Thursday, April 15, 2010

Fake AV In the News

Last week I had the opportunity to speak at the IT-360 conference in Toronto, Canada. One of the points I made in my talk was that we need to respond differently to malware. Rather than just deleting the malware, those who are able should spend a bit of additional time gathering intelligence and sharing that intelligence with the public and law enforcement. Brian Jackson from ITBusiness Canada took that message to heart, and contacted our lab this week to ask what we could tell him about a curious Google search he had performed.

Brian was looking for more information on the plane involved in the recent death of the President of Poland, a Tupolev "TU-154", which NATO refers to by the reporting name "Careless". When he searched Google for:

TU-154 Careless

nine of the top ten hits he got back were links to pages containing malware. He tells his own version of the story in his article Hackers exploit Polish President's death with scareware attack. Now, even three days later, several of the top Google results still point to malware sites, including:

haroldmedia.com.au
insidekbm.com
innerproductsgroup.com

We passed Brian's request for research to our Malware Analysis group, led by UAB Computer & Information Sciences Masters student Brian Tanner. He responded quickly: within the first thirty minutes he had a strong understanding of what was going on, including identifying a high school website in North Alabama that had been compromised to help distribute the malware! Others joined Brian in the analysis to provide more details.

These sites are part of an aggressive SEO (Search Engine Optimization) poisoning campaign: they build "news headline" pages around current search terms so that those pages reach the top of Google's rankings. For instance, Google is currently indexing 741 unique news headlines on the InnerProductsGroup website; most are current news headlines or "hot searches" such as:

mine rescue teams
mine rescue chambers
frank lucas wife
new york times crossword answers
mega piranha trailer
nbc news brian williams
kristen stewart budapest
tupolev 154 cockpit
the katyn massacre movie
national katyn massacre movie
smolensk airport
jack johnson tour dates usa 2010
spartacus episode 12
Remax.com Homes For Sale Houston

Here's an example from that list - a search for "Kristen Stewart Budapest" shows three malware pages in the top ten results on Google, in positions #4, #7, and #9 for me, but only one of the three is currently properly labeled as "This Site May Harm Your Computer".



What happens if you visit one of these sites? It launches the installation of a type of malware that we call "Fake AV". Let me start by showing you what one of these LOOKS like:



Clicking OK results in a web page that appears to be doing a Virus Scan.



The AV, which was really a web page, then says it needs to be updated, and offers an update for you to install.


Running that one actually does install the Fake AV product.




After installing the Fake AV, many imaginary viruses on your computer are "detected", and you are asked if you would like to "Remove All".



Choosing "Remove All" prompts you for credit card information, offering several purchase plans ranging from $49.95 to $89.95 for a "lifetime" Fake AV product.




If you decide not to complete the transaction, you will be bugged relentlessly with pop-ups like these.




Reporting ScareWare



Sounds scary, doesn't it? The industry calls this type of malware "Scareware". It's going to keep trying to make you believe that the only way to keep your machine safe is to give the criminal your credit card information.

Last June, the US Government's Federal Trade Commission fined one of these Scareware vendors $1.9 Million for selling more than 1 million copies of his fake anti-virus software! That's proof that people really do get victimized by this software! I experienced some of James Reno and Innovative Marketing's software first hand when I visited a hotel in San Diego last year. The Business Office computers were all "protected" with one of their fake anti-virus software packages.

There's big money in Fake AV, which is why the current gang continues so diligently even after seeing one of their fellows fined $1.9 Million!

If you've been scammed by these criminals, be sure to file a complaint! I recommend complaining to the FBI's Internet Crime Complaint Center (ic3.gov). Because of the FTC's previous involvement with Fake AV, you might also want to file your complaint there using their FTC Complaint Assistant.

While neither of these complaint forms is ideally suited for dealing with a Fake AV product, both do offer the opportunity to enter a free-form complaint towards the end of the process. Put as much descriptive detail as you can there.

(Watch FTC Video ScamWatch: How To File A Complaint.)

How does it work?



The sites that have been SEO optimized to show up in news headline and other popular searches act as redirectors. If you type the URL in directly, the site forwards you to CNN.com. If you are REFERRED to the URL from Google, Yahoo, or Bing, you are redirected instead to the fake "scanner" page. That page varies widely, but in our case above the chain started with a redirect to:

www.bestsafety9.xorg.pl
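The referrer-based cloaking described above can be checked from the defender's side by requesting the same URL twice, once with no Referer and once with a search-engine Referer, and comparing where each request is redirected. The script below is an added example, not code from the original post; `simulated_fetch` is a constructed stand-in that mirrors the behaviour the post describes so the check can be run offline, and `live_fetch` is the real HTTP version (the Referer string is a constructed sample).

```python
"""Check a URL for search-engine referrer cloaking.
Added example, not from the original post: the redirect targets returned by
simulated_fetch are constructed to mirror the behaviour the post describes."""
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

SEARCH_REFERER = "https://www.google.com/search?q=tu-154+careless"  # constructed
Fetcher = Callable[[str, Optional[str]], Tuple[int, Optional[str]]]

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx so the Location header can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def live_fetch(url: str, referer: Optional[str]) -> Tuple[int, Optional[str]]:
    """One HTTP request, redirects not followed; returns (status, Location)."""
    headers = {"User-Agent": "Mozilla/5.0"}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=10) as resp:
            return resp.getcode(), resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # a 3xx lands here once redirects are disabled
        return err.code, err.headers.get("Location")

def simulated_fetch(url: str, referer: Optional[str]) -> Tuple[int, Optional[str]]:
    """Constructed stand-in: direct visits go to CNN, search visitors to the scanner."""
    if referer and any(se in referer for se in ("google.", "yahoo.", "bing.")):
        return 302, "http://www.bestsafety9.xorg.pl/"
    return 302, "http://www.cnn.com/"

def classify(url: str, fetch: Fetcher = live_fetch) -> Dict[str, object]:
    """Fetch twice (no Referer, then a search-engine Referer) and compare targets."""
    _, direct = fetch(url, None)
    _, from_search = fetch(url, SEARCH_REFERER)
    return {"direct": direct, "from_search": from_search,
            "cloaked": from_search is not None and direct != from_search}

if __name__ == "__main__":
    print(classify("http://example.invalid/", simulated_fetch))
```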

That first copy of the malware it installed, "packupdate_build8_195_2.exe", was only lightly detected. In a VirusTotal Report on this malware, only 8 out of 40 anti-virus products detected this software as malicious. Major products including ClamAV, F-Prot, Kaspersky, McAfee, Sophos, and Symantec did not report this software as malware.

We let the software run in the lab for a bit to see what computers it would connect to. Here's a partial list:

myfairland.com (91.207.192.24) - Sam Tam, UK
paymentsafety.net (94.102.63.61) - Ecatel, NL (nameserver = 64.86.16.19)
report.land-protection.com (91.207.192.24) - Sam Tam, UK
update1.winsystemupdates.com (188.124.7.156) - Vital Teknoloji, TR
report1.stat-mx.xorg.pl (109.196.132.41) - Vline, Ltd, Moscow
update2.winsystemupdates.com (93.186.124.92) - Vital Teknoloji, TR
secure1.safepayzone.xorg.pl (188.124.7.158) - Vital Teknoloji, TR
virtest.com (95.169.186.3) - Keyweb, RU - ICQ: 570352881 / virtest@gmail.com
invoiceerica.com (213.229.83.84) - ?? Bluesquare House, Berkshire, UK?
webpaybill.net (66.197.156.53) - NOC, Inc, Scranton, Pennsylvania
system-defender2010.com (91.212.226.199) - Artem Zhirkov, Russia
update1.savecompnow.com (188.124.7.158) - Vital Teknoloji, TR

"virtest.com" is a service similar to VirusTotal, only this one is clearly run to help criminals determine whether their malware is detected or not. VirusTotal, run by white hat security researchers in Spain, shares details of submitted viruses with all participating anti-virus companies. VirTest is almost the opposite. As our friends at Damballa pointed out recently, VirTest charges money to scan your submitted malware and pledges anonymity and that your submissions will NEVER be shared with anti-virus vendors. Our infected computer constantly checked VirTest to see whether it was detected or not. After a while, the malware replaced itself with some new code that we found running from the location:

C:\Documents and Settings\All Users\Application Data\ea73a34\CUea73.exe /s /i /uid=195 /ls=6

That copy of the malware was only detected by 5 of 39 anti-virus products, according to this VirusTotal Report.

After this software ran, we noticed changes in our HOSTS file. All Google sites, for many different country codes, as well as Bing and Yahoo! search pages were being redirected via the HOSTS file to point to 209.212.147.138. That's on the Coloquest network in Arlington Heights, Illinois.
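The HOSTS-file tampering just described is easy to spot once you know what to look for: any entry that maps a search-engine hostname to an address other than loopback. The parser below is an added example, not code from the original post; `SAMPLE_HOSTS` is a constructed file that mimics the redirection of Google, Bing and Yahoo! to 209.212.147.138 reported above.

```python
"""Flag HOSTS-file entries that point search-engine hostnames away from loopback.
Added example, not from the original post; SAMPLE_HOSTS is constructed."""
import ipaddress
from collections import Counter
from typing import List, Tuple

# Brands matched as a DNS label, so www.google.co.uk and search.yahoo.com both count.
SEARCH_BRANDS = {"google", "bing", "yahoo"}

# Constructed sample mimicking the tampering described in the post.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    intranet.local
209.212.147.138 www.google.com google.com
209.212.147.138 www.google.co.uk www.google.de
209.212.147.138 search.yahoo.com
209.212.147.138 www.bing.com
not-an-ip       www.google.fr
"""

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if not fields:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: skip the line
        for host in fields[1:]:
            pairs.append((fields[0], host.lower()))
    return pairs

def find_hijacked(text: str) -> List[Tuple[str, str]]:
    """Entries that send a search-engine hostname somewhere other than loopback."""
    hits = []
    for ip, host in parse_hosts(text):
        if SEARCH_BRANDS & set(host.split(".")) and not ipaddress.ip_address(ip).is_loopback:
            hits.append((ip, host))
    return hits

def sinkhole_addresses(text: str) -> Counter:
    """Count how many search-engine hostnames each address captures."""
    return Counter(ip for ip, _ in find_hijacked(text))
```

On a Windows machine the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; a single address collecting many search-engine names, as in the sample, is the pattern the post describes.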

Many of the domains our infected machine connected to share IP addresses with other domains, such as:

softdialogonline.com
windowspc-defender.com
online-systemscanner.com
system-updates.net

Several of those domains are registered to "Garritt Kooken" with the Netherlands email address gkook@checkjemail.nl, who strangely uses the Chinese telephone number +86.592257788 despite having a street address in India.

Mr. Kooken really likes to make fake AV product websites, and hosts many of them on Ecatel in the Netherlands, such as:


Looking at some "IP Neighbors" of the computers our infected lab machine connected to, we find more of the same on Ecatel of the Netherlands (AS29073), on Vital Teknoloji in Turkey (AS44565), and on Vline Ltd in Moscow (AS39150).


Unfortunately this is just a drop in the bucket. This bad guy has 1800 domain names registered under his name.

Our friend Dancho Danchev mentioned gkook in his series A Diverse Portfolio of Fake Security Software back in December.

A search at the excellent MalwareURL.com shows that this email address has been associated with this type of malware since at least October 9th, when "windows-pcdefender.com" was being reported.

Kimberly at Stop Malvertising did an excellent write-up showing this criminal poisoning searches for St Patrick's Day Celebrations.

She also reported back on December 1, 2009, that Tiger Woods SEO poisoning was leading to Fake AV products in this same group.
