
Fake-AV Malware infections

Hi Everyone,

I thought I would write about some Fake-AV infections we have suffered over the last few days, and how I dealt with them, in case it is of use to others on the forum.  I also wondered if anyone else was being affected by these.

Each of the computers was found to be infected with a Fake-AV called XP AntiSpyware 2011.  At this point, Sophos had not issued any alerts.  We retrieved the computers for analysis and found that we could no longer run applications, and received a dialog to "choose which application you wish to use".  As we had a number of other emergencies to deal with, we shut down the computers and left them.

The following day, 5th April, starting up the computers, we found Sophos was absent from the system tray and checking via the Enterprise Console, we found that Sophos had issued two alerts on each computer:

Mal/FakeAV-IS                 D:\Documents and Settings\All Users\Application Data\fPf05200mHhAi05200\fPf05200mHhAi05200.exe Blocked

Troj/FakeAV-DDN               D:\Documents and Settings\auser\Local Settings\Application Data\mvc.exe                 Blocked

We cleaned the infection using Sophos via the Enterprise Console, but after a reboot, although the infection appeared to have gone, I was still unable to run any applications, so I decided a manual cleanup might help.  In order to run regedit, we needed to Start -> Run -> cmd.exe.  At this point, a dialog appeared asking which application is required to run this, so I navigated to C:\Windows\System32\cmd.exe and this finally allowed the Command Prompt to run.

The registry had the following changes to prevent applications from properly running:

[HKEY_CURRENT_USER\Software\Classes\exefile]
@="Application"
"Content Type"="application/x-msdownload"

[HKEY_CURRENT_USER\Software\Classes\exefile\DefaultIcon]
@="%1"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell]

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open]

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"D:\\Documents and Settings\\auser\\Local Settings\\Application Data\\cfx.exe\" -a \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas]

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

I deleted the entire key.  After this was done, I was able to run Malwarebytes Anti-Malware which proceeded to remove other elements of the malware, as well as other modified registry entries.

Is there any way Sophos can be improved such that it will prevent these sorts of infections?  Time and again, I tend to see Sophos being defenseless against these Fake-AV attacks, and it often seems to completely lose the fight and become crippled by the Fake-AV.  We are using Tamper Protection, which I had hoped might help with this, but apparently not.

I am also puzzled by how these infections are taking place.  I have examined the firewall logs around the time of these infections and the sites visited appear to be non-malicious, often adverts within access to sites such as Facebook and Flickr, and then I see malicious sites being accessed.  The users do not report having visited sites that are risky, and this is borne out by the firewall logs.

Thoughts on all this would be most welcome, as I am very keen to try and stop these infections from occurring in the first place, rather than having to rely upon Sophos to protect the computer, which is the last line of defence.  I use a Checkpoint firewall on the perimeter, with IPS and Anti-Virus activated, and I have an ISA 2006 firewall between DMZ and internal network, but all these appear ineffective in stopping these infections.

Best Regards,
Steve

:11717
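The registry export in the post shows the mechanism: HKCU\Software\Classes shadows the machine-wide class registrations for the current user, so a per-user exefile\shell\open\command that points at a program in the profile routes every .exe launched through the shell via that program. The script below is an added example (not from the original post, and not Sophos or Malwarebytes code) that audits that per-user override on a live host and, with -Fix, applies the same remediation the post describes: export the key for the incident record, then delete it so the HKLM default applies again. It assumes it is started from the Command Prompt recovered as described above (cmd.exe launches powershell.exe directly, without consulting the hijacked association) in the session of the affected user; the expected stock handler value "%1" %* is the one shown under the runas subkey in the post.

```powershell
# Added example: audit (and optionally remove) a per-user override of the exefile
# open handler, the hijack shown in the post. Run from the recovered cmd.exe as the
# affected user:  powershell.exe -ExecutionPolicy Bypass -File .\Check-ExefileHandler.ps1 [-Fix]
param([switch]$Fix)

$userKey   = 'HKCU:\Software\Classes\exefile'
$openCmd   = Join-Path $userKey 'shell\open\command'
$systemCmd = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command'
$expected  = '"%1" %*'   # stock handler: run the file itself with its arguments

# Return the (default) value of a registry key, or $null if the key does not exist.
function Get-DefaultValue([string]$Path) {
    if (-not (Test-Path $Path)) { return $null }
    return (Get-ItemProperty -Path $Path).'(default)'
}

$userValue   = Get-DefaultValue $openCmd
$systemValue = Get-DefaultValue $systemCmd

Write-Host "HKLM exefile open command : $systemValue"
Write-Host "HKCU exefile open command : $(if ($null -eq $userValue) { '<none>' } else { $userValue })"

# The machine-wide handler should also be the stock value; a change there is a
# different (elevated) tampering case and is only reported here, not fixed.
if ($systemValue -ne $expected) {
    Write-Warning "Machine-wide exefile handler is not the stock value; inspect HKLM as well."
}

if ($null -eq $userValue) {
    Write-Host "No per-user exefile override present; nothing to do."
    return
}

if ($userValue -eq $expected) {
    Write-Host "Per-user override present but matches the stock handler."
    return
}

# Anything other than the stock handler here (the posted case pointed at cfx.exe
# under Local Settings\Application Data) means the user's .exe launches are being
# proxied through another program.
Write-Warning "Per-user exefile handler is overridden: $userValue"

if ($Fix) {
    # Same remediation as the post: delete the whole HKCU exefile key so the HKLM
    # default takes effect again. Keep an export first for the incident record.
    $backup = Join-Path $env:TEMP 'exefile-hkcu-backup.reg'
    & reg.exe export 'HKCU\Software\Classes\exefile' $backup /y | Out-Null
    Remove-Item -Path $userKey -Recurse -Force
    Write-Host "Removed $userKey (backup saved to $backup)."
} else {
    Write-Host "Re-run with -Fix to remove the per-user override."
}
```

Deleting the key rather than rewriting the command value is deliberate: the post shows the override also carries DefaultIcon and runas subkeys, and with no HKCU entry at all the user falls back to the HKLM registration that Windows installed. The exported .reg file also preserves the path of the loader the malware used, which is the artefact worth keeping for the report.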


  • We've seen a few Fake AV instances here, and most are well handled by Sophos. But every once in a while we get one that somehow prevents Sophos from doing anything with it.

    Sophos does detect it, but it doesn't prevent the infection from happening.

    It seems to me that if it can detect the piece of malware, it should be able to prevent it from doing harm.

    :12045