One of the (few) blessings of having been so long in this industry is that I remember a time when most malware was viral and Trojans were rare: so rare, in fact, that there was at one time a notorious "dirty dozen" set of Trojans.
At around the same time, there were innumerable hoaxes describing malware with some improbable payload. (They still exist, but we see much less of them.) Malware referenced in these hoaxes were generally described as viruses, or occasionally as Trojan viruses (not quite a contradiction in terms, but still confusing), but hardly ever as a Trojan. In fact, most of the malware described, if it could have existed at all, was alleged to arrive through email, and had no obvious self-replicative properties at all. Which, if you'll excuse a little definitional geekiness, would mean that it would, in fact, be better described as a Trojan.
Furthermore, most of those improbable payloads involved destruction, from the one that was supposed to eat the magnetic coating on your disk platters (Death69), to the ones like "A Virtual Card for you" that (slightly more believably) in some way "destroy" sector zero of your hard disk (well, you can render a hard disk unreadable by overwriting sectors..), to one called Death Ray. That was was supposed to lead to "dangerous short circuits and power surges. The end result? Explosions – powerful explosions."
Things have changed…
Nowadays, self-replicating malware is a small subset of the grand totality of known malware. And most Trojans aren't like the "arf-arf" data diddlers and destroyers of yore (or the mythical destroyers of hardware), but intended to steal data. Or, rather than being intended to render a system useless to its owner, they're intended to make it useful to some remote botmaster, for all the jobs that botnets can be used for (distributing spam, DDoS attacks, and so on).
However, there's one aspect of criminal activity where the exploitation of the victim's fear of the destruction of his systems and data is still very much to the fore, because it can be used as a source of profit. Generically, we call it extortion. Who wouldn't pay to avoid having their data deleted, or their eCommerce web site brought down by a DDoS attack, or to have furtively encrypted documents decrypted?
There are many ways of achieving this kind of attack, and some of them have been exploited by the same gangs who are best known for their fake AV systems. There have been many useless utilities that claim to do registry cleaning, system diagnostics, defragmentation, and so on, but actually do nothing but relieve you of some of your money.
Some are more aggressive. One type of fake utility attack, for example, encrypts your documents, then tells you that they are corrupted, and that you need to use a "utility" to repair them – at a price. All it does, of course, is restore them to their unencrypted form. In another variation a Trojan family that tells you that all your files have mysteriously vanished. (The
Some malware of the time was as wantonly malicious as those hoax viruses, though the effects may be less dramatic. For instance, variants of Dark Avenger (an MS-DOS file infector) corrupted hard disks by writing garbage or pointless messages to random sectors.
Nowadays, though, criminals executing this sort of scam don't really want to mangle your data. Not because they're basically nice people, but because there's no profit in it. (In fact, even back in the 90s there was malware that passworded Microsoft Office documents and tried to charge you for the password.) A threat family described by Eoin Ward and referenced by MSNBC conceals user files by moving them to a temporary location and makes other system changes to make it practically impossible for the average user to repair the damage himself. In the meantime, it's putting up messages to make him think his hard disk is failing. And then it offers a "recovery utility" that will repair the damage. (Note, however, that this isn't the first malware to attract the "FakeFrag" label.)
Fortunately, it's easier for a malicious web site to pop up a deceptive message inviting you to click on something that will install malware, than it is for a web site to execute the installation itself. (Though that happens too.)
So you can reduce the risk to your own system and data from crimeware like this in several ways:
- Be aware of the risk of following poisoned search engine links (Black Hat Search Engine Optimization) to malicious sites: trending topics usually attract BHSEO and fake AV, so think about which links you follow. Dependable news sites like MSNBC or the BBC obviously pose less of a risk than obscure sites with names that look tailored to the trend.
- Be aware that fake AV is evolving in many ways: not only in the type of "utility" offered but in the types of social engineering used and even the targeted platform.
- Beware of any unsolicited popup warning that doesn't come from something you know you installed yourself.
- Use a reputable AV product: AV may not detect every fake utility out there straightaway, but it certainly reduces the likelihood of your falling for such scams.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
Leave a reply