Fake anti-virus

Published: 2009-09-04
Last Updated: 2011-01-24 23:50:54 UTC
by Adrien de Beaupre (Version: 1)
12 comment(s)

Matt wrote in with the following:

"It might be a good idea to make end users aware that the fake-antivirus scan / trojan / ransomware people have raised the bar.  I'm planning to put together a small educational email to send to my end users.

I had a difficult malware extraction today.  One of our users ended up with Windows Police Pro (WPP) malware installed on her machine. I was really surprised at how tough this program was to clear, and ended up re-loading the machine via Ghost image.

In the past two days, I've heard of two reports of users getting infected, had to handle one myself, and got an email after work from a tech at a remote site.  It appears the fake-antivirus scammers have improved their game a lot. The initial 'lure' on the web has been polished quite a bit to get users to accept the program.

The issues that made Windows Police Pro especially hard to remove were:

1. The main program will not close, and will respawn if killed through Task Manager.
2. The program puts up fake Windows Security pop-ups that are very good copies of the original.
3. It contains a fake of the Windows Security control panel that is a very accurate reproduction.
4. It re-assigns actions for .exe files to its own command interpreter, desote.exe.  This program does not run any .exe chosen, just pops up an error window claiming the desired file is infected.  This action makes it impossible to install MalwareBytes or CCleaner, or even run just about anything else from within the infected session.

I tried to change the .exe assignment in the Registry, but ultimately just deleted the main WPP program files and desote.exe file (Windows Search would still work), which meant the machine came up with the 'I don't know what program to use to open this file' dialog when I clicked on the installer package.  I was able to manually find and run cmd.exe from the /Windows/System32 directory, and get CCleaner to install, but it did not fix the broken registry keys to re-stabilize the system.  At this point I just gave up pursuit, copied the user's files to USB drive, and reloaded from Ghost.

The only element of this that I thought was groundbreaking was the .exe hijack.  Otherwise it's just an impressive polishing job on a tired scam.

Users with only Windows knowledge, or otherwise without an alternate OS to use to cure this, will be at a big disadvantage."

Thanks Matt! Couldn't agree more.

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.

Keywords: fake antimalware

Comments

Whenever I run against a stubborn piece of malware such as this, I usually just boot off of a USB stick with Fedora LiveUSB or drop the hard disk into a separate machine for disinfection. Trying to clean a live OS is just too time consuming.
Best of luck to anyone else who catches this thing.

I ran into this same virus about a week and a half ago using the name Antivirus Pro 2009. Same M.O., awe-inspiring fake control panel, desote.exe.

The variant I was dealing with was completely missed by everything at VirusTotal, but I was able to remove most of the startup scripts/services/etc. using an XP PE boot CD.

Unfortunately, I couldn't prevent desote.exe from reactivating on boot.

I removed the rest of it using malwarebytes, but I had to resort to renaming all of the MBytes *.exe files to *.com.

It worked, and I was able to kill the rest of the virus by hand.

I played with it for a week and every time I rebooted the vm, the files had a different name, checksum, and were in different locations.

Also, the AV software would update and start catching this thing, but by the following day it had changed enough that the files were being missed again. (I was scanning the VM's drive from a different VM, and rolling it back after each scan.)

Not sure how we can fully protect users from this, but if anyone has any ideas, I'd love to hear them.

I'm curious, does the user of the infected machine have administrative rights? Would the malware manage to infect the machine if the user had only 'User' or 'Power User' rights?

Hijacking the EXE handler is not a new tactic. It used to be a very popular way to get the virus running if the autoruns got killed off.

The regkey responsible is:
HKEY_CLASSES_ROOT\exefile\shell\open\command
The (default) key should be set to:
"%1" %*

If you are unable to change the key, try doing an offline registry edit from a PE or other environment. Open the SOFTWARE hive and look under Classes\exefile\shell\open\command. Otherwise, check the permissions of the key. I've seen more and more malware change permissions on reg keys to lock out DLLs, or disable the Windows Update service.

As usual, a reinstall is always recommended, but sometimes that isn't an option.

Perhaps we should use their tactics against them and deny all write privileges to some things like the exefile class... I think I will try that out this week.
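
The check described in the comment above, and the desote.exe hijack Matt reports in the diary, written out as a script. This is an added example, not code from the diary or from any commenter. It assumes the expected value the comment gives ('"%1" %*'); the additional check of the .exe extension to exefile ProgID mapping, the per-user HKCU\Software\Classes override, the Repair-ExeHandler / -Restore / -SoftwareHive names and the WinPE offline-hive workflow are this example's own choices, not something the thread documents.

```powershell
# Added example, not from the diary or its comments: audit (and optionally repair) the
# .exe file-association chain that Windows Police Pro / desote.exe is reported to hijack.
# Run from an elevated prompt. On a live infected session powershell.exe itself may be
# blocked by the hijack, so from WinPE load the victim's SOFTWARE hive first:
#   reg load HKLM\Offline X:\Windows\System32\config\SOFTWARE
# and call Repair-ExeHandler -SoftwareHive 'HKEY_LOCAL_MACHINE\Offline'.
function Repair-ExeHandler {
    param(
        [switch]$Restore,
        [string]$SoftwareHive = 'HKEY_LOCAL_MACHINE\SOFTWARE'   # 'HKEY_LOCAL_MACHINE\Offline' after reg load
    )

    # Expected chain: the .exe extension maps to the exefile ProgID, and exefile's open
    # command runs the file itself with its arguments. Anything else is a redirection.
    # Per-user keys under HKCU\Software\Classes are consulted before HKLM and are normally
    # absent, so their presence is treated as an override (this example's own check).
    $Checks = @(
        @{ Path = "Registry::$SoftwareHive\Classes\.exe";                                   Expected = 'exefile' },
        @{ Path = "Registry::$SoftwareHive\Classes\exefile\shell\open\command";             Expected = '"%1" %*' },
        @{ Path = 'Registry::HKEY_CURRENT_USER\Software\Classes\.exe';                      Expected = $null },
        @{ Path = 'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command'; Expected = $null }
    )

    foreach ($Check in $Checks) {
        $Path = $Check.Path
        if (-not (Test-Path -LiteralPath $Path)) {
            if ($null -eq $Check.Expected) { Write-Output "OK       $Path (absent, as expected)" }
            else                           { Write-Warning "MISSING  $Path" }
            continue
        }

        # An unset (default) value comes back as $null and therefore fails the comparison.
        $Current = (Get-ItemProperty -LiteralPath $Path).'(default)'

        if ($null -eq $Check.Expected) {
            Write-Warning "OVERRIDE $Path = $Current"
            if ($Restore) {
                # Removing the per-user key puts the HKLM value back in effect.
                Remove-Item -LiteralPath $Path -Recurse -Force
                Write-Output "REMOVED  $Path"
            }
            continue
        }

        if ($Current -eq $Check.Expected) {
            Write-Output "OK       $Path = $Current"
            continue
        }
        Write-Warning "HIJACK   $Path = $Current"
        if (-not $Restore) { continue }

        # Malware often strips write access from the key (see the comment above), so take
        # the ACL back for Administrators before rewriting the value.
        $Acl  = Get-Acl -LiteralPath $Path
        $Rule = New-Object System.Security.AccessControl.RegistryAccessRule(
                    'BUILTIN\Administrators', 'FullControl',
                    'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $Acl.SetAccessRule($Rule)
        Set-Acl -LiteralPath $Path -AclObject $Acl
        Set-ItemProperty -LiteralPath $Path -Name '(default)' -Value $Check.Expected
        Write-Output "FIXED    $Path = $($Check.Expected)"
    }
}

Repair-ExeHandler             # audit only
# Repair-ExeHandler -Restore  # audit and repair
```

When run against an offline hive from WinPE the HKCU checks only see the PE's own profile; to inspect the victim's per-user keys, load their NTUSER.DAT with reg load as well and point those two paths at it. Restoring the value is not a cleanup on its own: the commenters above note the malware respawns and changes file names on each boot, so this only gets a working .exe association back so that removal tools can be started.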
I'd like to see an example of Matt's (or anyone's) educational e-mail for users. Educated users are a good thing.

I had 2 or 3 incidents like this a few weeks ago. Not getting infected, but getting the fake AV screen. It turned out to be a drive-by from wunderground.com ads. I notified wunderground and they were very responsive in getting it cleaned up. I was very impressed.

I have had a couple of customers get this as well. Seems it embeds itself in several ways and changes a lot of security permissions. My most recent variant had several files running called do_not_delete.exe which were the virus. When deleted, the system would no longer finish a login. It would crash and reboot. I do know where they got it from though. LimeWire! I have had too many get things this way. That file-sharing service is giving me lots of business, but unfortunately a reinstall is usually necessary now. Too many settings changed that make the infection easier to recur I find, even if it can be defeated and removed. The door is still open...

-Al

Anyone have a link to virustotal or an MD5 of some/all of the involved files?

I too have been facing similar issues in the IT trenches. I was surprised at the results of some of my personal pen testing that I was able to so easily circumvent most of the popular A/V solutions deployed in corporate networks these days. It was only a matter of time before the bad guys made a run at this.

Why not have M$ use the magic number of a file to determine its association? It would make much of the use of extension association issues completely moot. Of course the associative app can still be hijacked... hhhmmm...

Has anyone been able to determine if this variant is sensitive to user rights? (Power User, User, etc). These are good lines of defense and often keep users in check as well which is always a good thing.
From what Eldorel said, this thing morphs, which affects file names, paths and MD5s as well.