
FakeAV spreading like wildfire

Hi,

Anyone else noticed that the Mal/FakeAV variants are really going hammer and tongs at the moment? I think I've cleaned up about 15 or so in the last week, all new variations on the same thing. One client caught the virus while browsing the Orange.co.uk home page; it seems these are exploiting vulnerabilities in the Java engine, as far as I can tell. There are a few basic versions of this, but for the most part these change the wallpaper to a blue background displaying "WARNING! You are in danger; your computer is infected with Spyware". After this, a popup window called 'System Tool' appears, seemingly scanning and finding many viruses on your machine. Eventually, if you follow the somewhat broken English, you're persuaded to hand over payment to clean up the infection.

The above is relatively easy to find and clean up: the virus seems to deposit a randomly named folder with an executable in the c:\documents and settings\all users\application data folder on XP/2000 and c:\users\xxx\appdata\local on Vista and 7 (I have seen various other locations, but these are the most common). It's easy enough to search for .exe files modified around the time the infection was first noticed (minus a day). The .exe can simply be renamed in a DOS prompt and the machine rebooted; Sophos springs back into life, can then be updated to the latest protection, and a scan can then be run, which almost always detects it and allows it to be cleaned up.

The problem, though, is that on a few systems I've seen the FakeAV variant introduce a new version of TDSS onto the system, and it bolts itself directly into the MBR of the machine; we all know just how good the TDSS system is at hiding itself away. Neither the Sophos AV nor the rootkit scanner was able to find the Troj/TDLMBR-B variant found on a machine infected by the Mal/FakeAV-IU virus until I physically removed the HD from the infected machine and scanned it externally, after seeing suspicious web redirections following a successful cleanup of the FakeAV variant. This trojan sits in the master boot record, randomly redirects websites, terminates AV products (mostly unsuccessfully) and very successfully hides itself.

The only cure I've found so far is to rebuild the MBR (with a Vista/7 repair or recovery console, or fixmbr on XP/2000); the TDSS killer from rivals Kaspersky seems to work very well too.

Why can't Sophos create a tool like Kaspersky's to deal with rootkits properly, or a decent bootable standalone package that can actually clean up rootkits or MBR infections?

Matt

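
As an added example (not from the post above and not a Sophos tool), the triage step Matt describes, walking the two drop locations for executables modified in a window around the time the infection was noticed and renaming them so they cannot run at the next boot. The drop paths and the one-day look-back are taken from the post; the one-hour look-ahead, the `.bad` suffix and the command-line interface are my assumptions.

```python
"""Hunt for recently modified executables in the FakeAV drop locations.

Added example, not part of the original post or of any Sophos tool.
Assumptions: drop locations are the ones named in the post; the infection
time is supplied on the command line as an ISO timestamp.
"""
from __future__ import annotations

import os
import sys
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import Path


@dataclass
class Hit:
    path: Path
    mtime: datetime
    size: int


def default_roots():
    """The drop folders named in the post (XP/2000 and Vista/7). Assumed
    defaults; pass your own list to find_recent_executables if they differ."""
    roots = [Path(r"C:\Documents and Settings\All Users\Application Data")]
    roots += Path(r"C:\Users").glob("*/AppData/Local")   # one entry per profile
    return [r for r in roots if r.is_dir()]


def find_recent_executables(roots, noticed_at, lookback=timedelta(days=1),
                            lookahead=timedelta(hours=1), suffixes=(".exe",)):
    """Return executables whose modification time falls inside the window
    [noticed_at - lookback, noticed_at + lookahead], oldest first.

    The post's rule of thumb is 'modified around the time the infection was
    first noticed (minus a day)'; the defaults encode exactly that."""
    lo, hi = noticed_at - lookback, noticed_at + lookahead
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if not name.lower().endswith(suffixes):
                    continue
                p = Path(dirpath) / name
                try:
                    st = p.stat()
                except OSError:          # locked or vanished file: skip, keep going
                    continue
                mtime = datetime.fromtimestamp(st.st_mtime)
                if lo <= mtime <= hi:
                    hits.append(Hit(p, mtime, st.st_size))
    hits.sort(key=lambda h: h.mtime)
    return hits


def neutralise(hit, suffix=".bad"):
    """Rename the file so it no longer runs at next boot (the 'ren' step in
    the post). Nothing is deleted, so the sample survives for submission."""
    target = hit.path.with_name(hit.path.name + suffix)
    hit.path.rename(target)
    return target


if __name__ == "__main__":
    when = datetime.fromisoformat(sys.argv[1]) if len(sys.argv) > 1 else datetime.now()
    for h in find_recent_executables(default_roots(), when):
        print(f"{h.mtime:%Y-%m-%d %H:%M}  {h.size:>10}  {h.path}")
```

Run it as `python hunt.py 2011-02-15T12:00` from an administrative prompt; review the list before calling `neutralise` on anything, since a legitimate updater dropped in the same window will match the same rule.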


  • Hello Matt,

    As rootkit removal tools can be harmful (and are also frequently updated), Sophos does not provide a "public link". Support will send you the link (which you shouldn't "reuse") and might also send you additional instructions and/or ask you to submit samples if possible.

    You have probably already sent some samples; it's a good idea to poke around in the usual locations and collect whatever looks fishy, especially if you observe variations.

    Christian

  • Hi Christian,

    Yes, many samples submitted, and all variations of the FakeAV I've seen are now on the protected list. It's the TDSS variants these introduce when Sophos is down that are extremely difficult to find and deal with. I ran a full scan on a system today using both SAV and the very latest SAR package and neither reported any failures (OK, SAR reported a few hidden internet cache files, not unusual). I've a request in for the standalone installer (which runs on a bootable Linux variant) so I can double-check a few client machines I've dealt with recently.

    The real issue here is why other vendors are able to spot these MBR infections running on an infected machine and Sophos isn't. It can detect it if I scan the HD on another machine, i.e. physically remove the disk and scan it via a USB cable etc. In this instance, I simply used the Kaspersky TDSS killer tool they freely provide on their website. It found the MBR infection and just dealt with it in one easy move on the infected machine. I'd like that sort of capability from Sophos; even just the ability to actually spot the virus would be a useful start.

    Matt

  • The real issue here is why are other vendors able to spot these MBR infections

    I see what you mean: a coworker's machine reported a TDL3mem-B and appeared clean after SAV32CLI and rootkit scans, but the second disk couldn't be accessed. The custom tool found and got rid of the threat, but as you say, the "regular" product didn't.

    Christian   

  • Almost....

    The machine still ran OK and booted fine, but the infection was spotted when I got suspicious about a web redirection I observed. I scanned the HD remotely via a USB cable and Sophos (EPS) spotted the MBR infection TDL3mem-B on the disk. Putting the HD back into the machine and checking it with SAR and Sav32CLI -MBR (and EPS), all reported the disk as clean. TDSSKiller run on that machine found the infection and offered to clean it; click the button and reboot, virus gone. Detach the disk again and scan via USB cable with EPS again: disk clean.

    Just cleaned up another FakeAV variant, FakeAV-CSA this time. Yet another variant. Now running a scan on the removed HD from that machine to double-check for a TDSS variant.

    Matt

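
The sequence in the post above (disk reads as infected when scanned externally, reads as clean from the running machine) is the observable a practitioner can check for directly. As an added example, not Sophos, Kaspersky or TDSSKiller code, here is a script that fingerprints sector 0 of a disk and compares two views of it: one read through the running OS, one read with the disk attached to a clean machine or from an image. It generalises the post's observation into a rule: same partition table but a different bootstrap hash between the two views means the host is being shown something other than what it boots from. The device paths in the comments are assumptions, and `build_mbr` exists only to construct sample data.

```python
"""Fingerprint a disk's MBR and compare two views of it.

Added example; not Sophos, Kaspersky or TDSSKiller code. It reproduces the
idea behind the post's external scan: read sector 0 through the running OS
and again with the disk attached to a clean machine (or from an image), and
compare. Device paths are assumptions.
"""
import hashlib
import struct
import sys

SECTOR = 512
BOOTSTRAP_LEN = 440          # bytes 0..439: boot code
DISK_SIG_OFF = 440           # bytes 440..443: Windows disk signature
PART_TABLE_OFF = 446         # 4 x 16-byte partition entries
SIGNATURE_OFF = 510          # 0x55 0xAA


def read_mbr(device_path):
    """Read sector 0 of a raw device or image.
    Assumed paths: r'\\.\PhysicalDrive0' on Windows (run as Administrator),
    /dev/sdb on a Linux rescue boot, or any .img file for offline work."""
    with open(device_path, "rb") as f:
        data = f.read(SECTOR)
    if len(data) != SECTOR:
        raise ValueError(f"short read: {len(data)} bytes")
    return data


def parse_partitions(data):
    """Return the non-empty entries of the classic MBR partition table."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", data, off)
        if ptype == 0:                   # empty slot
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def fingerprint_mbr(data):
    if len(data) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    return {
        "signature_ok": data[SIGNATURE_OFF:] == b"\x55\xaa",
        "bootstrap_sha256": hashlib.sha256(data[:BOOTSTRAP_LEN]).hexdigest(),
        "disk_signature": "%08X" % struct.unpack_from("<I", data, DISK_SIG_OFF)[0],
        "partition_table_sha256": hashlib.sha256(data[PART_TABLE_OFF:SIGNATURE_OFF]).hexdigest(),
        "partitions": parse_partitions(data),
    }


def compare_views(on_host, external):
    """Compare sector 0 as read from the running OS with the same sector read
    externally. Same partition table but different bootstrap is the pattern
    to look for: the host is being shown a copy that is not what it boots from."""
    a, b = fingerprint_mbr(on_host), fingerprint_mbr(external)
    return {
        "bootstrap_matches": a["bootstrap_sha256"] == b["bootstrap_sha256"],
        "partition_table_matches": a["partition_table_sha256"] == b["partition_table_sha256"],
        "signature_ok": a["signature_ok"] and b["signature_ok"],
    }


def build_mbr(bootstrap, disk_signature, partitions):
    """Assemble a 512-byte MBR; used here only to construct sample data."""
    if len(bootstrap) != BOOTSTRAP_LEN or len(disk_signature) != 4:
        raise ValueError("bad bootstrap or disk signature length")
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if boot else 0, ptype, start, n)
                     for boot, ptype, start, n in partitions)
    return bootstrap + disk_signature + b"\0\0" + table.ljust(64, b"\0") + b"\x55\xaa"


if __name__ == "__main__":
    if len(sys.argv) == 3:               # two views: on-host dump and external dump
        print(compare_views(read_mbr(sys.argv[1]), read_mbr(sys.argv[2])))
    elif len(sys.argv) == 2:
        print(fingerprint_mbr(read_mbr(sys.argv[1])))
    else:
        print("usage: mbr_check.py <device-or-image> [<second-view>]")
```

Dump the sector from the suspect machine first, then again from the clean host, and feed both files to the script. Compare the same disk against itself, not against a generic reference: a legitimate boot manager or disk encryption also rewrites the bootstrap, so only a mismatch between the two views of one disk is evidence that the running OS is being lied to.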
  • I would be concerned that if you are seeing a large outbreak of these in one area, it could spell an underlying issue such as a botnet connection, especially if you don't think they are being caused by the pop-up variety. Lately FakeAV has been increasingly applied on botnet victim hosts.

    You could try checking for alternate data streams (ADS) being used on some of the affected PCs, and also run some detailed netstats to check for any unusual traffic. ADS are practically impossible to defend against if you are in a Windows environment. A quick way to check is to use a free tool like this: http://www.heysoft.de/en/software/lads.php .

  • Hi Azurus?

    No, not botnets; I checked that. Nothing is showing on any abnormal ports, and I did a capture with Ethereal on a machine to see exactly what data was going out; I could see the websites being queried by FakeAV but nothing else unusual. These seem to be coming in on banner ads in web pages. Hotmail has been hit several times and I actually watched an attack borne on a banner ad on the orange.co.uk home page. These seem to be exploiting holes in the Java engine, and I watched Java pop up with an error just prior to the FakeAV-CTJ attack.

    In each case after cleansing, I've made sure Windows Update has been run to patch all likely holes and updated Java as a matter of course to pick up the very latest version; however, we already know of 3 or 4 holes not yet fixed in that, so it's probably those being hit.

    Matt

  • Good to know. Are your users clicking on banner ads, or merely visiting the site in question? We had some issues earlier in the year with some FakeAV's here and there, but nothing lately.

    You said you patched the Java versions on the hosts. Are you referring to the latest (Feb.) Oracle critical update patch, with version 6 update 24 included? Also, there is an unfixed zero-day for IE8 still floating around (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0346).

    I use this sometimes when I think our browsers have holes. https://browsercheck.qualys.com/ . It has been helpful to me in the past.

  • I had to remove one of these from one of my laptop users yesterday. Malwarebytes Anti-Malware seems to have cleaned it off the machine. Would be nice to have these detected before they install on a user's machine.

  • Hi,

    Yes, these are just visit hits, no clicking on the ad. As I said, I watched one kick off from the orange.co.uk home page just by visiting it.

    Yes, it's update 24 that's applied to the Java engine. It really is full of holes and about time they patched it more quickly. I guess the best common platform I've found so far is that all these are with IE v8, and MS have just released a patch for this yesterday/today, which seems plausible as what was being exploited to trigger the Java exploit. I hope it is the fix!

    I can say for sure that at the time of attack, Sophos did not detect the virus, as I moved the FakeAV folder to the root of the after finding it. A Sophos scan doesn't see it. Update Sophos and it then detects it. So these are always new exploits not detected at the point of attack by EPS 9.5, even by HIPS.

    I'll look at the browsercheck site, but I'm dubious of this kind of tool that requires adding an add-on to run a check. A quick VM sandbox test should give me some insight into exactly what it's testing, though.

    Matt

  • Yes, if the malware is using an exploit and referencing the API, then there may be no way Sophos could detect it based on HIPS behaviour (it will look like normal activity).

    We are patching IE8 today as well. Hopefully it is the fix.
