The FakeAV business has declined over the last few months. Thanks to federal law enforcement action against the FakeAV industry and improvements by the major search engines to counter blackhat SEO poisoning, fewer FakeAV infections were reported in the last five months. Despite those measures, FakeAV remains a serious threat to everyone who surfs the Internet. This is underlined by the FakeAV online scanner scams that the G Data SecurityLabs have recently detected, which once again deceived many users.
Seen individually, these scams are not a new kind of scanner scam, but when several campaigns are examined side by side, some interesting details about the evolution of scanner scams come to light.
During the last three weeks we observed FakeAV online scanner scams that try to lure users into installing malware when they open specially prepared websites that impersonate a virus scanner. The websites themselves contain no malicious code, but their purpose definitely is malicious. Over that period we downloaded various scanner pages and examined their code in detail.
Basically, most of these popular scanner pages try to simulate the layout of Microsoft Windows Explorer and present a bogus malware scan to trick users into installing fake antivirus software. Although their behaviour has been described numerous times, they are obviously still very popular with criminals because of their social engineering approach: the user's fear that his or her system is infected is still enough to make users install the rogue software that seemingly offers help.
The scanners we discovered imitated the layout of Windows XP and Windows 7. The procedure when a user opens the scanner website is always the same; only the websites' layouts differ. However, a user does not normally visit those websites on purpose. Most of the time, the user reaches them through a chain of redirections, triggered by clicking a harmless link on a website the user originally visited. Those harmless websites are sometimes compromised and their existing links edited so that the user is redirected to the scam site. The redirection is invisible to the user, and the reputation of the originally visited website is abused to make the scam appear credible. The following section provides an overview of the examined types of scanner pages.
Step 1: Bogus warning
These warnings differ only in wording and web layout, depending on the browser used.
Step 2: Fake system scan
The examined code indicates that all scanner pages were probably initially written by a small group of people, or even a single person, because many of the code fragments used were practically identical. The Cascading Style Sheets used to recreate the Windows Explorer look also had a consistent structure; even the names of the CSS items were almost the same in each scanner version.
The pictures embedded via the CSS are also worth a comment. While the pictures in some XP-style versions have meaningful names such as "hdd" or "progressbar", in some later versions of the Windows 7-style scanners those pictures have random names, and it can be assumed that they were renamed by an automated mechanism to evade detection.
When it comes to dynamically adjusting the site's layout, the discovered sites generally do not take the trouble to check the User-Agent and set the layout according to the visitor's operating system.
Since when do we have a Microsoft Windows layout under Linux?
It can be assumed that the criminals do not bother because the vast majority of users run a Microsoft Windows operating system anyway. The only adjustment we found was a single server that hosted both Windows layouts and checked the User-Agent to load the matching one (Windows XP or Windows 7).
The obfuscation techniques we observed are used to hamper manual code inspection by a security analyst as well as automated inspection by a tool. The fact that some pages use obfuscation while others do not supports the assumption that these pages were created by a small group of people who sold their code to other criminals, who subsequently added obfuscation to raise the bar for analysts. When we deobfuscated the different scripts, they were basically identical to the ones we had found in plain text.
Step 3: Fake scan results and bogus software
The discovered fake scanner pages were exclusively hosted on short-lived free hosting domains, with an average lifetime of one day. One of the scanner pages was only accessible with Microsoft Internet Explorer; if it is visited with Firefox, the user is redirected to websites with adult content.
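Two of the observations above, the server that picks the Windows XP or Windows 7 skin from the User-Agent and the page that only shows itself to Internet Explorer, are the same mechanism seen from two sides: the scam server branches on the User-Agent, so a single fetch never shows an analyst the whole picture. The following is an added example, not code from the G Data post or recovered from any scam page. It models that branching in a hypothetical `chooseResponse` function and shows the analyst-side check that catches it: fetch the URL once per browser profile and flag divergent responses. The User-Agent strings are constructed, `fetchFn` stands in for a real HTTP fetch, and the redirect target is a placeholder in the reserved `.invalid` TLD.

```javascript
// Added example: models the User-Agent branching described in the post and a
// multi-profile probe that detects it. Nothing here is real scam code.

// Hypothetical model of the scam server's decision (an assumption, not
// recovered code): IE-only gate, then XP or Windows 7 skin by Windows version.
function chooseResponse(userAgent) {
  const ua = String(userAgent || "");
  // IE-only gate: any other browser is bounced to an unrelated site.
  if (!/MSIE \d+/.test(ua)) {
    return { kind: "redirect", target: "http://unrelated-site.invalid/" };
  }
  // Pick the skin from the NT version token: XP is "NT 5.1", Windows 7 is "NT 6.1".
  if (/Windows NT 5\.1/.test(ua)) return { kind: "scanner", layout: "xp" };
  if (/Windows NT 6\.1/.test(ua)) return { kind: "scanner", layout: "win7" };
  // Anything else still gets a Windows skin, matching the "Windows layout
  // under Linux" observation in the post.
  return { kind: "scanner", layout: "win7" };
}

// Constructed probe set: one fetch per entry. A site that does not cloak
// returns the same kind of content to every profile.
const PROBE_AGENTS = {
  ie8_xp: "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
  ie9_win7: "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
  firefox_win7: "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0",
  firefox_linux: "Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0",
};

// Analyst side: fetchFn(ua) represents an HTTP fetch of the suspect URL with
// that User-Agent header. Responses are compared structurally; more than one
// distinct response across the profiles is the cloaking signal.
function detectCloaking(fetchFn, agents) {
  const responses = {};
  const distinct = new Set();
  for (const [name, ua] of Object.entries(agents)) {
    const r = fetchFn(ua);
    responses[name] = r;
    distinct.add(JSON.stringify(r));
  }
  return { cloaked: distinct.size > 1, variants: distinct.size, responses };
}

// Usage: probe the modelled scam server with every profile.
console.log(JSON.stringify(detectCloaking(chooseResponse, PROBE_AGENTS), null, 2));
```

In practice `fetchFn` would perform the request and reduce the response to a comparable shape (final URL after redirects, status, a hash of the body), and the probe set would also include a profile with no User-Agent at all, since some cloaking scripts treat an empty header as a crawler. Running the probe from the same egress IP twice in quick succession is itself a signal to the server, so spread the profiles across time or exit nodes when checking a live page.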
Step 4: Attempted Infection
How to avoid the download?
How to protect yourself from FakeAV in general
- Use a genuine and comprehensive AV product with current virus signatures, an HTTP filter etc. to really protect your PC and all your digital data.
- If you download software from the Internet, download it only from the vendor's own website or from download sites with a good reputation.
- If a website shows you a download dialogue, check whether this actually is a file you intended to download. Such automatic pop-ups can also deliver fake software.
- Always keep the operating system and browser up to date and install updates regularly.
- Do not click hyperlinks thoughtlessly.
- Check the language and spelling of the pop-ups and warnings displayed. Many mistakes or odd phrasing hint at a scam.
- Furthermore, a genuine Windows system tray pop-up is displayed in your system language: if you are using a non-English Windows system, real messages will appear in that language.