Trend Micro - Unmasking the Fake AVs

Unmasking the Fake AVs. Follow us on Facebook: www.facebook.com/TrendArgentina

Unmasking FAKEAV

Trend Micro, Incorporated
TrendLabs℠

TrendLabs is Trend Micro's global network of research, development, and support centers committed to 24 x 7 threat surveillance, attack prevention, and timely and seamless solutions delivery.

A Trend Micro White Paper | June 2010

CONTENTS

INTRODUCTION .......... 4
FAKEAV INFECTION VECTORS .......... 5
    Spammed Messages .......... 5
    Posing as Legitimate Antivirus or Anti-Spyware Programs .......... 5
    Fake Codecs .......... 6
    Search Engine Optimization Poisoning .......... 7
    Social Networking Sites .......... 7
    Malvertisements .......... 7
    Sponsored Sites .......... 8
FAKEAV PROLIFERATION VIA MALICIOUS ROUTINES .......... 9
    Iframes .......... 9
        Compromised Websites .......... 9
        Infected .HTML Files .......... 9
    Supporting Malware .......... 9
        Droppers .......... 9
        Downloaders .......... 9
        Infectors .......... 11
    Exploits .......... 11
MALWARE TRANSFORMATION .......... 12
EVOLUTION OF FAKEAV .......... 13
NOTABLE MALWARE BEHAVIORS .......... 14
    Utilizes Various Stealth Routines .......... 14
    Terminates Processes .......... 14
    Displays Pop-Up and Fake Warning Messages .......... 14
    Displays Warning Messages When Viewing Search Results .......... 15
    Drops Files .......... 16
    Displays Program Installation Prompts .......... 17
    Redirects to FAKEAV Download Sites .......... 18
    Modifies the Layered Service Provider .......... 19
    Utilizes Registry Shell Spawning .......... 19
    Blocks Access to Sites and Displays a Warning Page .......... 21
    Connects to Porn Sites .......... 21
ONLINE AND LOCAL FAKEAV TYPES .......... 22
    Online FAKEAV Variants .......... 22
    Local FAKEAV Variants .......... 23
PROTECTION AGAINST FAKEAV INFECTIONS .......... 24
RECOVERING FROM A FAKEAV INFECTION .......... 28
CONCLUSION .......... 29
REFERENCES .......... 30

2 WHITE PAPER | UNMASKING FAKEAV

INTRODUCTION

This white paper aims to educate companies' IT department staff on how rogue antivirus or FAKEAV applications arrive on systems. It aims to arm them with the right Trend Micro solutions that can help them combat these threats.

FAKEAV threats have been rampant in the past few years and are definitely here to stay.
Various FAKEAV variants have, in fact, infected millions of PCs and are continuously spreading worldwide.

One key weakness in an organization is a user who may unknowingly open a malicious email attachment or click a URL that redirects to a malicious site. This paper aims to educate users on the different social engineering techniques cybercriminals use to proliferate their malicious creations, particularly FAKEAV. An educated user will be more cautious about what he/she does, which will result in fewer malware infections.

The primary reason FAKEAV infections have become well known to users is that they have visual payloads. Variants of the malware family often display pop-up messages telling users that their machines have been infected. This may cause panic among users, pressuring them to purchase rogue antivirus applications in the hope of resolving the issue. Users should, however, never purchase antivirus software from unknown sources.

FAKEAV INFECTION VECTORS

Cybercriminals use different social engineering techniques to trick users into downloading and installing FAKEAV onto their systems. User education is thus key to understanding and battling this type of malware. The most common FAKEAV infection vectors are discussed in more detail in the following sections.

Spammed Messages

Cybercriminals often use spammed messages that entice users to click embedded links that lead to the download of FAKEAV.

Figure 1. Sample FAKEAV spam

Posing as Legitimate Antivirus or Anti-Spyware Programs

Users who surf the Web in search of downloadable antivirus or anti-spyware programs may end up with links to FAKEAV sites in their search results. Using popular search engines like Google and Yahoo! is, after all, no guarantee that they will not come across malicious links as results.
A lot of FAKEAV applications like XP Antivirus, Antivirus 2008, and Antivirus 2009, in fact, became popular since they could be easily downloaded from innocent- and professional-looking sites.

Figure 2. Malicious site from which a rogue antivirus application could be downloaded

Fake Codecs

Codecs are plug-ins for applications that can easily be downloaded off the Internet. Certain codecs are needed to play some types of media files, which is why some video-streaming sites require users to download video codecs. Cybercriminals have identified this routine as another social engineering approach to push FAKEAV disguised as codecs that unsuspecting users could download and install onto their systems.

Figure 3. FAKEAV purporting to be a video codec

Search Engine Optimization Poisoning

Search engine optimization (SEO) is a process to increase traffic to a website in order to improve its ranking, thus allowing it to appear among the top search results. Cybercriminals often use this technique to easily redirect users to the malicious sites they create. In July 2009, a FAKEAV variant rode on the popularity of a solar eclipse. Internet users searching for "solar eclipse 2009 in America" using popular engines like Google were led to a site where a script-based FAKEAV was hosted.

Figure 4. Malicious link that led to a FAKEAV download

Social Networking Sites

Social networking sites such as Twitter and Facebook have also become notable sources of FAKEAV variants. Fake social network accounts were created to host messages like the one below, which contain links that lead to FAKEAV sites.

Figure 5. Malicious links embedded in social network messages

Malvertisements

Some malicious advertisements, a.k.a. malvertisements, on compromised sites can also lead to a FAKEAV infection. A popular newspaper website, in fact, fell prey to this scheme in September last year.

Sponsored Sites

In September 2009, malicious links that led to the download of a FAKEAV variant were discovered among one of several search engines' sponsored sites.

Figure 6. Malicious FAKEAV download link to a supposed sponsored site

FAKEAV PROLIFERATION VIA MALICIOUS ROUTINES

Iframes

An iframe is a Web page element that functions as a document within a document or like a floating frame. It loads another .HTML document in-between
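The iframe abuse the paper describes relies on the second document being loaded where the visitor cannot see it. As an added example, not code from the Trend Micro paper, the following stand-alone Python script audits saved HTML (for instance a page pulled from a web-proxy capture) and flags iframes that are invisible or that load content from a host other than the page's own. The page URL, the sample HTML and the host names in it are constructed for the demonstration; the size and style heuristics are assumptions a defender would tune to their own environment.

```python
"""Flag hidden or off-origin <iframe> elements in an HTML document.

Added example (not from the Trend Micro paper). Standard library only, so it
runs offline over saved pages. Findings are returned as a list of dicts so the
result can be asserted on or fed into a reporting pipeline.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Style fragments that make a frame invisible to the user (assumed heuristics).
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Frames pushed off the visible canvas with a large negative offset.
OFFSCREEN = re.compile(r"(?:left|top)\s*:\s*-\d+", re.I)
# Inline style sizes; the lookbehind keeps 'min-width'/'line-height' from matching.
STYLE_W = re.compile(r"(?<![-\w])width\s*:\s*(\d+)", re.I)
STYLE_H = re.compile(r"(?<![-\w])height\s*:\s*(\d+)", re.I)
TINY_PX = 2  # frames this small or smaller cannot show meaningful content


def _px(value):
    """Parse a width/height attribute such as '0' or '1px'; None if not a pixel size."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)\s*(?:px)?\s*$", value, re.I)
    return int(m.group(1)) if m else None


class IframeAuditor(HTMLParser):
    """Collect every <iframe> that is hidden, tiny, off-screen or off-origin."""

    def __init__(self, page_url):
        super().__init__()
        # Host of the page under review; relative iframe src values share it.
        self.page_host = urlparse(page_url).hostname or ""
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src, style = a.get("src", ""), a.get("style", "")
        reasons = []

        # Size from attributes, overridden by inline style if present.
        w, h = _px(a.get("width")), _px(a.get("height"))
        if STYLE_W.search(style):
            w = int(STYLE_W.search(style).group(1))
        if STYLE_H.search(style):
            h = int(STYLE_H.search(style).group(1))
        if (w is not None and w <= TINY_PX) or (h is not None and h <= TINY_PX):
            reasons.append("tiny-size")
        if HIDDEN_STYLE.search(style):
            reasons.append("hidden-style")
        if OFFSCREEN.search(style):
            reasons.append("off-screen")

        # A src on a different host (not a subdomain of the page) is off-origin.
        host = urlparse(src).hostname
        if host and host != self.page_host and not host.endswith("." + self.page_host):
            reasons.append("off-origin")

        if reasons:
            self.findings.append({"line": self.getpos()[0], "src": src, "reasons": reasons})


def audit_iframes(html, page_url):
    """Return the list of suspicious iframe findings for one HTML document."""
    parser = IframeAuditor(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one legitimate frame and three patterns worth a look.
SAMPLE_URL = "https://news.example/index.html"
SAMPLE_PAGE = """<html><body>
<h1>Local news</h1>
<iframe src="https://news.example/weather" width="300" height="200"></iframe>
<iframe src="http://ad-host.example.net/x.html" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://ad-host.example.net/y.html" style="position:absolute; left:-9999px"></iframe>
<iframe src="/local/widget.html" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_iframes(SAMPLE_PAGE, SAMPLE_URL):
        print(f"line {finding['line']}: {finding['src']} -> {', '.join(finding['reasons'])}")
```

On the constructed page the weather frame passes, while the zero-sized and off-screen frames are reported as both hidden and off-origin, and the display:none frame is reported for its style alone. Triage reviewers usually treat "hidden" plus "off-origin" as the strongest signal, since a legitimate site rarely needs to load a third party's document where nobody can see it.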