Rogue:Win32/FakePAV reappeared about two weeks ago after a brief hiatus and since then we’ve been seeing variants with new names for themselves just about every day. The latest versions call themselves names like “Windows Threats Destroyer”, “Windows Firewall Constructor”, “Windows Attacks Preventor” and “Windows Basic Antivirus”. You can see some examples of these iterations below.
Each sample of FakePAV is distributed as a self-extracting RAR archive, which contains a second self-extracting RAR archive. This second, “inner” archive contains the rogue executable itself, but it is password-protected; simply trying to extract it without knowing the password doesn’t work. So how does the actual rogue get extracted and run? The first, “outer” RAR archive contains a script which tells the self-extractor what to do when the self-extractor runs. This script includes the command to execute the inner archive with a parameter that contains the password. Initially they were using scripts like this:
TempMode
Setup=temp.exe -e -p1329827306
Silent=1
Overwrite=1
Update=U
This script tells the RAR self-extractor to extract the file inside (“temp.exe” in this case) to the temporary folder and run it with the parameters “-e” (extract) and “-p1329827306” (use the password “1329827306”). The other lines of the script make sure that nothing is displayed while this happens and that any existing files are automatically replaced.
In the last few days they’ve started obfuscating these scripts, probably to make it harder for anti-malware scanners to detect them. Because RAR self-extractor scripts are stored as part of the archive comment, essentially anything that the self-extractor doesn’t recognize as an instruction is ignored, meaning pretty much any text can be added without changing the functionality. The creators of Win32/FakePAV have chosen to use excerpts from Shakespeare’s Romeo and Juliet. For example (with instructions highlighted in yellow):
Exeunt [all but Juliet and Nurse].
Jul. Come hither, nurse. What is yond gentleman?
Nurse. The son and heir of old Tiberio.
Jul. What’s he that now is going out of door?
Nurse. Marry, that, I think, be young Petruchio.
Jul. What’s he that follows there, that would not dance?
Nurse. I know not.
Jul. Go ask his name.- If he be married,
My grave is like to be my wedding bed.
Nurse. His name is Romeo, and a Montague,
The only son of your great enemy.
Jul. My only love, sprung from my only hate!
Too early seen unknown, and known too late!
Prodigious birth of love it is to me
That I must love a loathed enemy.
Nurse. What’s this? what’s this?
Jul. A rhyme I learnt even now
Of one I danc’d withal.
One calls within, ‘Juliet.’
Nurse. Anon, anon!
Come, let’s away; the strangers all are gone. Exeunt.
PROLOGUE
Enter Chorus.
Chor. Now old desire doth in his deathbed lie,
And young affection gapes to be his heir;
That fair for which love groan’d for and would die,
With tender Juliet match’d, is now not fair.
Overwrite=1
Now Romeo is belov’d, and loves again,
Alike bewitched by the charm of looks;
But to his foe suppos’d he must complain,
TempMode
And she steal love’s sweet bait from fearful hooks.
Being held a foe, he may not have access
To breathe such vows as lovers use to swear,
And she as much in love, her means much less
To meet her new beloved anywhere;
But passion lends them power, time means, to meet,
Temp’ring extremities with extreme sweet. Exit.
ACT II. Scene I. A lane by the wall of Capulet’s orchard.
Enter Romeo alone.
Rom. Can I go forward when my heart is here?
Turn back, dull earth, and find thy centre out.
[Climbs the wall and leaps down within it.]
Enter Benvolio with Mercutio.
Ben. Romeo! my cousin Romeo! Romeo!
Mer. He is wise,
And, on my life, hath stol’n him home to bed.
Ben. He ran this way, and leapt this orchard wall.
Call, good Mercutio.
Mer. Nay, I’ll conjure too.
Romeo! humours! madman! passion! lover!
Appear thou in the likeness of a sigh;
Speak but one rhyme, and I am satisfied!
Update=U
Cry but ‘Ay me!’ pronounce but ‘love’ and ‘dove’;
Speak to my gossip Venus one fair word,
One nickname for her purblind son and heir,
Young Adam Cupid, he that shot so trim
When King Cophetua lov’d the beggar maid!
He heareth not, he stirreth not, be moveth not;
The ape is dead, and I must conjure him.
I conjure thee by Rosaline’s bright eyes.
Setup=ww66viiszer85c7.exe -e -pz339dwh29n368u5
By her high forehead and her scarlet lip,
By her fine foot, straight leg, and quivering thigh,
And the demesnes that there adjacent lie,
That in thy likeness thou appear to us!
Ben. An if he hear thee, thou wilt anger him.
Mer. This cannot anger him. ‘Twould anger him
To raise a spirit in his mistress’ circle
Of some strange nature, letting it there stand
Till she had laid it and conjur’d it down.
That were some spite; my invocation
Is fair and honest: in his mistress’ name,
I conjure only but to raise up him.
Ben. Come, he hath hid himself among these trees
To be consorted with the humorous night.
Blind is his love and best befits the dark.
Mer. If love be blind, love cannot hit the mark.
Now will he sit under a medlar tree
And wish his mistress were that kind of fruit
As maids call medlars when they laugh alone.
O, Romeo, that she were, O that she were
An open et cetera, thou a pop’rin pear!
Romeo, good night. I’ll to my truckle-bed;
This field-bed is too cold for me to sleep.
Come, shall we go?
Ben. Go then, for ’tis in vain
‘To seek him here that means not to be found.
Exeunt.
Scene II. Capulet’s orchard.
Enter Romeo.
Rom. He jests at scars that never felt a wound.
Silent=1
Enter Juliet above at a window.
But soft! What light through yonder window breaks?
It is the East, and Juliet is the sun!
Arise, fair sun, and kill the envious moon,
Who is already sick and pale with grief
That thou her maid art far more fair than she.
Be not her maid, since she is envious.
Her vestal livery is but sick and green,
And none but fools do wear it. Cast it off.
It is my lady; O, it is my love!
O that she knew she were!
She speaks, yet she says nothing. What of that?
Her eye discourses; I will answer it.
The text used varies from sample to sample, as do the positions where the actual commands for the self-extractor are inserted. Here is an example from the inner archive, which extracts and runs the rogue itself (“filesystemscan.exe”):
By any other name would smell as sweet.
So Romeo would, were he not Romeo call’d,
Retain that dear perfection which he owes
Without that title. Romeo, doff thy name;
And for that name, which is no part of thee,
Take all myself.
Rom. I take thee at thy word.
Call me but love, and I’ll be new baptiz’d;
Henceforth I never will be Romeo.
Jul. What man art thou that, thus bescreen’d in night,
So stumblest on my counsel?
Rom. By a name
I know not how to tell thee who I am.
My name, dear saint, is hateful to myself,
Because it is an enemy to thee.
Had I it written, I would tear the word.
Jul. My ears have yet not drunk a hundred words
Of that tongue’s utterance, yet I know the sound.
Art thou not Romeo, and a Montague?
Rom. Neither, fair saint, if either thee dislike.
Jul. How cam’st thou hither, tell me, and wherefore?
The orchard walls are high and hard to climb,
And the place death, considering who thou art,
If any of my kinsmen find thee here.
Rom. With love’s light wings did I o’erperch these walls;
For stony limits cannot hold love out,
And what love can do, that dares love attempt.
Therefore thy kinsmen are no let to me.
Jul. If they do see thee, they will murther thee.
Rom. Alack, there lies more peril in thine eye
Than twenty of their swords! Look thou but sweet,
And I am proof against their enmity.
Jul. I would not for the world they saw thee here.
Rom. I have night’s cloak to hide me from their sight;
And but thou love me, let them find me here.
My life were better ended by their hate
Setup=filesystemscan.exe
Than death prorogued, wanting of thy love.
TempMode
Jul. By whose direction found’st thou out this place?
Rom. By love, that first did prompt me to enquire.
He lent me counsel, and I lent him eyes.
I am no pilot; yet, wert thou as far
As that vast shore wash’d with the farthest sea,
I would adventure for such merchandise.
Jul. Thou knowest the mask of night is on my face;
Else would a maiden blush bepaint my cheek
For that which thou hast heard me speak to-night.
Fain would I dwell on form- fain, fain deny
What I have spoke; but farewell compliment!
Dost thou love me, I know thou wilt say ‘Ay’;
And I will take thy word. Yet, if thou swear’st,
Thou mayst prove false. At lovers’ perjuries,
They say Jove laughs. O gentle Romeo,
If thou dost love, pronounce it faithfully.
Or if thou thinkest I am too quickly won,
I’ll frown, and be perverse, and say thee nay,
Update=U
So thou wilt woo; but else, not for the world.
In truth, fair Montague, I am too fond,
And therefore thou mayst think my haviour light;
Silent=1
But trust me, gentleman, I’ll prove more true
Than those that have more cunning to be strange.
I should have been more strange, I must confess,
But that thou overheard’st, ere I was ware,
My true-love passion. Therefore pardon me,
And not impute this yielding to light love,
Which the dark night hath so discovered.
Rom. Lady, by yonder blessed moon I swear,
That tips with silver all these fruit-tree tops-
Jul. O, swear not by the moon, th’ inconstant moon,
Overwrite=1
That monthly changes in her circled orb,
Lest that thy love prove likewise variable.
Rom. What shall I swear by?
Jul. Do not swear at all;
Or if thou wilt, swear by thy gracious self,
Which is the god of my idolatry,
And I’ll believe thee.
Rom. If my heart’s dear love-
Jul. Well, do not swear. Although I joy in thee,
I have no joy of this contract to-night.
It is too rash, too unadvis’d, too sudden;
Too like the lightning, which doth cease to be
Ere one can say ‘It lightens.’ Sweet, good night!
This bud of love, by summer’s ripening breath,
May prove a beauteous flow’r when next we meet.
Good night, good night! As sweet repose and rest
Come to thy heart as that within my breast!
Rom. O, wilt thou leave me so unsatisfied?
Jul. What satisfaction canst thou have to-night?
Rom. Th’ exchange of thy love’s faithful vow for mine.
Jul. I gave thee mine before thou didst request it;
And yet I would it were to give again.
Rom. Would’st thou withdraw it? For what purpose, love?
Jul. But to be frank and give it thee again.
And yet I wish but for the thing I have.
My bounty is as boundless as the sea,
My love as deep; the more I give to thee,
The more I have, for both are infinite.
I hear some noise within. Dear love, adieu!
[Nurse] calls within.
Anon, good nurse! Sweet Montague, be true.
Stay but a little, I will come again. [Exit.]
Rom. O blessed, blessed night! I am afeard,
Being in night, all this is but a dream,
Too flattering-sweet to be substantial.
Enter Juliet above.
Jul. Three words, dear Romeo, and good night indeed.
If that thy bent of love be honourable,
Thy purpose marriage, send me word to-morrow,
By one that I’ll procure to come to thee,
Where and what time thou wilt perform the rite;
And all my fortunes at thy foot I’ll lay
And follow thee my lord throughout the world.
Nurse. (within) Madam!
Jul. I come, anon.- But if thou meanest not well,
I do beseech thee-
Nurse. (within) Madam!
Jul. By-and-by I come.-
To cease thy suit and leave me to my grief.
To-morrow will I send.
These kind of tactics are aimed at making it difficult for anti-malware scanners to look inside the malware’s distribution package, and they highlight the need for real-time malware protection. For the malware to work, the malicious executable has to be written to disk at which point real-time protection can not only detect it but stop it from being executed.
Example SHA1: 5ff1f908274a4f27bbcbadc2dbd5c064ad2bf7a4
Hamish O’Dea
MMPC Melbourne
Leave a reply
