the testbed PC was infected. I was able to reconstruct its modus operandi.

Continue reading

Our Cup Runneth Over with Farrah Fawcett Files and Michael Jackson Malware

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

fawcett1

With the sad news circulating the globe that 70s sex symbol, TV pitchwoman, and former Charlie’s Angel Farrah Fawcett passed away this morning, it didn’t take long for the malware vultures to execute their attack.

Beginning in the afternoon, our Proactive Research team began finding tons of pages that purportedly offered a Farrah Fawcett poster or photo for download. What you got, when you clicked the link that looks suspiciously like a video player (not a static image), was — you guessed it. A load of junk.

Interestingly, hovering the mouse over the video link causes the browser to display a “preview image” that looks awfully like Google’s front door. But clicking the link to the video brings you to yet another page with something that looks like a video player, and only when you click that link do you end up with an executable on your desktop.

fawcett2Few antivirus companies have the malware in their definitions. We’re identifying the files pulled down by the Fawcett installer as Trojan-Cognac (they leave, shall we say, a distinctive aftertaste), as well as Trojan-Zoeken and Adware-Sabotch. Zoeken is a nasty downloader, which brings down all kinds of badness on an infected system, and Sabotch tends to tout those wonderful rogue antivirus products we all love so much.

So far, the Fawcett-related malware is all coming from fake pages set up on blog site Vox.com. Until they clean up this mess (which I imagine will be fairly time consuming, as new ones keep popping up), don’t follow any search links headed in their direction.

And this afternoon, as rumors began to circulate that Michael Jackson was ill in hospital, the jackals pounced on that bit of news. More on that in the next post.