Lately there has been a huge influx of misleading applications (a.k.a. rogue or fake antivirus applications) plaguing users. By traditional definition, these programs are rogue applications that parade as fake antivirus scanners and/or fake “system cleaners.” For a good briefing on this type of “scareware,” take a look at the description provided here.
Once installed, these applications attempt to scare the user into believing that his or her computer is infected with dozens or more threats. This is done using constant pop-ups, task bar notification icons, etc. These apps usually start off with a fake scan of the system and then proceed to report non-existent threats on the system. In some cases, this is done even before the user installs the application, by popping up an image that pretends to show that the user is infected. The goal here is to try to lure the user into buying the fake product, which promises to clean up all of those made-up threats.
If the user decides to buy the application, they are usually redirected to an order page. The cost for these products can be anything from $30 to $100. These order pages will also try to up-sell the user into buying more fake products, or even multi-year licenses.
This is a huge scam, but also a very successful one that relies on social engineering tricks and scare tactics in order to make a quick buck. The majority of the companies behind these applications seem to be associated with the Russian Business Network (RBN), which is an underground network involved in online criminal activities such as spam, phishing, and bots. So, how do the misleading applications get onto the system?
Trojans are an intermediary step for the misleading application. These Trojans, once installed, can add taskbar notifications and display fake system scan pop-ups and GUI windows. The aim here is to scare the user into believing his or her computer is infected with a bunch of threats.
The rogue applications then offer to clean up these fake threats and entice the user to purchase the misleading application, because it may seem that this is the quickest and cheapest method. Quite often the Trojan drops trial versions of the misleading application onto the victim’s system, which then constantly prompts the user to either buy the protection or otherwise remain infected.
All of these social engineering tactics are “marketing tools” used by the Trojan to attempt to trick the user into buying the misleading application. Now, let’s get back to how a user would get these Trojans onto their system in the first place.
Methods of distributing Trojans
Fake codec Web pages
One popular method is using adult-content websites that are modeled after popular and legitimate video-sharing sites. In this case, the fraudulent website will ask users to download and install video codec applications in order to view the videos. However, the video codec applications are actually Trojan executables—a simple ruse, but very effective. In many cases, infected blog comments, IM spam, and malicious text ads lead users to these fake codec websites. Shown below is a screenshot of one of these fake codec sites, where the downloaded codec file is, in fact, Trojan.Zlob. We have observed that Trojan binaries such as these are updated very frequently.
Malicious peer-to-peer files
Another method of Trojan distribution is through malicious peer-to-peer (P2P) file sharing. In this case, malicious users bind Trojan executables to popular applications and upload them to file-sharing websites. They use some creativity in naming the files, using celebrities’ names or popular brand names in order to try to get users interested. There are tutorials available online to get “script kiddies” acquainted with the process of creating “Trojanized” applications, along with how-to guides on publishing these applications to P2P sites, which sites to use, how to use proxy servers to serve the files, and how to avoid getting shut down for misuse.
The online tutorial shown below gives a breakdown on how to distribute malicious executables using P2P file sharing. It breaks down the whole process into easy to understand steps, and also advises which P2P sites to use in order to avoid getting shut down. This goes to show how easy it is to start distributing malicious code and misleading applications.
Malicious search engine ads
Malicious code distributors have also started using text-based search engine ads to direct users to fake product download websites for brand-name or technical-sounding applications. For example, if we perform a Web search for the keyword “directx,” one of the sponsored links points to a page cleverly pretending to be the download page for the official version of DirectX.
However, when a user visits that particular website, the fake DirectX application being offered is, in fact, a Trojan. In this case the malicious code author most likely bought the keyword “DirectX” from the ad network. The estimated daily price for the “DirectX” keyword is anything from $30 to $70. One can clearly see how malicious code authors are using legitimate ad networks to inject malicious ads, which are then used to propagate malicious code and misleading applications.
Browser exploits (drive-by downloads)
Browser exploits (drive-by downloads) are another popular way to drop Trojans onto the victim’s system. No user interaction is necessary for the user to become infected in these cases. Recently we have seen a spike in exploits targeting third-party applications such as Adobe Reader and Flash Player. These exploits crop up even on legitimate, large brand-name websites.
The bottom line is, the user could be on a legitimate site and yet unknowingly become infected with these Trojans. Some previous blogs talk a little more about these attacks:
• Nishant Doshi’s Web Protection 2.0
• John Harrison’s One Million Websites Compromised
Blog comment spam
Blogs are often seeded with URL links pointing to pages that use social engineering tricks or browser-based exploitation techniques in order to infect a user’s machine. Attackers often use blog comment fields to post such links. Quite often, these comments carry catchy phrases to entice visitors to click on the link. These types of spam messages also affect social networking sites. There are tools available in the underground networks that automate the process of blog spamming.
Pirated software and cracks
These Trojans often come disguised as pirated software and software cracks, usually downloaded by users from “warez” sites. A common problem across the globe, this has always been a huge vector for distributing Trojans.
I’m going to wrap up this discussion for today, but keep your eyes peeled for the second and third articles in this series. I’ll demonstrate the ways in which misleading applications continue to compromise systems—the articles will be posted on this blog over the next few days.