ROGUE SECURITY - BACK TO THE FUTURE

25 June 2008
Let's leave history behind for a while and focus on today's threats. We are going to find that the methods of spreading haven't changed much since 2005.
Fake ActiveX warnings are still used, Trojans are still spreading the trial versions, and browser exploits are still used to deploy e-threats. We'll take a closer look at some of these cases and add some new ones to the list as we go.
 
Trojan spreading
 
In order to fully understand the way rogue software gets onto users' computers, let's look at the way Trojans are spreading. We will take one that's still “in the wild” (meaning actively infecting computers at the time of writing).
Trojan.Zlob is the name of the culprit. It's an e-threat that downloads software onto the infected computer without the user's knowledge. “Ok, that's all pretty nasty,” you say, “but how do I get infected with this Trojan in the first place?” Right, well, the easiest way to get yourself a Trojan.downloader is by visiting a website (most of the time an adult-rated one) which will infect you in one of two ways:
1. by using a browser-specific exploit that grants the attacker the privilege to download and run applications without the user noticing a thing
2. by social engineering:
a) pretending to be unable to play back video clips because the user lacks the necessary software, and offering an “ActiveX Object” (or some sort of “codec”) as the solution (Img 3.0; notice the YouTube-like environment used to fool users and make them more comfortable with the page). If you trust the fake website and download the “ActiveX Object”, which is in fact the Trojan, you're there already.
 
Img3.0: Zlob fake ActiveX warning

b) pretending to remotely scan your computer for infections through a web page. Do not believe those fake websites. They are all scams meant to trick users into downloading “cleaning software”. Although they might look like legitimate applications, they are not. Web scanner development is a laborious undertaking, and very few legitimate security software producers have built such applications. No website is able to scan your computer without asking you to install specific modules beforehand (ActiveX or Java). Scanners that simply start “scanning” and “detecting” e-threats on your computer upon page load are clearly fake. You can see an example of such a web page in Img 3.1. After the “scan” is completed, a window pops up telling you about the infections on your computer and how you should download their software in order to get rid of them (see Img 3.2).
 
Img3.1: "Antivirus 2008" doing its "rightful" job
 
Img3.2: Results window after "scanning" has finished
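As an added illustration (not part of the original post), the rule stated above, that no web page can scan a PC without first asking for a local module, can be turned into a simple page-triage heuristic. The two HTML snippets and the indicator patterns below are constructed for the demo; `rogue.example` is a placeholder host.

```python
import re

# Constructed sample pages for the demo; not taken from any real site.
FAKE_SCANNER_PAGE = """<html><body onload="startScan()">
<script>
function startScan() {
  document.getElementById('status').innerHTML = 'Scanning C: drive ...';
  setTimeout(function () { alert('Warning! 37 infections found on your computer!'); }, 2000);
}
</script>
<div id="status">Initializing scan...</div>
<a href="http://rogue.example/Antivirus2008_setup.exe">Download Antivirus 2008 now</a>
</body></html>"""

LEGIT_SCANNER_PAGE = """<html><body>
<p>Our online scanner needs an ActiveX control. Please install it when prompted.</p>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
</body></html>"""

INDICATORS = {
    # "scanning" starts automatically on page load, with no user action
    "scan_on_load": re.compile(r'onload\s*=|window\.onload|setTimeout\([^)]*scan', re.I | re.S),
    # the page claims to have found infections (the fake results window)
    "fake_results": re.compile(r'\b\d+\s+(infections?|threats?|viruses)\s+(found|detected)', re.I),
    # the "fix" it offers is a bare executable download
    "exe_download": re.compile(r'href=["\'][^"\']+\.exe["\']', re.I),
    # a real web scanner has to ask for a local module (ActiveX/Java) first
    "plugin_required": re.compile(r'<(object|applet|embed)\b|install(ing)?\s+(the\s+)?(activex|java)', re.I),
}


def assess_scanner_page(html):
    """Return the indicators found plus a verdict following the post's rule:
    a page that 'scans' on load without ever asking for a local module, or
    that reports infections and pushes an .exe, is a fake scanner."""
    found = {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}
    scans_without_plugin = found["scan_on_load"] and not found["plugin_required"]
    sells_cleaner = found["fake_results"] and found["exe_download"]
    found["verdict"] = "fake" if (scans_without_plugin or sells_cleaner) else "not-flagged"
    return found


if __name__ == "__main__":
    for label, page in (("constructed fake", FAKE_SCANNER_PAGE), ("constructed legit", LEGIT_SCANNER_PAGE)):
        print(label, assess_scanner_page(page))
```

The heuristic is deliberately coarse: it is meant as a first filter for pages captured in a proxy log or a honeyclient, not as a replacement for a real scanner.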
 
The changing nature of Trojan.Zlob makes it a real challenge for legitimate antivirus producers to keep pace; however, in most cases you can rely on your protection software. If you don't have any antivirus application installed, your computer will get infected and you will not even notice.

Aggressive advertisements
After Trojan.Zlob is running on your PC, it will start alerting you of fake infections, the false positives explained earlier. This happens either through taskbar notification windows (see Img 1.0), by redirecting users to fake websites that claim to remotely scan for and detect viruses on your computer, or through drive-by installations of trial rogue software (background installations that proceed without any user interaction, consent or knowledge) launched by the Trojan.
 
Img1.0: False warnings in taskbar notification window
 
Another recent development in this field is Trojan.Fakealert.PP. Ranked third in the US top 10 and eighth worldwide, Fakealert.PP creates even more desperation on the user front. It spreads in a similar way to Zlob: it uses a website to warn users of nonexistent infections on their PCs and asks them to download an application (“XP Antivirus”) that is supposedly clean: “Please select "RUN" or "OPEN" when prompted to start the installation. This file has been digitally signed and independently certified as 100% free of viruses, adware and spyware.” After the scan, it asks the victims to pay for the full version of the software in order to clean their computers. A sample screenshot of the application is provided in Img 3.4.
 
Img3.4: XP Antivirus mischievous threats detection
