Threat Spotlight

For the week of 01 Mar 2010
Threat 1

Malware lures users to download fake anti-virus

Threat Name:

Malware: Mal/FakeAvJs-A

Users at Risk:

Windows users

Also Known As:

  • Avira: HTML/FakeAlert
  • McAfee: HTML/FakeAV
  • Microsoft: Trojan:JS/FakeIA
  • Symantec: Trojan.Fakeavalert

Removal Instructions:

Please follow these instructions on how to remove generically detected files.

About:

Mal/FakeAvJs-A is a Trojan found on pages that display fake security scanning results and claim that there are threats on your computer. These pages also encourage you to download fake security software, known as FakeAV, from related websites. They will typically use repeated pop-ups and offer to download the software even if the user initially refuses. In some cases, the fake scanner may be automatically installed using browser vulnerabilities.

Users are directed to the fake scanning pages using social engineering techniques and search engine optimization, which lure them with seemingly relevant search results. The static content of the fake scanning pages is normally written in HTML; JavaScript is normally responsible for the dynamic content, such as scanning progress bars, lists of bogus threats and the pop-ups.

The fake scanning software (installed as a result of visiting sites hosting Mal/FakeAvJs-A) is usually a member of the Troj/FakeAV family.

Threat 2

Malware squats on domain name typos

Threat Name:

Malware: Mal/FakeVirPk-A

Users at Risk:

Windows users

Also Known As:

  • Kaspersky: Packed.Win32.Krap.ai
  • McAfee: FakeAlert-SecurityTool
  • Microsoft: Trojan:Win32/Winwebsec

Removal Instructions:

Please follow these instructions on how to remove generically detected files.

About:

Mal/FakeVirPk-A identifies a compression and obfuscation method used by a wide variety of malware, including but not limited to families of fake anti-virus Trojans.

Recently, this particular fake anti-virus family has spread by using search engine optimization (SEO) techniques to poison topical search terms, and even by typo-squatting on popular industry domain names.

The following behaviour has been observed in some variants of Mal/FakeVirPk-A. The sample copies itself to:

<User>\Application Data\<8 digit random number>\<same random number>.exe

and creates the following two shortcut files:

<DESKTOP>\Security Tool.lnk
<STARTMENU>\Programs\Security Tool.lnk

A Run key value is created that executes the exe at system startup; for example, the value name and data are:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
98617132
<User>\Application Data\98617132\98617132.exe

Further registry entries may also be created under:

HKLM\SOFTWARE\<random number>

The malware also attempts to contact an IP address over HTTP, including certain information about the infected computer in the request; for example:

178.##.32.##/in.php?affid=93101%26url=5%26win=Windows%20XP+3.0%26sts=
93101|9|931|01|1|US|1|6|7|1|184|0

In addition to the detection provided for Mal/FakeVirPk-A, the proactive HIPS technology in Sophos Endpoint Security can detect the installation of Mal/FakeVirPk-A, using rule HIPS/RegMod-001.
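The two host and network indicators described above (the self-copy path registered under the Run key, and the in.php beacon whose parameters are hidden behind %26-encoded separators) can be checked mechanically. The following Python is an added example written for this bulletin; it is not Sophos code. The registry dump, the IP address 192.0.2.10 and the proxy log lines are constructed sample data, and the only assumption is that the beacon's query string looks like the one quoted above, with the sts value carried in the same request.

```python
import re
from urllib.parse import urlsplit, unquote

# Run-key value data of the form <User>\Application Data\<8 digits>\<same 8 digits>.exe.
# The back-reference (\1) enforces the "same random number" part of the description.
RUN_VALUE_RE = re.compile(r"Application Data\\(\d{8})\\\1\.exe$", re.IGNORECASE)

# Constructed dump of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: value name -> data.
SAMPLE_RUN_KEY = {
    "98617132": r"C:\Documents and Settings\alice\Application Data\98617132\98617132.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    # Folder and file numbers differ, so this one does not match the described behaviour.
    "12345678": r"C:\Documents and Settings\bob\Application Data\12345678\87654321.exe",
}


def suspicious_run_values(run_key):
    """Return the Run value names whose data matches the Mal/FakeVirPk-A self-copy path."""
    return [name for name, data in run_key.items() if RUN_VALUE_RE.search(data)]


BEACON_PATH = "/in.php"


def parse_beacon(url):
    """Return the beacon's decoded parameters, or None if the URL is not shaped like one."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    if parts.path != BEACON_PATH:
        return None
    # The query carries %26 where a normal request has '&', so the real parameters only
    # appear after one decode. Split by hand afterwards so nothing is decoded twice.
    fields = {}
    for item in unquote(parts.query).split("&"):
        key, _, value = item.partition("=")
        fields[key] = value
    if "affid" not in fields or "sts" not in fields:
        return None
    return fields


def sts_fields(fields):
    """Split the pipe-separated sts value into its individual elements."""
    return fields["sts"].split("|") if fields["sts"] else []


# Constructed proxy log lines: "<client> <method> <url>". Not real traffic.
SAMPLE_PROXY_LOG = [
    "10.0.0.5 GET http://192.0.2.10/in.php?affid=93101%26url=5%26win=Windows%20XP+3.0"
    "%26sts=93101|9|931|01|1|US|1|6|7|1|184|0",
    "10.0.0.7 GET http://www.example.com/index.php?id=5",
    "10.0.0.9 GET http://192.0.2.11/in.php?page=1",
]


def find_beacons(log_lines):
    """Return (client, affid) pairs for every log line that carries a beacon request."""
    hits = []
    for line in log_lines:
        client, _, url = line.split(" ", 2)
        fields = parse_beacon(url)
        if fields:
            hits.append((client, fields["affid"]))
    return hits


if __name__ == "__main__":
    print("suspicious Run values:", suspicious_run_values(SAMPLE_RUN_KEY))
    for client, affid in find_beacons(SAMPLE_PROXY_LOG):
        print(f"beacon from {client} with affiliate id {affid}")
```

The Run-key check deliberately keys on the structural shape of the path rather than on the specific number 98617132, since the number is random per infection. The beacon check requires both affid and sts to be present after decoding, so an unrelated in.php page does not trigger it.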

Threat 3

Fake package delivery or password reset messages trick users

Threat Name:

Malware: Mal/TibsPk-A

Users at Risk:

Windows users

Also Known As:

  • Kaspersky: Trojan-Dropper.Win32.Agent.bqdn
  • Avira: TR/Spy.ZBot.oiz
  • McAfee: Bredolab.gen.c
  • Microsoft: Trojan:Win32/Oficla.H!dll

Removal Instructions:

Please use these instructions for removing generically detected files to delete the file from your computer.

About:

Mal/TibsPk-A is a malicious program that contains highly obfuscated code that has been encrypted and compressed. This program typically arrives in the form of a hoax email with an accompanying file attachment.

This program tends to:

  • Harvest information
  • Download code from the internet
  • Open a backdoor allowing a remote intruder to gain access
  • Sell fake anti-virus/security related products

This week, Mal/TibsPk-A arrived as an email attachment in a variety of guises. A typical email carrying this malware takes one of the following forms:

Subject: Facebook Password Reset Confirmation! Customer Support.
Attached file: Facebook_password_<random characters>.zip

Subject: DHL Office. Please get your parcel
Attached file: DHL_Label_<random characters>.zip

Subject: Amazon Shop! Your order has been paid! Parcel NR.5014.
Attached file: Postal_label_<random characters>.zip

The message text within the email typically tries to entice the user to open the malicious file attachment using a myriad of social engineering tricks, such as claiming that the user's password has been invalidated or that a parcel needs to be collected. In every instance, the user is encouraged to open the file attachment.
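The three message formats above are regular enough to screen for at the mail gateway. The following Python is an added example written for this bulletin, not Sophos code: it builds constructed sample messages with the standard library email package, parses them back from raw bytes the way a gateway would see them, and scores each one on the two traits the bulletin describes (lure wording in the subject, and a ZIP attachment named after the lure followed by random characters). The subject marker phrases and the attachment-name pattern are assumptions derived from the three samples quoted above.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment names seen this week: <lure>_<random characters>.zip
ATTACHMENT_RE = re.compile(
    r"^(Facebook_password|DHL_Label|Postal_label)_[A-Za-z0-9]+\.zip$", re.IGNORECASE
)
# Subject phrasing taken from the three sample subjects (assumed marker phrases).
SUBJECT_MARKERS = ("password reset", "get your parcel", "your order has been paid")


def build_sample(subject, attachment_name):
    """Construct a test message with a ZIP attachment (sample data, not a real lure)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.net"
    msg.set_content("Please see the attached file.")
    # A few bytes that start like a ZIP header; the content is never opened here.
    msg.add_attachment(b"PK\x03\x04constructed", maintype="application",
                       subtype="zip", filename=attachment_name)
    return msg.as_bytes()


def assess(raw_bytes):
    """Parse a raw message and return (verdict, reasons) based on subject and attachments."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    subject = str(msg.get("Subject", "")).lower()
    if any(marker in subject for marker in SUBJECT_MARKERS):
        reasons.append("subject matches known lure wording")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACHMENT_RE.match(name):
            reasons.append(f"attachment name matches lure pattern: {name}")
        elif name.lower().endswith(".zip"):
            reasons.append(f"zip attachment: {name}")
    # Two independent traits -> quarantine; one -> flag for review; none -> deliver.
    if len(reasons) >= 2:
        verdict = "quarantine"
    elif reasons:
        verdict = "flag"
    else:
        verdict = "pass"
    return verdict, reasons


# Constructed samples: one shaped like the bulletin's lure, two benign messages.
SAMPLES = {
    "lure": build_sample("Facebook Password Reset Confirmation! Customer Support.",
                         "Facebook_password_k3j9x.zip"),
    "report": build_sample("Monthly report", "report_q1.zip"),
    "lunch": build_sample("Lunch on Friday?", "menu.pdf"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        verdict, reasons = assess(raw)
        print(f"{label}: {verdict} {reasons}")
```

Scoring on two independent traits keeps a plain ZIP attachment from being quarantined on its own, while a message that combines the lure subject with the lure attachment name is held without needing to open the archive.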