Making the most of fear and deception – rogue v ransomware (part 1)
Fear can be a great motivator for getting someone to act on receipt of a message (think of public health messages about smoking or wearing sunscreen). Add some deception, and you have a powerful tool of illegitimate influence that can be used to get people to act in ways that are not in their best interest. Unsurprisingly, the same people who bring you malware have no problem at all using deceptive fear appeals to get you to do something they want that might not be so good for you. This post contrasts two types of malware that rely on fear, deception and technology to accomplish their ultimate goal: one is increasing in prevalence, the other is on the way down (but certainly not out).
Another great article from Brian Krebs.
Fake Antivirus Industry Down, But Not Out
Many fake antivirus businesses that paid hackers to foist junk security software on PC users have closed up shop in recent weeks. The wave of closures comes amid heightened scrutiny by the industry from security experts and a host of international law enforcement officials. But it’s probably too soon to break out the bubbly: The inordinate profits that drive fake AV peddlers guarantee the market will soon rebound.
Thousands of Twitter users are finding that their accounts have been tweeting out malicious links without their permission, pointing to a fake anti-virus attack.
If you make the mistake of clicking on one of the malicious goo.gl links, you are ultimately taken to a website which attempts to scare you into believing that you have a virus problem on your computer. You are then frightened into installing malicious code on your PC, and asked to pay money to disinfect your systems.
Malware that has already passed through various iterations.
Microsoft Malware Protection Center.
Initially it was “System Defragmenter”, then “Scan Disk” and now it’s called “Check Disk”. While the name will most certainly change again, the main goal of Trojan:Win32/FakeSysdef will surely remain the same: to trick you into buying a piece of software that does nothing except scare you with fake warnings, critical “errors” and other “problems”.
As the name suggests, this malware imitates a hard disk defragmenter. It will pretend to scan your computer for problems such as: it “checks” if your hard disk is working correctly, “defragments” it, and even checks the health status of your RAM and GPU (Graphic Processor Unit). Of course, once you start checking for problems using this ‘program’ it is going to “find” a bucketful of them:
* Bad sectors
* RAM fragmentation
* Registry errors
* Very high CPU/GPU temperature
* RAM failures
Story and screenshots:
Rogue security products use false advertising, drop malware and often have a similar name or appearance to legitimate security software.
Scareware has already mimicked the Windows Security Center. This one mimics Microsoft Security Essentials and calls itself “Security Essentials 2010”.
Microsoft Malware Protection Center.
As we in the MMPC have always been quick to point out, Microsoft Security Essentials can be downloaded and used without charge by users running genuine Windows (from here: http://www.microsoft.com/security_essentials/). So anything mimicking Microsoft Security Essentials but asking for any sort of payment is clearly Up To No Good.
Screen-shots and more information at the MMPC Threat Research & Response Blog.
Microsoft detects the imposter as Trojan:Win32/Fakeinit. Encyclopedia here
Rogue security programs usually pop up a screen informing users that their PC is infected with malware. The user, understandably alarmed by the nonstop pop-ups which suddenly appear on their frozen screen, will often click to make a purchase and download the “fake” software which claims it will remove the infection. In a nutshell, that purchase “is” the infection, and a lucrative business for criminals.
According to researchers at Symantec the authors of Live PC Care have taken things to the next level. The free trial version of Live PC Care includes a yellow online support button. Clicking on that button connects the potential victim with so-called “support agents” who will answer questions about the product via instant message.
Fake AV & Talking With The Enemy
Sunbelt Blog: New rogue borrows massively from AV company sites
Although the group claims 10 million users world-wide, oddly enough their site was only registered Nov. 25.
It seems they also have recruited the entire management team from AVG anti-virus company as well. Right!
Press Release December 11, 2009.
The FBI warned consumers today about an ongoing threat involving pop-up security messages that appear while they are on the Internet. The messages may contain a virus that could harm your computer, cause costly repairs or, even worse, lead to identity theft. The messages contain scareware, fake or rogue anti-virus software that looks authentic.
The message may display what appears to be a real-time, anti-virus scan of your hard drive. The scareware will show a list of reputable software icons; however, you can’t click a link to go to the real site to review or see recommendations. Cyber criminals use botnets—collections of compromised computers—to push the software, and advertisements on websites deliver it. This is known as malicious advertising or “malvertising.”
Once the pop-up warning appears, it can’t be easily closed by clicking the “close” or “X” buttons. If you click the pop-up to purchase the software, a form to collect payment information for the bogus product launches. In some instances, the scareware can install malicious code onto your computer, whether you click the warning or not. This is more likely to happen if your computer has an account that has rights to install software.
Downloading the software could result in viruses, malicious software called Trojans, and/or keyloggers—hardware that records passwords and sensitive data—being installed on your computer. Malicious software can cause costly damages for individual users and financial institutions. The FBI estimates scareware has cost victims more than $150 million.
Cyber criminals use easy-to-remember names and associate them with known applications. Beware of pop-up warnings that are a variation of recognized security software. You should research the exact name of the software being offered. Take precautions to ensure operating systems are updated and security software is current. If you receive these anti-virus pop-ups, close the browser or shut down your computer system. You should run a full anti-virus scan whenever the computer is turned back on.
If you have experienced the anti-virus pop-ups or a similar scam, notify the Internet Crime Complaint Center (IC3) by filing a complaint at www.ic3.gov.
Pop-Up Security Warnings Pose Threats
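The FBI advice above, like the “Security Essentials 2010” and AVG examples earlier in this post, comes down to one check: does the product name you are being shown match a real product exactly, or only resemble one? The script below is an added example (not from the FBI, Microsoft or any vendor) of how a helpdesk or triage tool could automate that check. The list of legitimate products and the sample names are constructed for the example; the filler-word list and the 0.6 similarity threshold are assumptions you would tune for your own environment.

```python
import re
from difflib import SequenceMatcher

# Constructed reference list for this example; a real deployment would load the
# vendor/product names the organization actually sanctions.
LEGITIMATE_PRODUCTS = [
    "Microsoft Security Essentials",
    "Windows Defender",
    "AVG Anti-Virus",
    "Norton AntiVirus",
]

# Filler that rogues bolt onto a borrowed brand (years, edition words, generic nouns).
# Assumed list; extend it with whatever your own telemetry shows.
FILLER = {"2008", "2009", "2010", "2011", "pro", "plus", "free", "edition", "suite", "tool"}


def normalize(name):
    """Lower-case, unify 'Anti-Virus'/'AntiVirus', drop filler tokens, return token list."""
    text = re.sub(r"anti[\s\-]?virus", "antivirus", name.lower())
    return [t for t in re.findall(r"[a-z0-9]+", text) if t not in FILLER]


def similarity(candidate, legit):
    """Score 0..1: token overlap (Jaccard) or character ratio, whichever is higher,
    so both 'brand + extra words' and 'brand with a letter changed' score high."""
    tc, tl = normalize(candidate), normalize(legit)
    if not tc or not tl:
        return 0.0
    jaccard = len(set(tc) & set(tl)) / len(set(tc) | set(tl))
    ratio = SequenceMatcher(None, " ".join(tc), " ".join(tl)).ratio()
    return max(jaccard, ratio)


def classify(candidate, legitimate=LEGITIMATE_PRODUCTS, threshold=0.6):
    """Return ('legitimate', name) on an exact (case/whitespace-insensitive) match,
    ('lookalike', name) when the closest legitimate name scores >= threshold,
    otherwise ('unknown', None). Exact matching is deliberately strict: any
    deviation from the real product name is treated as suspect, which is the
    conservative reading of 'research the exact name of the software'."""
    wanted = " ".join(candidate.lower().split())
    best_name, best_score = None, 0.0
    for legit in legitimate:
        if " ".join(legit.lower().split()) == wanted:
            return ("legitimate", legit)
        score = similarity(candidate, legit)
        if score > best_score:
            best_name, best_score = legit, score
    if best_score >= threshold:
        return ("lookalike", best_name)
    return ("unknown", None)


def triage(names, **kwargs):
    """Classify each name; return a list of (name, verdict, closest_legitimate)."""
    return [(n,) + classify(n, **kwargs) for n in names]


if __name__ == "__main__":
    # Constructed sample: names mentioned in the article plus one genuine product.
    sample = ["Microsoft Security Essentials", "Security Essentials 2010",
              "AVG AntiVirus 2010", "Live PC Care", "Check Disk"]
    for name, verdict, closest in triage(sample):
        print(f"{name:32} {verdict:10} {closest or ''}")
```

“Security Essentials 2010” is reported as a lookalike of Microsoft Security Essentials because it reuses the brand tokens, and “AVG AntiVirus 2010” is flagged because stripping the year and the hyphen makes it identical to the real product without being an exact match. Names such as “Live PC Care” that borrow no brand at all come back as unknown, which is the correct verdict: an unrecognized product name is a reason to stop and research, not a pass.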
S!ri, a well known and respected malware fighter in the security community, wrote that some webmasters (cleaner affiliates) regularly use the screenshots that he made after analyzing a rogue, in their own blog posts.
The cleaner affiliates write about the dangerousness of the rogue and link to a “Free” Scan or “Free” Removal tool which may not be free at all.
So I decided to MAKE a picture of a new rogue that does NOT exist: Secure Shield. I post the picture and wait for the “serious” guys.
Those guys are inventing file, folder and key names.
Secure Shield fake rogue
While performing a search I saw the red warning circle given by Web Of Trust (WOT) to sites they have rated dangerous.
Normally one should stop there, people, but I was digging. In a clean, uninfected virtual machine I opened the URL, which took a while to load its nasty stuff, and then the pop-ups began.
“Don’t close this window if your want you PC to be clean”
Certifiedbug. September 6, 2008.
Harry Waldon has a nice article Malware Close Encounters – Close Pop-ups using Task Manager to safely exit which could help users to exit a pop-up install before too much damage is inflicted.