eWeek Security Watch
Advertisement
Advertisement
September 21, 2009 5:37 PM

New Fake AV Threats on the Prowl



Security researchers with software maker Sophos are following the trail of some new variations on the time-honored theme of phony AV programs that seek to infect end users' devices.

First off, Sophos experts noted in a recent blog post that they've uncovered a new malicious adware scanner that attempts to carry out JavaScript drive-by attacks on the people sucked into visiting its distribution sites, and to load a Trojan onto their computers.

Like many variants before it, the "AntiAdware Online Scanner" displays phony results on affected machines and then tries to convince users to download additional security software programs to clean up their devices. Those who fall for the ploy are instead hit with a Trojan dubbed Troj.FakeAV-ABD, the experts reported.

The involved Web site is also able to change its interface and the language it appears in depending on visitors' IP addresses.

While in most ways the fake scanner employs many similar elements of previous phony AV programs, its' combination of techniques marks it as a new variation on the theme, such as in the dynamic manner it presents itself, Sophos researchers noted.

In another research note, Sophos researchers highlighted their discovery of another fake AV Trojan that also attempts to download a packet sniffer "Troj/Sniffer-R" onto affected users' devices. The sniffer is designed to steal users' login credentials to allow them to break into FTP systems.

In carrying out its efforts, the Trojan initially sets up a socket to receive all incoming and outgoing packets and sits in a loop, waiting for packets with a source or destination port of 21, the FTP control port number, Sophos said.

The sniffer can then capture the host name, user name and password for any outgoing FTP connections, and even checks to ensure that the username and password combinations it finds are valid by parsing incoming traffic for the login success status code, Sophos research Mike Wood reported in a blog post.

Only the credentials which work properly are then reported on to a remote server which is connected to to a domain associated with rogue security software.

The attack highlights the manner that phony security program threats continue to evolve, Wood observed.

"The pushers of Fake AV are constantly on the run, and stolen FTP credentials are just one of the tactics used by this wily group of miscreants," Wood said. "The authors are registering new domains and shifting existing domains to new IP ranges on a daily basis, frequently changing the location where their scareware is hosted thereby avoiding network blacklists for a short time."

The involved attackers are also "stuffing" their Web pages with bogus keywords on hot topics to lure search-engine users.

"As highlighted by the malicious advertisements streamed via the NYTimes, there is much to be gained from the exposure on legitimate sites," Wood said. "First off, the malware author achieves both the new hosting location and search engine traffic by leeching off the existing reputation and user-base of the legitimate site."

"Secondly, not only is the entire user-base of the Web site exposed to any embedded malicious links, the users are likely less skeptical while browsing a site they already trust and perhaps more vulnerable to fall victim to the phony scareware warnings."

The expert also noted that stolen FTP credentials are being used to subvert larger numbers of sites, as in the Gumblar SQL injection campaign.

The activity makes it all that much more important that site admins keep their servers patched and secured up to date.

All of this just serves as more reason only to trust security providers whom you know.

Follow eWeek Security Watch on Twitter at: eWeekSecWatch.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.

Posted by Matthew Hines on September 21, 2009 5:37 PM

| Comments (2) | del.icio.us | digg.com | Trackback | Post a Comment
TrackBack

TrackBack

http://securitywatch.eweek.com/cgi-bin/mte/mt-tb.cgi/17922

Comments (2)

Carl Barrows :

Be VERY wary of Antivirus System PRO from "Magic Software", Inc. When I had the misfortune of going to an infected site, the fake AV plugin software installed itself and started creating havoc on my laptop by opening up all kinds of security windows and taking over IE 8.0. The above URL is the default site that the fake AV set IE to for the new homepage to purchase the "activated" software to block the windows. The fake AV claimed to find trojan horses on my system but actually installed a trojan.fake.AV trojan virus. This is by far the nastiest trojan I've been infected by. And it's very hard to get rid of, even with three different real AV and anti-spyware programs on the system!

Posted by Carl Barrows | November 20, 2009 9:21 PM

Dave Bruce :

After recently installing Win7 on my PC as an optional boot along with my exiting XPPro install, I got Zapped by this Trojan.FakeAV virus on the Win 7 side of my system.
My Norton Internet Security 2010 detected it and removed it approximately 20 times by now. It is still residing on the PC and I can't get rid if it. It has been redirecting me to various sites, plays music and advertisements in the background with IE (I use Firefox and Chrome). I'm looking for fixes from various tech sites as I search this out. I'm am having to use my Win XP side of my PC to do this. I repair PC's and have removed many of these types of Trojans and Hijackers from my customer's PCs. Now that i am infected, I discover that THIS one is a very nasty one and anyone that gets this is in for a challenge.

Posted by Dave Bruce | November 25, 2009 12:18 PM

Post a Comment

 
 
RSS Syndication

Security News

Advertisement

TLD regulation

Adware

Android

Apple

Applications Whitelisting

AV tools

Backdoor

BlackBerry

Blacklisting

Blended attack

Botnet CnCs

Botnets

Browsers

CAG

China

Cisco

click fraud

Cloud computing

Conficker

Corporate espionage

Cyber-war

Data Breach

Data Security

Data securityAdd category

Database security

DDoS

Disaster Planning

domain registration abuse

e-banking fraud

eBay

Enterprise security strategy

Ethical hacking

Exploits and Attacks

Facebook

File-sharing

Flaws

Google

Government standards

Hactivism

ID theft

Identity fraud

Identity Theft

iframe

Illegal pharmacies

Industry events

Infrastructure security

Internet regulation

Intrusion Detection/Prevention

iPhone

ISPs

Java

MAAWG

Malware

Malware toolkits

Mergers and Acquisitions

Messaging security

Microsoft

Microsoft Windows

Mobile malware

multimedia

NIST

Online malware

Open Source

Oracle

Patches

Phishing and Fraud

PowerPoint

Privacy

Product Reviews

Products

Regulation

Risk Management

Rogue AV

Rootkits

RSA Security Conference

Russia

SaaS

SCADA

Search

SEO

SEO poisoning

Smartphone security

Social engineering

Social networking

Spam

SQL injection

Trojan attacks

Twitter

video games

Virus and Spyware

Vulnerability Research

Web 2.0

Windows 7

YouTube

Advertisement
Security Watch     Contact Us | Advertise | Site Map
eWEEK Quick LInks

Security:
Enterprise Security
Network Security
Infrastructure Security
How To: Data
IT Security News
Cheap Hack Blog
Security Watch Blog
Storage:
Data Storage
Cloud Storage
Storage Virtualization
Network Access Storage
Storage Reviews
Data Storage News
How To: Storage
Storage Station Blog
Computing:
Apple OSX
Linux Systems
Windows Vista
Managed Print Services
Cloud Computing
PC Reviews
Microsoft Watch Blog
Apple Watch Blog
Google Watch Blog
Communications:
VoIP Solutions
Wireless Technology
Messaging Software
Web Services
Mobile Applications
Wireless News
Mobile Reviews
Apps & Development:
Application Development
SAAS
Search Engines
Database Software
Web 2.0
IT Project Management
Emerging Tech Blog
CIO Insight Blogs
CIOs

Vertical Markets:
Federal Government IT
Health Care IT
Finance IT
Mid-Market
Channel Partners
Careers Blog
Value Added Resellers
More eWeek Links:
Tech Knowledge Center
Tech Newsletters
Tech RSS Feeds
White Papers
Tech Podcasts
Tech Videos
Green IT
eWeek Magazine Subscriptions
Enterprise Websites:
ZDE Home
Baseline
Channel Insider
CIO Insight
eSeminars
eWeek Mid-Market
Publish Online
Web Buyers Guide
Developer Websites:
Dev Shed
DeveloperShed
ASP Free
MS DevSource
SEO Chat
Codewalkers
Tutorialized
Scripts.com
Dev Mechanic
Dev Articles
Web Hosters
Dev Hardware
Technology Websites:
Device Forge
Desktop Linux
Linux Devices
Windows for Devices
iGrep Search Engine
PDF Zone
Linux Watch

Use of this site is governed by our Terms of Use and Privacy Policy
Copyright ©1996-2008 Ziff Davis Enterprise Holdings Inc. All Rights Reserved. eWEEK and Spencer F. Katt, and eWeek Security Watch are trademarks of Ziff Davis Enterprise Holdings, Inc. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise Inc. is prohibited.
eWeek is your best source for the latest Technology News.
Hosted by Hostway.

Ziff Davis Enterprise