Why is Rogue/Fake AV so successful?
Rogue AV programs have become increasingly common in last two years. We at the SANS Internet Storm Center get messages from our readers about new rogue AV sites daily.
It is obvious that the bad guys are making (serious?) money with this scamming scheme. There are couple of things interesting about rogue AV programs. First, the bad guys here do not use (in most cases) any sophisticated attacks on clients. They instead rely on visitors to wittingly install their "AV program". How do they do this? Through social engineering – they create web pages which are very authentic copy of legitimate screens in Windows operating systems. These web pages make visitors believe that their machine is infected with several malicious programs and that the offered "AV program" can help them clean it.
Once the rogue AV program is installed, the victim has to pay money to get it "working" or, in some cases to even uninstall it. So, the money making scheme is simple (some rogue AV versions even steal local data and install keyloggers).
In order to get people to visit their web sites serving rogue AV programs, the attackers use different vectors – they even follow news as only couple of hours after Patrick Swayze's death search engines were filled with bogus pages pointing to rogue AV programs.
The main reason, however, why rogue AV is so successful is its persistence and amount of details - the web page they use to scare the visitor looks almost exactly like Windows' Security Center. One such page is shown below:
I was, of course, interested to see what else they do so I decided to analyze the code behind. First of all, I must say that the code is very elegant and clean, it's obvious that the bad guys got a real programmer to code the page (and malware?) for them.
The web page uses JQuery, a well known and popular JavaScript library. After setting up the environment, the JavaScript code on the web page shows a fake scan of the machine with seemingly random file names. The file names are actually grabbed from a huge array contained in a separate file (flist.js). The file names in this array (there is 1100 of them) are actually copied from a Windows XP machine (C:WindowsSystem32 directory). This, of course, increases the authenticity of the scan.
After the scan finishes, the user is informed that the machine is infected with viruses. The JavaScript code on the web page initially set up some handlers, so no matter what the user does next he will see a window notifying him that his machine is infected (interesting, the attackers used JavaScript confirm() method to display this message).
Of course, this wasn't generated by Windows – it's actually just an image the attackers created. The "Remove all" and "Cancel" also aren't real buttons, just part of the image which has a handler that will get executed wherever the user clicks. You guess, on a click it will try to download the Rogue AV program. To eliminate any confusion, they also show this nice window where they explain what exactly needs to be done in order to install their rogue AV program.
It is now not strange that rogue AV programs are infecting so many machines. The devil is in the details, and the attackers made damn sure that all details are here to fool the potential victims.
--
Bojan
| Web App Penetration Testing and Ethical Hacking | Amsterdam | Mar 31st - Apr 5th 2025 |
Comments
joeblow
Sep 17th 2009
1 decade ago
RJX
Sep 17th 2009
1 decade ago
Just so you know I don't "just know computers" I am a Information Security Specialist and I know a lot more than computers. I also have to know vulnerabilities, how to exploit those vulnerabilities, how to fix those vulnerabilities, Networking, different OS's, and how to keep normal users from screwing the entire company over.
djenkins83
Sep 17th 2009
1 decade ago
Just so you know I don't "just know computers" I am a Information Security Specialist and I know a lot more than computers. I also have to know vulnerabilities, how to exploit those vulnerabilities, how to fix those vulnerabilities, Networking, different OS's, and how to keep normal users from screwing the entire company over.
djenkins83
Sep 17th 2009
1 decade ago
djenkins83
Sep 17th 2009
1 decade ago
https://www.virustotal.com/analisis/5a0022f6e17b10622d45f8ba85616be27264987e7750b868ab532c5a660cf31f-1253129224
Ramu
Sep 17th 2009
1 decade ago
m4tt
Sep 17th 2009
1 decade ago
In reality, the problem is the culture of antivirus and window security, in general. The market has conditioned the users into believing that "secure" means "secure" - when in fact, most security products are about as security related as the "ENCRYPTED/Secure Site" graphic in the bogus page sample, above. In a world where snake-oil abounds... statistically, this "fake" av product is only slightly less effective than most "legit" ones. Q.v. the virustotal comment above, lmao - and both the "fake" and "legit" have the same goal, and same technique - get the sucker's money, and make them "feel good".
Steven
Sep 17th 2009
1 decade ago
I'd be curious to see the web browser statistics on these sites.
Jason
Sep 17th 2009
1 decade ago
Some new ones that have shown up since yesterday at about noon (EDT) also attempt to load a proxy and I assume a data grab tool as well.
The way these things are written it seems they time out on some machines after they reconfigure the network layer and do not re-enable the LAN adapter. Of course, if finding 3 that failed to do this, chances are there are a lot more that succeeded.
Hold on.. rough ride ahead! -Al
Al
Sep 17th 2009
1 decade ago