
Not Even Security Managers Immune to FakeAV Infection


nsane.forums


nsane.forums

Can you believe it? As I sat down this morning to write this column, I got hit by a drive-by download of FakeAV. My computer is infected with pop-up warnings and file scans telling me I have security problems, and Internet Explorer has been hijacked to keep sending me to a website where I can "purchase the software." Pop-ups are coming from my taskbar, showing up in the middle of the screen, and rifling through my files with a fake scan. My computer is being held for ransom.

How did this happen? And what am I going to do about it? I mean really, as a security manager you'd think I would be immune to this kind of problem. My antivirus software is up to date and actively scanning, and my system is fully patched. That's more than most people are doing. Fortunately, I also have current backups (more on that in a minute).

I wrote that a week ago. As it turned out, I had to do a lot more work to get rid of this infection than I anticipated.

I started with some research on what FakeAV is all about. I've been hearing a lot about it through word-of-mouth, and now I'm getting firsthand experience. According to Sophos, FakeAV is a rapidly growing threat on the Internet, mainly because it's profitable to the people who wrote and distributed it. Evidently, a lot of people are being tricked into sending money to these criminals to get back control of their computers. I hate to think how many people are being fooled by this malware into thinking it's a legitimate security scan. It would be a lot easier to just send them the money to get back control of my system. But I'm not going to let these guys win.

This is clearly a very advanced program. It looks exactly like the real Windows Security Center. It appears to be professionally programmed, with none of the crashes or bugs prevalent among more pedestrian malware.

Sophos says there are so many variants being released constantly that it can be difficult to detect using traditional signature-based antivirus, which is what I have. Even with the latest updates, the newest variants can get through. Some variants are also employing polymorphic code, which changes itself so frequently that the MD5 hashes used by antivirus programs cannot be effective. Well, that explains how I got it despite having a good, up-to-date antivirus product.

Earlier versions of FakeAV required the user to say "Yes" to something, such as a fake video codec installation to play a video or a fake Flash player update. Some even use the old-fashioned, tried-and-true technique of attaching the installer to a spam email notifying users of a password reset, package delivery or IRS refund, which I see a lot of at the office. But none of these is how I got infected. I was searching on Google. Search terms are being "poisoned" on Google. When an unsuspecting victim clicks on what seems to be a legitimate page, he is brought instead to a compromised website where the malware is lurking in an image or JavaScript code. When I'm searching on Google, I use CTRL-click to open interesting results in a new tab in Internet Explorer Version 8 (fully patched). Last week, when I did this, one of the pages I opened must have contained the JavaScript or image version. It opened in a new tab, where I left it for later viewing, and it infected my system. Pop-ups appeared, all my browser sessions closed, and my antivirus programs were disabled. This is what's known as a "drive-by download."

Now that I know what I'm up against, I tried running three different antivirus and malware-cleanup utilities I already have on my system. None of them worked. In fact, they wouldn't even start. I then tried killing the malicious process, but I couldn't find it (it's well hidden). I did find an entry in the system registry to run the malware installer on reboot, but when I deleted that, it was back after the next reboot. Next, I tried to boot into safe mode, and that's when my computer went completely dead. It wouldn't boot at all. Even booting from the operating system CD didn't work.

As it turns out, this malware went really deep. Not only did it infect Windows, but it also inserted itself into Safe Mode. Usually, we can boot into Safe Mode to run a virus scan, but not this time. In fact, I discovered that the malware actually got into my system BIOS. That's right, it went so deep it actually got into my hardware. Even a BIOS upgrade didn't get rid of it.

In the end, I had to disconnect my CMOS battery for a day to clear the BIOS, completely reinstall Windows and restore from backup. Unfortunately, during my initial restore attempts, the system crashed in the middle of the restore process, which corrupted my backups. I lost my two most recent backups that way, so now I'm running on a six-month-old version. So there was collateral damage.

I'm not the only one with this problem. A few days after I got infected, my kids' computer also got hit with a variant called "XP Security Center." And the same day my infection happened, my company's desktop services manager got a version called "Windows Defender" on his work computer.

I hope you take this as a warning. Nobody is safe anymore from malware, now that it's being professionally and competently developed. Make sure your backups are current, and spread the word to unsuspecting users that any unexpected "Security Scans" require immediate response.

View: Original Article

Ambrocious

I worked on a friend's computer a while back, and here is an image of the fake antivirus software that installed on his computer:

[screenshot of the fake antivirus program, image not included]

This isn't a screenshot from his computer, but it is the same infection.

This son of a biatch was harder than hell to get rid of! The first thing I did was use HijackThis! and delete its startup entry, but this did not stop it. I figured it spoofed the actual Windows XP Security Center, but later I found out something fascinating: my friend had Microsoft Security Essentials, which the virus easily got around, and it integrated itself into the Security Center itself! So when I started it in safe mode, it was still there, because it tricked the computer into thinking that it was a crucial system file, which allowed it to run even in safe mode! Here is the list of everything I used to get rid of the SOB:

MalwareBytes Antimalware

Avast! Antivirus

SUPERAntiSpyware

The Cleaner

HijackThis!

HitMan Pro

Unlocker

The fake antivirus inserted a piece of code into the Security Center that told the Security Center to start up EVERY TIME the computer restarted, safe mode or not. This triggered the secondary code, which allowed the malware to run even in safe mode, passing as if it was part of the crucial OS. A file known as ghq.exe was the culprit to blame in this case. I used Unlocker to delete ghq.exe, though I had to enable viewing of supposedly important hidden Windows files just to see it. Anyone dealing with a fake AV usually trusts the likes of mainstream AVs. I use Avast! Free (yes, it's mainstream, but I haven't had any major problems so far), and for a free antivirus, it does a damned good job.

P.S. Please consider adding "The Cleaner" to nsanedown's security section; it's the one that actually helped to really squash this bug, however it wasn't the only one needed to get the job done. It took MANY restarts and many attempts to kill it completely, but I finally got it killed. No clue if it worked its way into the BIOS, but if it did... it hasn't re-emerged yet. Let's hope it's gone.


  • Administrator

Wonder if Microsoft Malicious Software Removal Tool can remove FakeAV. :think:



I think it's programmed to remove specific infections, so yeah, if Microsoft considers one of these fake AVs virulent enough, it might be included in their periodical Removal Tool.



Ambrocious

What's really weird about this fake AV is that I haven't seen this one a whole lot, considering (from what I can tell) it first emerged sometime in 2005 and since then has been getting "smarter" with its polymorphism.

[image not included]


karachidude

bloody hell :fear:

I discovered that the malware actually got into my system BIOS. That's right, it went so deep it actually got into my hardware. Even a BIOS upgrade didn't get rid of it.

but seriously, can anyone believe this :mellow:


I discovered that the malware actually got into my system BIOS. That's right, it went so deep it actually got into my hardware. Even a BIOS upgrade didn't get rid of it.

but seriously, can anyone believe this :mellow:

Ahhhah I didn't read this entirely... oh boy, that's mighty stupid.



Ambrocious

Is it possible for the BIOS to be affected? No signs of infection have crept back onto my friend's computer, so I'm thinking that if that were true, it would have resurfaced by now.


  • Administrator

Yea, the writer of the article seems nuts or misinformed by saying that it affects the BIOS. Though there have been instances where a virus or similar malware had touched the BIOS, I doubt that it can do anything with the BIOS these days.

Also note, guys, a reference link to an article on Wikipedia states that this FakeAV spreads from filesharing sites. It can be a trick to keep people away from filesharing, and I don't think anyone needs to worry about safe sources, but make sure you stay away from downloading anything that seems suspicious.


Can you believe it? As I sat down this morning to write this column, I got hit by a drive-by download of FakeAV.

... Whole article quoted ...

I hope you take this as a warning. Nobody is safe anymore from malware, now that it's being professionally and competently developed. Make sure your backups are current, and spread the word to unsuspecting users that any unexpected "Security Scans" require immediate response.

View: Original Article

Hello, I advise you, if you know what you are doing, to scan the system with Comodo Cleaning Essentials (there is a nice tutorial); it is created for that kind of trouble.

It's portable, it updates automatically, and I think by now that "FakeAV" is in Comodo's database, so...

Other than that, try MBAM/SAS/Hitman Pro and Emsisoft Emergency Kit!

(disable System Restore, CHECK that the MBR record is clean....)

By the way, I noticed Zemana (for the first time) blocked some threat unknown to me when I was watching/streaming some movies...


6enii, this is a news article, The NewsMan is a bot :)

If you want to advise the original author, track it down by following the "Original article" link.



Frankly, not buying it. The BIOS should have been passworded. As for those fake scan pop-ups: close them, then, just in case, scan. Never been affected like this writer wrote. You do get them from using Google on some searches. Any time there's breaking news on something or somebody, you have to be careful. Fine example: looking for bin Laden photos the first week.


Oh... didn't notice, never mind.

Well, I just wanted to share my experience, because on my old machine I tested some security/removal tools/suites (over 100 zero-day threats and a lot of nasty viruses) and I was surprised with CCE: it actually removed most of the malware/spyware. The others I mentioned did a good job, but... CCE was perfect... So, combining all of them, I managed to install KIS (Kaspersky might not be 1st in malware detection, but in malware removal it is No. 1) and gain control over my system!

:D


  • Administrator

Something struck me about the BIOS. I dunno how modern-day BIOS security works, but my Asus BIOS has an option to allow only Asus software, or also third-party software, to update the BIOS. And as you know, BIOS flashing can be done via Windows. It can be that FakeAV did flash the BIOS by modifying it; again, seems unlikely, but not impossible.

A couple of seeming security experts did note that new variants are powerful enough to touch safe mode and the BIOS; this wasn't the case when it was out in the wild 5-6 years ago.


Something struck me about the BIOS. I dunno how modern-day BIOS security works, but my Asus BIOS has an option to allow only Asus software, or also third-party software, to update the BIOS. And as you know, BIOS flashing can be done via Windows. It can be that FakeAV did flash the BIOS by modifying it; again, seems unlikely, but not impossible.

A couple of seeming security experts did note that new variants are powerful enough to touch safe mode and the BIOS; this wasn't the case when it was out in the wild 5-6 years ago.

If you are interested, then this link might be useful:

http://www.coresecurity.com/files/attachments/Persistent_BIOS_Infection_CanSecWest09.pdf


  • Administrator

If you are interested, then this link might be useful:

http://www.coresecurity.com/files/attachments/Persistent_BIOS_Infection_CanSecWest09.pdf

Thanks. Means it is possible. :)



If you don't activate virus protection in the BIOS, and if you leave the jumper that allows writing the BIOS on the mobo, another virus could obtain admin control and then dump the BIOS, rewrite a part of it, compensate and reflash. I'm still sceptical of it occurring in the wild, although you could code something for testing purposes, as in laboratory work.


I remember helping a couple of people on dA earlier this year who were hit by ransomware... Their infection took the MFT or the MBR (I think it was the MBR) and wrote in the message that they saw on boot, which basically stated 'Your system is infected, go to this site.. http... to pay for help or w/e..', after which point they were given a passcode... The passcode would 'ideally' unlock the system.. It did not always work, however.. and I think the guys at Kaspersky were the first ones to crack it.. One of these people was in Germany, where two computer techs had taken her for a ride.. by stating her files were lost.. This had happened to her twice.. and the last time was her husband's system..

Now, the infection itself stated that all of the files had been encrypted and could not be accessed... The infection itself had hit three different stages... The first two could be undone with a passcode.. the third had not at that point.. The truth about the infection itself was that nothing had been encrypted.. at all.. What it actually did was write information to the MFT or MBR, and once the message and accompanying parts were removed from the drive files or replaced/restored.. the system would run again as it should...

I would have to look back at the details.. but very scary moments for some people.. and complete crap.. I am glad I have not run into being infected by it.. I have been hit with drive-by Java downloads before, but ESS grabbed it.... and that was by going from here to Download.Hr and clicking a link which took me to the download page for software, where I was hit by the package.. which was some time ago... I did, however, send the address of the file.. a nice little 'personal' message.. of sorts..

I wasn't happy that morning...


  • Administrator

Never did it myself, but how much time should it take to actually encrypt all the files on a HDD?



Never did it myself, but how much time should it take to actually encrypt all the files on a HDD?

Depends on content/size/CPU type/speed obviously, but it can last from a few hours to a day or more. However, it also impacts the performance of disk operations. I understand that if you have an AES-enabled CPU, everything becomes much more accessible and speedy.


Well, to actually encrypt files on a system or your entire HD takes quite some time.. and CPU resources.. For instance, to wrap my system in military-grade encryption and create a backup boot disc for the prompt (JIC).. around 2-4 hours on a good system.. (I forget sometimes that systems sometimes come with 500 GB file systems and half of you have them full of large files... LOL.. I have a small 60 GB HD which stays less than half full, no media on the drive, so basically just programs and OS with some stuff that has been customized..) ..using PGP Desktop.. and I know that one works..... LOL.. But yeah, you would definitely know if your files were being encrypted.. and if in the background, even longer, much longer..

Not sure about BitLocker or TrueCrypt.. individual files are quite speedy.. but not sure about the same type of thing that I am talking about.. PGP even encrypts the empty area of the HD..

This infection however shows no signs of anything.. and happens after one to two reboots... the files can actually still be accessed by using a boot disc.. and some of the programs you can find on Hiren's.. so definitely no encryption.. but is stated as such...

EDIT: .. and yes what toyo said..



In fact, I discovered that the malware actually got into my system BIOS. That's right, it went so deep it actually got into my hardware. Even a BIOS upgrade didn't get rid of it. In the end, I had to disconnect my CMOS battery for a day to clear the BIOS, completely reinstall Windows and restore from backup.

I'm a bit skeptical here. Correct me if I'm wrong, but shouldn't the BIOS update have erased the old firmware first and replaced it with the new one? And he said this did not work? And disconnecting the CMOS battery cleared the BIOS? Despite the fact that taking out the CMOS battery is not even enough to remove a forgotten BIOS password? :unsure:


Ambrocious

Frankly, not buying it. The BIOS should have been passworded. As for those fake scan pop-ups: close them, then, just in case, scan. Never been affected like this writer wrote. You do get them from using Google on some searches. Any time there's breaking news on something or somebody, you have to be careful. Fine example: looking for bin Laden photos the first week.

Not sure if you're aware that sometimes upon closing a fake AV, it opens a new window. The best idea is to move it to the side continuously. Many times a virus will tell you that the security program that you are using is infected (or has encountered an error) and to those not understanding, they will follow the suggested advice and close it down; move any such notices to the side of the screen and continue all scans.

Once I was searching Google, and on the search page itself, without even clicking a page, my Avast warned me of a specific link as if it was trying to infect my PC. I did not click any links; I was simply on the search result page. I can tell you from experience that it CAN happen, but that is the ONLY time it has happened to me.


Archived

This topic is now archived and is closed to further replies.
