How AntiVirus Pro 2010 finds “malware”
“AntiVirus Pro 2010” is one of the most infamous fake antivirus (rogue security software) families.
Usually it gets onto a user’s computer via a small downloader. Once installed, the downloader fetches the remaining components of the rogue. After a few minutes it starts to display warnings such as “Privacy alert! - Your system was found to be infected with intercepting programs…”

It displays a main window and offers a “scan now” option; when activated, it “detects” malware that does not exist. The non-existent threats it reports range from scripts to rootkits.
Let’s look quickly at what exactly it finds. Usually it reports 10-20 different malware files in the Windows System folder. We open one of these detected files and find out what it actually contains.
; "zekel.dll":
0000: 00 00 00 02 00 00 01 04 01 04 00 06 06 01 0B 03
0010: 04 0A 08 0B 01 14 0C 01 10 01 13 02 11 1C 04 04
0020: 0F 1D 20 04 15 10 20 0D 1B 20 1F 09 17 24 00 19
0030: 2B 10 02 22 1C 17 13 1F 1A 23 17 13 14 2D 21 2C
0040: 0F 35 0C 19 2E 15 30 30 44 01 0C 13 37 1B 19 2F
...
00F0: CF AC 00 15 09 E2 6D AF D6 B7 17 AC 9F F9 C1 28
0100: AD E8 A3 6C 03 3C 90 40 01 87 D0 AD 92 2F 63 0C
0110: C4 A6 9A D4 B2 E9 6B 27 E9 05 E6 6B 43 5D C2 72
0120: 84 8C D9 A4 FB 98 17 EC 09 13 27 6B 75 14 D0 3A
0130: 25 05 26 53 78 BA 05 07 2A 12 DB 2F 15 61 E2 41
...
3940: 1E 53 D9 F2 EA 74 95 1B F8 1C 02 10 23 EE 84 BF
3950: F3 BD F7 95 37
; EndOfFile
Despite its somewhat wacky name, the file “zekel.dll” is not a DLL (Dynamic Link Library) at all. A genuine Windows executable or DLL starts with the “MZ” signature (bytes 4D 5A); this file starts with two zero bytes. It is a junk file filled with random bytes.
At first glance it is possible to notice some regularities in these “malicious” files. For example, all files have zero as their first and second bytes. The next few bytes, at offsets 0x02..0x0F, are all quite small (none exceeds 0x0B in the dump above, so all are less than 0x0F). The bytes at offsets 0x10..0x1F are likewise limited: none is greater than 0x1F (the largest, 0x1C at offset 0x1D, is still below its own offset), but at the same time they look quite random. In other words, the byte at each offset p stays below p.
If we scrutinize these bytes from the start of the file, we can derive an approximate formula for the generator (C notation):
/* h is the descriptor of the freshly created "threat" file, FileSize its target length.
   The byte at offset FilePos is rand() % FilePos; offset 0 is written as 0, because
   rand() % 0 would be a division by zero (and the real files do start with 0x00). */
for (int FilePos = 0; FilePos < FileSize; FilePos++)
{
    unsigned char b = FilePos ? (unsigned char)(rand() % FilePos) : 0;
    write(h, &b, 1);
}
We check this assumption by analysing the real implementation inside “AntiVirus Pro 2010”. We need to intercept the moment when it creates and writes these files and then decides they are “malware”.
; Inside the "AntiVirus Pro 2010" - algorithm of "fake malware" generation

From the code, it appears that I was correct about how these fake detected files are created. :-)
As a final note, there were no checksums or date stamps, only random junk inside the fake threats of “AntiVirus Pro 2010”.
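As an added example (not code from the original post, and not the rogue’s own code), the following Python script reproduces the generator derived above and turns the observed regularity into a check that can be run over a suspicious file. The generator follows the approximate formula from the post; the checker, its thresholds (64 bytes checked, 16 distinct values) and all function names are my own assumptions. The embedded bytes are the first 0x50 bytes of the zekel.dll dump shown above; the “MZ” header sample is constructed.

```python
import random

# The first 0x50 bytes of "zekel.dll", copied from the hex dump in the post.
ZEKEL_HEAD = bytes.fromhex(
    "00 00 00 02 00 00 01 04 01 04 00 06 06 01 0B 03"
    "04 0A 08 0B 01 14 0C 01 10 01 13 02 11 1C 04 04"
    "0F 1D 20 04 15 10 20 0D 1B 20 1F 09 17 24 00 19"
    "2B 10 02 22 1C 17 13 1F 1A 23 17 13 14 2D 21 2C"
    "0F 35 0C 19 2E 15 30 30 44 01 0C 13 37 1B 19 2F"
)

# Constructed sample (not from the post): how a genuine PE/DLL begins.
# The "MZ" signature (4D 5A) is what a real DLL carries at offset 0.
REAL_DLL_HEAD = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"


def fake_threat_bytes(size, seed=None):
    """Emulate the generator derived in the post: the byte at offset p is
    rand() % p, truncated to 8 bits. Offset 0 is emitted as 0x00, since
    rand() % 0 would be a division by zero in the C formula."""
    rng = random.Random(seed)
    out = bytearray(size)                 # out[0] stays 0x00
    for pos in range(1, size):
        out[pos] = rng.randrange(pos) & 0xFF
    return bytes(out)


def bounded_prefix_length(data, limit=256):
    """Count the leading offsets p for which data[p] < p (offset 0 must be
    0x00). Only the first `limit` bytes carry the signal: past offset 0xFF
    the modulo result no longer fits in a byte and the bound disappears."""
    for pos, b in enumerate(data[:limit]):
        bound = 1 if pos == 0 else pos
        if b >= bound:
            return pos
    return min(len(data), limit)


def looks_like_fake_threat(data, min_checked=64, min_distinct=16):
    """Heuristic (my assumption, not the post's): a file whose first
    min_checked bytes all obey data[p] < p and still show plenty of distinct
    values is very probably one of the rogue's planted files. The distinct-
    value test rejects all-zero files, which would otherwise pass the bound."""
    checked = min(len(data), 256)
    if checked < min_checked:
        return False
    if bounded_prefix_length(data) != checked:
        return False
    return len(set(data[:checked])) >= min_distinct


if __name__ == "__main__":
    sample = fake_threat_bytes(0x3955, seed=2009)   # same length as zekel.dll
    print("zekel.dll head ->", looks_like_fake_threat(ZEKEL_HEAD))    # True
    print("generated file ->", looks_like_fake_threat(sample))        # True
    print("real DLL head  ->", looks_like_fake_threat(REAL_DLL_HEAD)) # False
    print("all-zero file  ->", looks_like_fake_threat(bytes(300)))    # False
```

Two caveats on the check: it only inspects offsets below 0x100, because beyond that the bound vanishes and the bytes are plain random, and it deliberately ignores file name and size, both of which the rogue can change at will. The distinct-value requirement exists because a file of all zero bytes also satisfies data[p] < p at every offset and would otherwise be flagged.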
Posted on October 26th, 2009 by Vladimir Zubko. Filed under: General