LeetLink Tips: September 2009

Recently I had to remove a scareware infection from a customer’s network. This was a real “bear.” It turned out to be two infections, one on each of two computers. One was scareware; the other was a trojan. The scareware on the one computer was very sophisticated. It disabled or took over the existing antivirus software (McAffee) and prohibited any new virus or malware software from running. I couldn’t even install new virus or malware software. In addition, there was no reliable information on this scareware on the internet. Here’s a picture that first introduced the existence of the scareware:

Then they were given the “opportunity” to purchase the software to fix the problem:

Below I’m republishing an article on scareware. It has a lot of good information in it. It was difficult for me to read because the grammar was incorrect; obviously the writer was foreign and was doing a literal translation from his language. I’ve fixed some of the wording, so I hope it makes some sense.

The key take-away from this is to NOT click on anything that looks like security software. Don’t even click on the x in the upper right corner. If you do anything to indicate you’ve seen any of the popups, the scareware software will install, communicate to it’s client somewhere on the internet, and you will be caught in its web. The cost of removing the beast can be anywhere from $20 to $100, depending on the nature of the beast. (Those are my prices; if you use someone else, count on $90 to $300; it is almost worth buying another computer.

Here’s the article:

Scareware Primer

The following article was copied from http://blogs.zdnet.com/security/?p=4297. The author information is:

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.

I’ve changed some of the wording to correct grammatical mistakes.

Throughout the last two years, scareware (fake security software) quickly emerged as the single most profitable strategy for cybercriminals. Due to aggressive advertising practices applied by the cybercrime gangs, thousands of users fall victim to the scam daily, with the gangs themselves earning hundreds of thousands of dollars.

Q3 2009 was has been the most active quarter to date, due to the high “pay-out” rate compared to other internet scams.

This is an end user-friendly guide on what scareware is, the risks posed by installing it, what it looks like, its delivery channels, and most importantly, how to recognize it, avoid it, and report it to the security community.

What is scareware?

Basically, scareware, also known as rogueware or put in simple terms, fake security software, is a legitimately looking application that is delivered to the end user through illegal traffic acquisition tactics starting from compromised web sites (Sony PlayStation’s site SQL injected, redirecting to rogue security software), malvertising (MSN Norway serving Flash exploits through malvertising; Fake Antivirus XP pops-up at Cleveland.com; Scareware pops-up at FoxNews; Ukrainian “Fan Club” Features Malvertisement at NYTimes.com), or blackhat search engine optimization (9/11 related keywords hijacked to serve scareware; The most dangerous celebrities to search for in 2009; The Web’s most dangerous keywords to search for), to ultimately attempt to trick the user into believing their computer is already infected with malware, and that purchasing the application will help them get rid of it.

Upon execution, certain scareware releases will not only prevent legitimate security software from loading, but it will also prevent it from reaching its update locations in an attempt to ensure that the end user will not be able to get the latest signatures database. Moreover, it will also attempt to make its removal a time-consuming process by blocking system tools and third-party applications from executing.

There have also been cases where scareware with elements of ransomware has been encrypting an infected user’s files, demanding a purchase in order to decrypt them, as well as a single reported incident where a scareware domains was also embedded with client-side exploits.

For the time being, scareware releases are exclusively targeting Microsoft Windows users.

The characteristics of scareware - pattern recognition for a scam

Scareware sites all share a very common set of deceptive advertising practices. You can use these practices to spot the scammer.

For instance, the majority of scareware sites attempt to build more authenticity into their propositions by using “non-clickable” icons of reputable technology web sites and performance evaluating services, such as PC Magazine Editors’ Choice award, Microsoft Certified Partner, ICSA Labs Certified, Westcoast Labs Certified, Certified by Softpedia, CNET Editors’ Choice, as well as ZDNet Reviews — the real ZDNet Reviews.

Yet another popular social engineering tactic are the fake comparative review templates, basically showing a chart where the scareware outperforms software offered by some of the leading security companies.

The attached screenshot indicates how three different scareware brands (Virus Shield 2009, Windows Security Suite and Malware Destructor 2009) are all using the same template claiming their superiority over legitimate security software.

The primary tactic is to simulate a real-time antivirus scanning in progress dialog, which in reality is nothing else but a static script, with anecdotal cases where Mac users are presented with a Windows-like My Documents folder window.

The scanner’s results are static, fake and have absolutely no access to your hard drive, therefore the claims that “You’re Infected!; Windows has been infected; Warning: Malware Infections founds; Malware threat detected” should be considered a fear mongering tactic.

Legitimate online free malware scanners include, but are not limited to:

Among the key characteristics of scareware are the professional site layout, as well as the persistent re-branding- changing the name of the product-in an attempt to shift the end user’s attention from the previous brand’s increasingly bad reputation across the web. Combined, these characteristics result in an efficient social engineering driven scam that daily tricks thousands of victims.

The delivery channels and traffic hijacking tactics of scareware campaigns

There’s a high probability that your last encounter with scareware came totally out of blue. Despite the tact that cybecriminals are always looking for new push and pull strategies for their malware releases, there are several tactics currently representing the most popular delivery channels for scareware. Let’s review some of them.

Blackhat search engine optimization (SEO) - blackhat search engine optimization remains the traffic acquisition method of choice for the majority of cybercriminals looks for quick ways to hijacking as much traffic as possible using real-time events as themes for their campaigns. This tactic consists of hundreds of thousands of hijacked keywords parked on domains maintained by the criminals. Upon visiting any them, the user is tricked into believing the site is serving legitimate content end user, but the reality is that the browser is automatically redirected to a simulated real-time antivirus scanning screen.

The relevance of the themes is automatically syndicated from public services such as Google Trends in order to ensure that the window of opportunity for a particular event is hijacked for the purpose of serving scareware. It’s important to point out that each and every campaign relies on the end user’s gullibility to manually download and execute the scareware.

Some of the ongoing blackhat SEO campaigns include - 9/11 related keywords hijacked to serve scareware; Federal forms themed blackhat SEO campaign serving scareware and News Items Themed Blackhat SEO Campaign Still Active

Systematic abuse of social networks/Web 2.0 services - there hasn’t been a single social network or Web 2.0 service that hasn’t been abused for scareware serving purposes. From Twitter, Scribd and LinkedIn to Digg and Google Video, the systematic abuse of these services through the automatic registration of hundreds of accounts by outsourcing the CAPTCHA-recognition process, remains an active asset in the arsenal of the scareware campaigner
Malvertising (malicious advertising) - malvertising is the practice of serving malicious ads on legitimate and high profile sites in an attempt to exploit the end user’s trust in their ability to filter out such ads. Notable cases where scareware windows pop-up out of the blue include - Fake Antivirus XP pops-up at Cleveland.com; Scareware pops-up at FoxNews, Digg, MSNBC and Newsweek scareware campaign through malvertising
Pushed by some of the most prolific botnets such as Conficker and Koobface - The Koobface botnet gang which I’ve been tracking over the past couple of months, is not only among the most active blackhat SEO cybercrime enterprises online — at least for the time being — but there have been cases where they’ve been directly installing scareware on Koobface infected hosts. Despite its current idleness, the Conficker botnet gang has already made three attempts to monetize the millions of infected hosts, by reselling access to them to two different gangs, but has also attempted to install scareware on them

Now that you know what scareware is and how it reaches you, it’s time to review some of practical ways for recognizing, avoiding and reporting it to the security community for further analysis.

scareware

Recognizing the bad apples and flagging them

Due to the dynamic and constant re-branding of known scareware releases, maintaining a list of brands to recognize, avoid and be suspicious about is highly impractical.

However, the most logical approach is to maintain a list of legitimate antivirus software vendors in an attempt to raise more suspicion on those who are not within the list. One such list is maintained by the CCSS (Common Computing Security Standards Forum), and for the time being includes the following vendors:

AhnLab (V3)
Antiy Labs (Antiy-AVL)
Aladdin (eSafe)
ALWIL (Avast! Antivirus)
Authentium (Command Antivirus)
AVG Technologies (AVG)
Avira (AntiVir)
Cat Computer Services (Quick Heal)
ClamAV (ClamAV)
Comodo (Comodo)
CA Inc. (Vet)
Doctor Web, Ltd. (DrWeb)
Emsi Software GmbH (a-squared)
Eset Software (ESET NOD32)
Fortinet (Fortinet)
FRISK Software (F-Prot)
F-Secure (F-Secure)
G DATA Software (GData)
Hacksoft (The Hacker)
Hauri (ViRobot)
Ikarus Software (Ikarus)
INCA Internet (nProtect)
K7 Computing (K7AntiVirus)
Kaspersky Lab (AVP)
McAfee (VirusScan)
Microsoft (Malware Protection)
Norman (Norman Antivirus)
Panda Security (Panda Platinum)
PC Tools (PCTools)
Prevx (Prevx1)
Rising Antivirus (Rising)
Secure Computing (SecureWeb)
BitDefender GmbH (BitDefender)
Sophos (SAV)
Sunbelt Software (Antivirus)
Symantec (Norton Antivirus)
VirusBlokAda (VBA32)
Trend Micro (TrendMicro)
VirusBuster (VirusBuster)

An alternative list of legitimate antivirus software providers is also maintained by the VirusTotal service.

If you’re serious about security and care about your data, you wouldn’t trust your computer’s integrity to an application called Doctor Antivirus 2008, Spyware Preventer 2009, Power Antivirus, Total Virus Protection, Malware Destructor 2009, Cleaner 2009, Smart Antivirus 2009, Antivirus VIP or Advanced Antivirus 2009, would you?

Another practical step in recognizing scareware, is to research the potentially malicious domain in question by either using Google.com, or an investigative search engine maintained by Google’s Anti-Malvertising.com project. The search engine is using a database of sites maintaining lists of scareware related domains, and greatly increases the probability of seeing the suspicious domain in the results.

Keeping in mind that the end user has full control of the scareware window that popped-up on their screen — despite its modest resistance when attempting to close it down – downloading a copy of it, and once making sure you’re not going to execute it, submit it to a multiple antivirus scanning service such as VirusTotal.com to further ensure its real nature, may in fact help protect millions of users across the globe against this particular release since the service shares the malware binaries across multiple vendors.

The file submitted on the attached screenshot may not be detected by your antivirus vendor as scareware, but has already been flagged as scareware by several other.

Avoiding and preventing the scareware campaign

As in real-life virus outbreak, prevention is always better than the cure. In terms of scareware, handy Firefox-friendly add-ons such as NoScript — which you can see in action against an ongoing scareware campaign — can undermine the effectiveness of any scareware campaign, delivered through any of the distribution channels already discussed.

In a fraudulent scheme relying exclusively on social engineering tactics, fear in particular, and a business model that’s largely driven by the end user’s lack of awareness on this nearly perfect social engineering scam, vigilance, absence of gullibility and common sense suspicion remain your best protection.

Consider going through the “The ultimate guide to scareware protection” gallery

Have you been a victim of scareware, or has a scareware brand ever popped-up on your screen while browsing a legitimate web site? What do you think thousands of users purchase fake security software on a daily basis?