Fake-AV Malware infections

Hi Everyone,

I thought I would write about some Fake-AV infections we have suffered over the last few days, and how I dealt with it in case it is of use to others on the forum.  I also wondered if anyone else was also being affected by these.

Each of the computers was found to be infected with a Fake-AV called XP AntiSpyware 2011.  At this point, Sophos had not issued any alerts.  We retrieved the computers for analysis and found that we could no longer run applications, and received a dialog to "choose which application you wish to use".  As we had a number of other emergencies to deal with, we shut down the computers and left them.

The following day, 5th April, starting up the computers, we found Sophos was absent from the system tray and checking via the Enterprise Console, we found that Sophos had issued two alerts on each computer:

Mal/FakeAV-IS                 D:\Documents and Settings\All Users\Application Data\fPf05200mHhAi05200\fPf05200mHhAi05200.exe Blocked

Troj/FakeAV-DDN               D:\Documents and Settings\auser\Local Settings\Application Data\mvc.exe                 Blocked

We cleaned the infection using Sophos via the Enterprise Console, but after a reboot, the infection appeared to have gone but I was still unable to run any applications, so I decided a manual cleanup might help.  In order to run regedit, we needed to Start -> Run -> cmd.exe.  At this point, a dialog appeared asking which application is required to run this, so I navigated to C:\Windows\System32\cmd.exe and this finally allowed the Command Prompt to run.

The registry had the following changes to prevent applications from properly running:

[HKEY_CURRENT_USER\Software\Classes\exefile]
@="Application"
"Content Type"="application/x-msdownload"

[HKEY_CURRENT_USER\Software\Classes\exefile\DefaultIcon]
@="%1"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell]

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open]

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"D:\\Documents and Settings\\auser\\Local Settings\\Application Data\\cfx.exe\" -a \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas]

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

I deleted the entire key.  After this was done, I was able to run Malwarebytes Anti-Malware which proceeded to remove other elements of the malware, as well as other modified registry entries.

Is there any way Sophos can be improved such that it will prevent these sorts of infections?  Time and again, I tend to see Sophos being defenseless against these Fake-AV attacks, and often seems to completely lose the fight and become crippled by the Fake-AV.  We are using Tamper Protection, which I had hoped might help with this, but apparently not.

I am also puzzled by how these infections are taking place.  I have examined the firewall logs around the time of these infections and the sites visited appear to be non-malicious, often adverts within access to sites such as Facebook and Flickr, and then I see malicious sites being accessed.  The users do not report having visited sites that are risky, and this is borne out by the firewall logs.

Thoughts on all this would be most welcome, as I am very keen to try and stop these infections from occurring in the first place, rather than having to rely upon Sophos to protect the computer, which is the last line of defence.  I use a Checkpoint firewall on the perimeter, with IPS and Anti-Virus activated, and I have an ISA 2006 firewall between DMZ and internal network, but all these appear ineffective in stopping these infections.

Best Regards,
Steve

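The registry export above shows the mechanism: a per-user HKCU\Software\Classes\exefile class shadows the machine-wide definition, so every EXE launch is routed through the malware's cfx.exe with the real program as an argument. The script below is an added example, not code from the original post or from Sophos, that audits the open and runas verbs of exefile in both HKCU and HKLM against the stock command '"%1" %*', reports anything else, and with -Repair exports and deletes the HKCU override (the same manual fix described above). The function name Test-ExefileHijack and the backup path under $env:TEMP are my own choices; it assumes it is run under the affected user's account.

```powershell
# Added example (not from the original post or from Sophos): audit and
# optionally repair the per-user 'exefile' class hijack described above.
# Assumes it runs under the affected user's account.
param([switch]$Repair)

$Expected   = '"%1" %*'                        # stock command for exefile verbs
$UserKey    = 'HKCU:\Software\Classes\exefile' # per-user override; shadows HKLM
$MachineKey = 'HKLM:\Software\Classes\exefile' # machine-wide definition

function Get-VerbCommand {
    param([string]$ClassKey, [string]$Verb)
    $cmdKey = "$ClassKey\shell\$Verb\command"
    if (-not (Test-Path -LiteralPath $cmdKey)) { return $null }
    # The unnamed '(default)' value is what Explorer executes for the verb
    return (Get-Item -LiteralPath $cmdKey).GetValue('')
}

function Test-ExefileHijack {
    $findings = @()
    # A per-user exefile class is rare on a managed desktop and is itself a
    # strong indicator, because it takes precedence over the HKLM class.
    if (Test-Path -LiteralPath $UserKey) {
        $findings += "$UserKey exists (per-user override of the EXE file class)"
    }
    foreach ($classKey in @($UserKey, $MachineKey)) {
        foreach ($verb in 'open', 'runas') {
            $cmd = Get-VerbCommand -ClassKey $classKey -Verb $verb
            if ($null -ne $cmd -and $cmd -ne $Expected) {
                $findings += "$classKey\shell\$verb\command = $cmd"
            }
        }
    }
    return $findings
}

$findings = @(Test-ExefileHijack)
if ($findings.Count -eq 0) {
    Write-Output 'exefile open/runas verbs look clean.'
    exit 0
}
$findings | ForEach-Object { Write-Warning $_ }

if ($Repair -and (Test-Path -LiteralPath $UserKey)) {
    # Keep an export for the incident record, then remove the override so the
    # HKLM definition applies again (what the original post did by hand).
    $backup = Join-Path $env:TEMP ('exefile-hkcu-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    & reg.exe export 'HKCU\Software\Classes\exefile' $backup /y | Out-Null
    Remove-Item -LiteralPath $UserKey -Recurse -Force
    Write-Output "Removed $UserKey (backup saved to $backup)"
}
```

Run it without -Repair first from an elevated PowerShell so the warnings can be checked against the Enterprise Console alerts; the path reported for the open verb should match the loader the alert named. The same check can be pushed out via a scheduled task or logon script to find other machines carrying the override before users report that nothing will start.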


  • Hello Steve,

    thanks for sharing this.

    Thoughts on all this would be most welcome, as I am very keen to try and stop these infections from occurring in the first place

    From the "encounters" (every few weeks or so, the last one 6 weeks ago) I'd say that it's not users visiting "risky" sites. Access to the malware usually involves several redirections - sometimes the first "offending" link is inserted into one or more pages on the site, sometimes it's in one of the ads (or similar stuff), sometimes it's a "poisoned" link from a search engine. You can read up more details at nakedsecurity.

    Unfortunately neither IFRAMES, obfuscated scripts, reloads nor redirections are per se an indication of malicious intent. All of this is used for "legitimate" purposes, be it to "enhance user experience", "protect intellectual property" or to "protect business interests" (i.e. make sure that ads are actually displayed). And as it's also possible to store the final payload at (hundreds of) thousands of sites which often host mostly innocent content, you can't identify and block the source (especially not in advance). Whatever your perimeter defences are, they need to be as dynamic as the threats.

    Without specific indicators neither the browser, nor the OS nor a scanner can easily and reliably discern this malware from more or less good-natured applications. Make xyz my home page? - Quite common. Make this program run at start-up? Open these documents with? And (almost) no registry key is sacrosanct. The more generic your approach (like going just on the name of a process, or the name of the window it opens) the more likely you'll get false positives. In most cases Sophos detected at least one component as suspicious and while that didn't completely fend off infection it prevented (together with the user only having "User" rights) the stuff from digging deep. As I've said before - once specific IDEs were issued the infection could be cleaned up from SEC.

    Without patching the OS no process can completely defend against privilege escalations - correct me if I'm wrong. From a certain point on any step you take is just fuelling the arms race. And don't forget - as long as it's "quiet" people tend to question the importance and sense of "wasting" resources on security and complain about "bad performance".

    As Placebo says there's a lot of measures you could take - but for some the decision to implement them probably has to be made at a higher level.   

    Hope this helped a little

    Christian
