Fake-AV Malware infections

Hi Everyone,

I thought I would write about some Fake-AV infections we have suffered over the last few days, and how I dealt with it in case it is of use to others on the forum.  I also wondered if anyone else was also being affected by these.

Each of the computers was found to be infected with a Fake-AV called XP AntiSpyware 2011.  At this point, Sophos had not issued any alerts.  We retrieved the computers for analysis and found that we could no longer run applications, and received a dialog to "choose which application you wish to use".  As we had a number of other emergencies to deal with, we shut down the computers and left them.

The following day, 5th April, starting up the computers, we found Sophos was absent from the system tray and checking via the Enterprise Console, we found that Sophos had issued two alerts on each computer:

Mal/FakeAV-IS                 D:\Documents and Settings\All Users\Application Data\fPf05200mHhAi05200\fPf05200mHhAi05200.exe Blocked

Troj/FakeAV-DDN               D:\Documents and Settings\auser\Local Settings\Application Data\mvc.exe                 Blocked

We cleaned the infection using Sophos via the Enterprise Console, but after a reboot, the infection appeared to have gone but I was still unable to run any applications, so I decided a manual cleanup might help.  In order to run regedit, we needed to Start -> Run -> cmd.exe.  At this point, a dialog appeared asking which application is required to run this, so I navigated to C:\Windows\System32\cmd.exe and this finally allowed the Command Prompt to run.

The registry had the following changes to prevent applications from properly running:

[HKEY_CURRENT_USER\Software\Classes\exefile]
@="Application"
"Content Type"="application/x-msdownload"

[HKEY_CURRENT_USER\Software\Classes\exefile\DefaultIcon]
@="%1"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell]

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open]

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"D:\\Documents and Settings\\auser\\Local Settings\\Application Data\\cfx.exe\" -a \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas]

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

I deleted the entire key.  After this was done, I was able to run Malwarebytes Anti-Malware which proceeded to remove other elements of the malware, as well as other modified registry entries.

Is there any way Sophos can be improved such that it will prevent these sort of infections?  Time and again, I tend to see Sophos being defenseless against these Fake-AV attacks, and often seems to completely lose the fight and become crippled by the Fake-AV.  We are using Tamper Protection, which I had hoped might help with this, but apparently not.

I am also puzzled by how these infections are taking place.  I have examined the firewall logs around the time of these infections and the sites visited appear to be non-malicious, often adverts within access to sites such as Facebook and Flickr, and then I see malicious sites being accessed.  The users do not report having visited sites that are risky, and this is borne out by the firewall logs.

Thoughts on all this would be most welcome, as I am very keen to try and stop these infections from occurring in the first place, rather than having to rely upon Sophos to protect the computer, which is the last line of defence.  I use a Checkpoint firewall on the perimeter, with IPS and Anti-Virus activated, and I have an ISA 2006 firewall between DMZ and internal network, but all these appear ineffective in stopping these infections.

Best Regards,
Steve

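The registry dump above is the whole mechanism behind the "choose which application you wish to use" symptom: the per-user `exefile\shell\open\command` handler has been pointed at the malware's launcher, so every `.exe` the user double-clicks is started through `cfx.exe` instead. The following script is an added example (not from the original post, and not a Sophos or Malwarebytes tool) that parses a `.reg` export and flags `.exe` handlers that deviate from the stock Windows default `"%1" %*`, or that live under `HKEY_CURRENT_USER` at all, where a clean system normally has no `exefile` class. The embedded sample is constructed to mirror the post's dump; on a live machine the input would come from `reg export HKCU\Software\Classes\exefile exefile.reg`.

```python
"""Flag hijacked .exe shell handlers in a .reg export (added example, constructed sample)."""
import re

# Stock Windows default for HKCR\exefile\shell\open\command and the runas handler.
EXPECTED_OPEN_COMMAND = '"%1" %*'

# Matches the handler keys the Fake-AV rewrote: ...\exefile\shell\open\command and ...\runas\command.
HANDLER_RE = re.compile(r'\\exefile\\shell\\(open|runas)\\command$', re.IGNORECASE)

# Constructed sample modelled on the registry dump in the post (not a real export).
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Classes\exefile]
@="Application"
"Content Type"="application/x-msdownload"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"D:\\Documents and Settings\\auser\\Local Settings\\Application Data\\cfx.exe\" -a \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"
'''


def unescape_reg_string(s):
    """Undo .reg string escaping: '\\\\' becomes '\\' and '\\"' becomes '"'."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export.

    The default value is stored under the name '@'. Non-string value types are ignored,
    which is enough for the shell handler keys this check cares about.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_match = re.fullmatch(r'\[(.+)\]', line)
        if key_match:
            current = key_match.group(1)
            keys[current] = {}
            continue
        value_match = re.fullmatch(r'(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")', line)
        if value_match and current is not None:
            name_tok, data_tok = value_match.group(1), value_match.group(2)
            name = '@' if name_tok == '@' else unescape_reg_string(name_tok[1:-1])
            keys[current][name] = unescape_reg_string(data_tok[1:-1])
    return keys


def find_exe_hijacks(text):
    """Return (key, value_name, data, reason) tuples for suspicious .exe handlers.

    Two tiers: a handler whose command is not the stock '"%1" %*' is an outright hijack;
    a handler with the stock value but living under HKEY_CURRENT_USER is still a per-user
    override of the exefile class, which the post's cleanup removed wholesale.
    """
    findings = []
    for key, values in parse_reg(text).items():
        if not HANDLER_RE.search(key):
            continue
        under_hkcu = key.upper().startswith('HKEY_CURRENT_USER\\')
        for name in ('@', 'IsolatedCommand'):
            data = values.get(name)
            if data is None:
                continue
            if data != EXPECTED_OPEN_COMMAND:
                findings.append((key, name, data,
                                 'handler launches something other than the target .exe'))
            elif under_hkcu:
                findings.append((key, name, data,
                                 'per-user override of the exefile class (HKCR is the normal location)'))
    return findings


def hijack_executable(command):
    """Extract the quoted launcher path from a hijacked handler command, or None."""
    m = re.match(r'"([^"]+)"', command)
    return m.group(1) if m else None


if __name__ == '__main__':
    for key, name, data, reason in find_exe_hijacks(SAMPLE_REG):
        print(f'{reason}\n  [{key}] {name} = {data}')
        launcher = hijack_executable(data)
        if launcher and launcher != '%1':
            print(f'  launcher to examine: {launcher}')
```

The launcher path the script prints is what you would submit as a sample and look for on other machines via the Enterprise Console; the fix itself is the one the post describes, deleting the per-user `exefile` key so resolution falls back to `HKEY_CLASSES_ROOT`. Note that the `IsolatedCommand` values in the sample are still the stock string, which is exactly why the hijack survived a reboot: only the default value of the `open` handler needed changing.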


  • Hello TRL,

    Like QC mentioned, some of the behavior that causes infections is also used with legit behavior. I too have championed this same issue in this post regarding issues like these, and the approach of the Tamper Protection feature.

    /search?q= 10045

    In your case it sounds like it did not prevent the malware from "tampering", which was one of my points in my posts on that thread. Security these days is headed towards a layered approach. There are so many avenues of attack, and thousands of signature based attack variants are being produced daily. Sophos, and any other virus detection suite will not be able to catch them all.

    One thing that I am always concerned about is malware like the Zeus botnet, which has been reported on millions of systems in which most variants go undetected by AV. A common tactic is to push out Fake AV malware to the bots and then perform privilege escalation / rootkit attacks. Be very vigilant to this type of activity and do not assume that you are NOT affected. Some of the most secure companies have been affected by this type of malware. Check for hidden data streams, suspicious traffic, ports listening, etc. to make sure this isn't the case if you can't find a clear reason or sites where this malware could be coming from.

    Preventing all attacks like this will be an uphill battle and something that is a continuous process, rather than a "set it and forget it" thing. This is what I would recommend:

    • Layered approach. It's often said that even if you installed 3 different brands of AV on a machine, that it still wouldn't be able to detect over a third of viruses in existence. Take a look at application whitelisting solutions that can lock down kernel processes and memory space and run them alongside Sophos which can detect suspicious behavior. Make sure to set good HIPS behavioral policies within Sophos to give you warning signs even when a detection signature may not be present. Sophos can only detect what it knows about, so running a solution like this is best practice.
    • Consider using a Web Gateway Proxy device, which can pro-actively scan links which lead to malicious content and downloads based on behavior and signatures. A web content filter helps tremendously if it's also a proxy that can do on-the-fly analysis. Make sure that Sophos Web Intelligence is set to block malicious sites as well, and is sending the data back to Sophos.
    • Consider locking down and hardening your web browsers. Microsoft just released this Tuesday a fix for a Zero-day in IE that has been active for months. Lock down the zones, ActiveX, cookie security, and force TLS and make sure that ANY plugins dealing with Adobe Reader, or applets are kept up to date.