Fake anti-virus

Published: 2009-09-04
Last Updated: 2011-01-24 23:50:54 UTC
by Adrien de Beaupre (Version: 1)

Matt wrote in with the following:

"It might be a good idea to make end users aware that the fake-antivirus scan / trojan / ransomware people have raised the bar. I'm planning to put together a small educational email to send to my end users.

I had a difficult malware extraction today.  One of our users ended up with Windows Police Pro (WPP) malware installed on her machine. I was really surprised at how tough this program was to clear, and ended up re-loading the machine via Ghost image.

In the past two days, I've heard of two reports of users getting infected, had to handle one myself, and got an email after work from a tech at a remote site. It appears the fake-antivirus scammers have improved their game a lot. The initial 'lure' on the web has been polished quite a bit to get users to accept the program.

The issues that made Windows Police Pro especially hard to remove were:

1. The main program will not close, and will respawn if killed through Task Manager.
2. The program puts up fake Windows Security pop-ups that are very good copies of the original.
3. It contains a fake of the Windows Security control panel that is a very accurate reproduction.
4. It re-assigns actions for .exe files to its own command interpreter, desote.exe. This program does not run any .exe chosen, just pops up an error window claiming the desired file is infected. This action makes it impossible to install MalwareBytes or CCleaner, or even run just about anything else from within the infected session.

I tried to change the .exe assignment in the Registry, but ultimately just deleted the main WPP program files and desote.exe file (Windows Search would still work), which meant the machine came up with the 'I don't know what program to use to open this file' dialog when I clicked on the installer package. I was able to manually find and run cmd.exe from the /Windows/System32 directory, and get CCleaner to install, but it did not fix the broken registry keys to re-stabilize the system. At this point I just gave up pursuit, copied the user's files to USB drive, and reloaded from Ghost.

The only element of this that I thought was groundbreaking was the .exe hijack.  Otherwise it's just an impressive polishing job on a tired scam.

Users with only Windows knowledge, or otherwise without an alternate OS to use to cure this, will be at a big disadvantage."

Thanks Matt! Couldn't agree more.
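The .exe hijack Matt describes lives in the `exefile` shell\open\command association, which on a stock Windows install is `"%1" %*`. The following is an added example, not part of the diary or anything Matt sent in: it parses a `reg export` of the relevant keys (a constructed sample; the desote.exe path shown is a placeholder, the diary does not give its location), flags any value that differs from the stock one, and emits a .reg file that restores the defaults.

```python
import re

# Stock Windows default values for the .exe association (not from the diary;
# these are the values a clean install carries).
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
}

# Constructed sample of a `reg export` taken from a hijacked machine. The
# desote.exe path is a placeholder; the diary does not state where it lives.
SAMPLE_HIJACKED = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\EXAMPLE_PATH\\desote.exe\" \"%1\" %*"
'''

def _unescape(s):
    # .reg files escape backslashes and double quotes with a backslash
    return re.sub(r'\\(.)', r'\1', s)

def _escape(s):
    return s.replace('\\', '\\\\').replace('"', '\\"')

def parse_reg_export(text):
    """Map each key in a .reg export to its (Default) string value, written as @="..."."""
    values, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
        elif current and line.startswith('@="') and line.endswith('"'):
            values[current] = _unescape(line[3:-1])
    return values

def check_exe_association(values):
    """Return (key, actual, expected) for every association value that differs from stock."""
    return [(k, values.get(k), v) for k, v in EXPECTED.items() if values.get(k) != v]

def remediation_reg():
    """Build a .reg file that restores the stock .exe association."""
    out = ['Windows Registry Editor Version 5.00', '']
    for key, value in EXPECTED.items():
        out += ['[%s]' % key, '@="%s"' % _escape(value), '']
    return '\n'.join(out)

if __name__ == '__main__':
    for key, actual, expected in check_exe_association(parse_reg_export(SAMPLE_HIJACKED)):
        print('TAMPERED %s: %r (expected %r)' % (key, actual, expected))
```

As Matt notes, the infected session cannot launch .exe files, so the export and the repair are best done from an offline or alternate boot environment rather than from inside the compromised session.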

Adrien de Beaupré Inc.

Keywords: fake antimalware