Beware of rogue security software: fake AVG

February 1, 2011 by admin  
Filed under Security News

We have noticed rogue antivirus software that pretends to be AVG Anti-Virus 2011. As usual, social engineering is in use: well-known names (AVG, Microsoft Security Essentials) and the designs of trusted applications are present in order to increase credibility.

Fake System Tools Spread to Japan

January 27, 2011 by admin  
Filed under Security News

Late last year, we talked about how fake system diagnostic tools were becoming the next step in the evolution of FAKEAV malware. These variants started to affect Japanese users as well.

Fake system diagnostic tools such as this variant named System Defragmenter were first discovered in October 2010. These tools very frequently change their names. At present, we are aware of at least 30 different names/aliases that these tools use. Cybercriminals may believe that changing their products’ names makes detecting and removing these much more difficult.

None of this should be taken to mean that conventional fake antivirus attacks have gone away, however. Last week, a very high-profile attack involving a rogue antivirus detected by Trend Micro as TROJ_FAKEAV.SMTV hit Twitter. Many users fell prey to this when they clicked links that used the goo.gl URL shortener to lead to this FAKEAV variant’s download.

Attacks involving fake diagnostic tools are similar to traditional FAKEAV attacks. A fake tool appears to function like a real system diagnostic tool, though its supposed diagnostic functions never work. Once a user’s PC is infected by such a tool, it repeatedly displays fake warnings saying that the system is suffering from hard disk problems.

Inexperienced users may worry and panic over these problems. They may end up paying for additional “tools” and giving cybercriminals their personal information such as email addresses and credit card numbers. Like FAKEAV, these fake diagnosis tools will cause many problems for users.

Infection Vectors

Fake diagnostic tools may arrive via several different infection vectors:

  • Users visit malicious sites and manually download and install malicious files.
  • Users visit malicious sites that are riddled with exploits, which silently install malicious files in the background.

The tactics cybercriminals use to distribute fake diagnostic tools are broadly similar to those used for FAKEAV malware. Cybercriminals may lead users to their own sites by using black hat search engine optimization (SEO) poisoning, or to compromised legitimate sites. In cases where these fake tools are installed without the users’ knowledge, users may think the fake tools are actually legitimate programs, allowing the attacks to succeed.

System Defragmenter is detected as TROJ_FAKEAL.GG. While the sites that distributed it are now inaccessible, similar attacks continue to be launched, albeit using constantly changing names and sites. Understanding how these attacks are conducted will help users avoid becoming their victims.

Its installer uses the same icon as Windows Update.

Fourteen minutes after the tool is installed, it displays a fake alert in the user’s notification area.

Here are some of the other names the fake diagnostic tools use:

  • Check Disk
  • Defragmenter
  • Disk Doctor
  • Disk Optimizer
  • Disk Repair
  • DiskOK
  • EasyScan
  • FastDisk
  • GoodMemory
  • Hard Drive Diagnostic
  • HDDControl
  • HDDDefragmenter
  • HDDDiagnostic
  • HDDFix
  • HDDHelp
  • HDDPlus
  • HDDLow
  • HDDRecovery
  • HDDRepair
  • HDDRescue
  • HDDTools
  • MemoryFixer
  • MyDisk
  • QuickDefrag
  • Scan Disk
  • Scanner
  • Smart HDD
  • Support Tool 2011
  • System Degragmenter
  • Ultra Defragger
  • Win Defrag
  • Win Defragmenter
  • Win Scanner

Solutions and Workarounds

Trend Micro free tools can clean systems that have been affected by System Defragmenter. However, users first have to work around one of this malware’s behaviors: it monitors the execution of applications, so that some security tools such as HijackThis, as well as executables in the C:\Windows and C:\Program Files folders, will not run and instead display the following:

[screenshot]

Users will have to terminate the malware process first. The procedure starts by determining the file name the malware uses. To do this, follow these steps:

  1. Right-click the shortcut (System Defragmenter) on the desktop and select Properties.
  2. Check and note the file name, which is usually made up of random characters. In the following screenshot, the file name used was 1181500.exe.

[screenshot]
After taking note of the file name, open Task Manager by pressing Ctrl+Alt+Delete and use it to terminate the fake tool’s process.

Using HijackThis, take note of any or all of the registry entries that the malware added. HijackThis can then remove these entries to stop the malware from running whenever the system starts. (The suspicious entries have been enclosed in a red box.)

[screenshot]
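The three manual steps above (read the executable name from the desktop shortcut, end its process, find the autostart entries that point at it) can be scripted. The following PowerShell is an added example, not a tool from the Trend Micro post; the shortcut name System Defragmenter.lnk is an assumption, and the script only previews registry deletions with -WhatIf.

```powershell
# Added example (not from the Trend Micro post). Automates the manual steps above:
# resolve the desktop shortcut to the randomly named executable, end its process,
# and list the Run/RunOnce entries that reference it. The shortcut name is assumed.
param(
    [string]$ShortcutName = 'System Defragmenter.lnk'
)

# Step 1: read the shortcut's target (what the "Properties" dialog in the post shows).
$lnkPath = Join-Path ([Environment]::GetFolderPath('Desktop')) $ShortcutName
if (-not (Test-Path $lnkPath)) { throw "Shortcut not found: $lnkPath" }
$target  = (New-Object -ComObject WScript.Shell).CreateShortcut($lnkPath).TargetPath
$exeName = [System.IO.Path]::GetFileNameWithoutExtension($target)
Write-Host "Rogue tool executable: $target"

# Step 2: terminate it (the Task Manager step in the post).
Get-Process -Name $exeName -ErrorAction SilentlyContinue | Stop-Process -Force

# Step 3: find autostart values that reference the file (what HijackThis would list).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($v in $values.PSObject.Properties) {
        if ($v.Name -like 'PS*') { continue }        # provider metadata, not a Run value
        if ("$($v.Value)" -like "*$exeName*") {
            Write-Host "Autostart entry: $key\$($v.Name) = $($v.Value)"
            # -WhatIf previews the deletion; drop it once the entry has been reviewed.
            Remove-ItemProperty -Path $key -Name $v.Name -WhatIf
        }
    }
}
```

Because the post notes that the malware blocks executables under C:\Windows while it is running, PowerShell itself may not start until the rogue process has been ended manually or the system has been booted into Safe Mode.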

 

 

Source: http://blog.trendmicro.com


Google ‘malware’ sponsored advert delivers fake anti-virus

July 15, 2010 by admin  
Filed under Security News

“Be careful what you ask for – you might get it.”

That’s the thought running through my head today after I searched for the word “malware” on Google.

As you’ll see in the following short YouTube video I made, a sponsored link right at the top of the Google search results points to a fake anti-virus website posing as a legitimate security company:

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

If you download the fake anti-virus program promoted on the website you risk infection by malware identified by Sophos as Troj/FakeAV-AOV.

Danger! Fake $50 iTunes certificate carries malware

May 10, 2010 by admin  
Filed under Security News

Amid all the usual attacks posing as delivery notices from DHL and FedEx this morning, I spotted some malware that had been spammed out posing as an Apple iTunes certificate for $50.

The emails read as follows:

Subject: Thank you for buying iTunes Gift Certificate!
From: "iTunes Online Store" <software@itunes.com>
Attached file: iTunes_certificate_997.zip

Hello!

You have received an iTunes Gift Certificate in the amount of $50.00
You can find your certificate code in attachment below.

Then you need to open iTunes. Once you verify your account, $50.00 will be credited to your account, so you can start buying music, games, video right away.

iTunes Store.

Running the attached malware can infect Windows computers. Clearly the hackers are hoping that, in your excitement about receiving a $50 iTunes gift certificate, you will throw caution to the wind and open the attachment.

Sophos detects the malware, contained inside a ZIP file, as Troj/BredoZp-AM and Mal/FakeAV-BW.

By Graham Cluley, Sophos

Removal tool for Mal/FakeAV-BW, Generic FakeAlert!hr, Packed.Win32.Krap.an (winupdate.exe, exec.exe, ppal.exe, MSe5ad.exe) Malware

May 9, 2010 by admin  
Filed under Removal Tips, Tools and Videos

Scareware hackers exploit McAfee false positive problem

April 23, 2010 by admin  
Filed under Security News

Hackers are exploiting a problem with McAfee’s anti-virus product that has caused hundreds of thousands of computers around the world to repeatedly reboot themselves.

The New York Times (and many other news outlets) have reported on the problems businesses suffered after a detection update issued by McAfee yesterday caused its anti-virus product to mistakenly detect a harmless Windows file, svchost.exe, as “W32/Wecorl.a” and caused computers to become inoperable.

To its credit, McAfee is discussing the problem on its online community forum, has apologised, withdrawn the buggy update, and advised customers on how to manually fix the affected computers.

But what might be making McAfee’s job of getting reliable information about the false positive problem out to the masses that much harder is that malicious hackers are exploiting the situation.

By using blackhat SEO techniques, cybercriminals have managed to get poisoned webpages high in the search rankings if you hunt for information on the McAfee false positive.

If you click on a dangerous link like this, you risk your computer being hit by a fake anti-virus attack (also known as scareware), which may attempt to con you out of your credit card details or trick you into installing malicious code on your computer.

Sophos detects the malware proactively as Mal/FakeAV-BW.

That’s the last thing you want to happen if you’re searching for advice on how to fix a problem with the other computers in your company.

And it’s not just McAfee’s false alarm problem that these hackers are exploiting. Looking a little deeper at the poisoned domains allows us to view a cache of hundreds of other pages that this gang has created around a wide range of topics.

Be careful out there, folks.

* Image source: peasap’s Flickr photostream (Creative Commons)

By Graham Cluley, Sophos


“Please attention!” fake DHL delivery emails contain malware

April 21, 2010 by admin  
Filed under Security News

It’s another day, which means (almost inevitably) there’s another malicious email campaign carrying a fake anti-virus attack.

Once again the bad guys are packaging their attack in an email which claims to come from DHL Delivery Services.

A typical email, which has the subject line “Please attention!”, reads as follows:

Dear customer!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly.

Please attention!
The shipping label is attached to this e-mail.
Print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
DHL Delivery Services.

Attached to the email is a file called label.zip, which Sophos detects as Troj/FakeAV-BEG. Even though there is some peculiar wording (and spelling) in the email it’s possible that some unwary users might fall into the hacker’s trap, and open the malicious attachment.

We are seeing many reports of this attack in our global network of traps right now.

If you receive one of these emails, don’t open the attached file, as you could be putting your computer at risk of infection and allowing hackers to compromise your PC.

By Graham Cluley, Sophos


Account notification email warning? Don’t follow the instructions

April 7, 2010 by admin  
Filed under Security News

If you’re returning to an overflowing inbox after the Easter holiday weekend, make sure that you don’t fall for the latest scam being distributed widely by spammers.

Emails claiming that recipients’ accounts have been temporarily suspended are being seen around the world today, attempting to trick users into believing that their email account has been accessed by somebody else.

The spammed-out emails try to hoodwink users into running the attached file (Instructions.zip) which is, predictably, carrying a malicious payload.

Dear Customer,

This e-mail was send by example.com to notify you that we have temporanly prevented access to your account.

We have reasons to beleive that your account may have been accessed by someone else. Please run attached file and Follow instructions

(C) example.com

In an attempt to make the email more convincing, the attackers reference the domain name (for instance, example.com) used by the recipients’ email account in the emails they are spamming out.

Sophos detects the malicious attachment proactively as Mal/FakeAV-BT and Mal/BredoZp-B, but users of security products from other vendors would be wise to ensure that they are properly updated and protected.

The hackers are once again using a tried-and-trusted social engineering trick (in this case trying to fool you into believing that your account has been compromised) to lure you into the serious mistake of opening the attached file.

Wiser computer users should have learnt by now that you should always be extremely suspicious of unsolicited attachments.

By Graham Cluley, Sophos
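The three email lures quoted above (the iTunes certificate, the DHL parcel and the account suspension) share one shape: a ZIP attachment plus urgent wording telling the recipient to open it. The following Python triage rule is an added example, not code from the Sophos posts; the sample message, its sender address and the attachment bytes are constructed here.

```python
from email import message_from_string
import re

# Lure phrases quoted in the three posts above (iTunes, DHL, account suspension).
LURE_PATTERNS = [
    re.compile(r"gift certificate", re.I),
    re.compile(r"not able to deliver your parcel", re.I),
    re.compile(r"prevented access to your account", re.I),
    re.compile(r"run attached file", re.I),
]

def message_text(msg):
    """Subject plus every text/plain body part, decoded, as one string."""
    text = msg.get("Subject", "")
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            text += "\n" + part.get_payload(decode=True).decode("utf-8", "replace")
    return text

def triage(raw):
    """Flag a raw RFC 822 message that pairs a ZIP attachment with lure wording.
    Returns the archive names, the matched lure patterns and a verdict."""
    msg = message_from_string(raw)
    archives = [p.get_filename() for p in msg.walk()
                if p.get_filename() and p.get_filename().lower().endswith(".zip")]
    hits = [p.pattern for p in LURE_PATTERNS if p.search(message_text(msg))]
    return {"archives": archives, "lures": hits,
            "suspicious": bool(archives) and bool(hits)}

# Constructed sample modelled on the DHL lure; the base64 body is a placeholder, not a real archive.
SAMPLE_DHL = """\
From: DHL Delivery Services <noreply@example.invalid>
Subject: Please attention!
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

The courier company was not able to deliver your parcel by your address.
The shipping label is attached to this e-mail.
--b1
Content-Type: application/zip; name="label.zip"
Content-Disposition: attachment; filename="label.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""
```

Calling `triage(SAMPLE_DHL)` returns the attachment name and the matched lure, with `suspicious` set; a plain text-only message returns an empty result.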

 


Related Blogs

    Removal tool for Mal/FakeAV-CO, Downloader-CEW (Vvavia.exe, Vdl.exe, Vdk.exe, Vdj.exe) Malware

    March 26, 2010 by admin  
    Filed under Removal Tips,Tools and Videos

    Submitted by Diego

    Removal tool for Suspect-1B!E4800A5BF6F6, Mal/FakeAV-BW (ave.exe) Malware

    March 18, 2010 by admin  
    Filed under Removal Tips,Tools and Videos
