War Of The Rogues

2008.September.08

Analysis by: Derek Manky of Fortinet's FortiGuard Global Security Research Team

Rogue security applications have been around for some time, but recently we have seen a marked increase in activity. In the August 2008 edition of our malware roundup, we highlighted the top two pieces of malware for the period: both linked to rogue security applications. Collectively, these two rogue security applications dominated the threat landscape from late July through the end of August, 2008. Malware installing "AntiVirus XP 2008" eclipsed a single-day activity milestone we have not seen since February 2007 when the infamous Storm (Tibs) botnet emerged. Figures 1a/b below show activity for the two applications. This activity has been grouped for all variants of malicious code installing the aforementioned rogues. As you can see, sharp spikes of activity for both rogues tower over Netsky, which was the most active malware family for this period and has been used as a benchmark in these illustrations:


Figure 1a: Rogue security applications XP Security Center and AntiVirus XP 2008 benchmarked to Netsky


Figure 1b: XP Security Center in focus, benchmarked to Netsky

Malware variants installing the applications XP Security Center and AntiVirus XP collectively accounted for 15.0 percent and 17.9 percent, respectively, of total malware volume for the period stretching from late July to the end of August, 2008. According to Site Analytics from Compete, as of writing this report, the main domain associated with "XP Security Center" showed a monthly increase of unique site visitors from 27,405 in May to 132,438 in June 2008. Following this, unique activity increased to 239,775 in July 2008: an 81 percent increase from June. This sharp rise in growth clearly shows the effectiveness of their campaigns, which will be outlined below. These fraudulent security applications try to scare a user into thinking their machine is plagued with all types of malware, putting any information, especially private information, at serious risk. Of course, the pitch also offers to sell the user the solution to the problems found, which may or may not actually exist. If the machine is infected with malware, these applications do not help. In trying to protect themselves, the user hands the bad guys the keys to the farm. Of course, the end result winds up as most scams do: the bad guys walk away with credit card information and reap the profits, while the victims are left in the dust. Compete's July figure of 239,775 unique visitors applies to just one of ten domains registered to the same server hosting XP Security Center web content. Most of these unique visitors have arrived at the site through the aforementioned scare tactics, and are therefore more likely to purchase due to psychological commitment. Assuming a conservative rate of 10 percent of these visitors purchased the software at the base price of $49.95 USD, a monthly revenue of approximately $1.2 million USD can be deduced.

It should be kept in mind that while the main focus of such rogue security applications revolves around this business model, many of them are trojans that communicate remotely and may download malicious code that further heightens this issue. Scareware, fake alerts, call it what you like; the reality here is that this is becoming very big, very fast. There are many players becoming involved in this area. In last May's malware roundup, we wrote about Adware/Vapsup which did precisely this. We will now focus on the two main players that showed heavy activity throughout the period indicated in Figures 1a/b above: XP Security Center and AntiVirus XP 2008. Both of these fake security products profit through the same tactics, with XP Security Center focusing on AntiSpyware and Firewall security, while AntiVirus XP 2008 acts as an AntiVirus product. We will compare similarities and differences between these two, and explore some pieces of malware behind them.

XP Security Center

First off, we will look at some of the ways this rogue security application is making its way around. Then, we will look at the application itself and how it works. Various mass mail campaigns have been launched, using varying approaches. In one case an email would arrive in an end user's inbox purporting to be from the United Parcel Service (UPS). We detect this as HTML/Agent.HFZ. The first social engineering trick here is nothing new, yet it remains effective: leveraging a trusted, high profile name. The email goes on to claim that the user had sent a package which could not be delivered. As a result, they should print off a verification invoice and pick up the package themselves. Naturally, this is an effective social engineering trick as it piques curiosity and presents the idea of the user receiving an item of some value without having to shell out any cash up front (as the notorious 419 scam requires). Figure 2 below shows the email described:


Figure 2: HTML/Agent.HFZ with malicious W32/Agent.HFZ!tr attachment

The attachment in the email arrives as a ZIP archive containing an application. The tracking number in the subject header appears to be dynamic, whereas the postfix of the attachment (978172 in this case) does not. The second part of the social engineering scheme here is quite simple. The attached application uses the same icon as a Word document. So, an educated user who is afraid to open attached applications may be fooled into thinking that it is in fact a Word document. The reality is that the application is a launch pad for a trojan downloader and rootkit. Figure 3 below shows the attached malware, with the deceiving icon displayed to the user:


Figure 3: The attachment as it appears to an end user

Other campaigns used for XP Security Center included the same parcel trickery with FedEx, airline E-ticket attachments, and PayPal transaction documents. The observed PayPal transaction document e-mails were in German, and can be seen below in Figure 4:


Figure 4: W32/Agent.HJG!tr disguised as attached German PayPal transaction documents

Another campaign used yet another trick. This one was even more convincing, supplying login credentials related to the target's e-mail address. The email claimed that a significant amount of money had been charged to the user's credit card, and that the invoice was attached. Of course, this invoice was none other than another malicious variant of XP Security Center and its associated components. Figure 5 below shows this email:


Figure 5: Another social engineering trick, this time using airline tickets

As you can see, the campaigns are very similar: they all entice the user to open important documents, and disguise the attached application with the icon of a popular non-executable document type. Since these campaigns are recent, users should expect similar attacks in the near future. Always examine the extension of an attachment and do not rely on visuals. Any unsolicited emails should be ignored, or at the very least heavily scrutinized.

It should be noted that in this study, many variants of malicious code linked to XP Security Center were observed using the same trick. In Figure 3, the application is disguised as a Word document, but other icons were observed, including MS Excel, Adobe PDF, Windows Media, and a letter envelope similar to that of MS Outlook Express. The fact that such enticing email campaigns are being distributed in different regions, and localized (Figure 4 above), indicates the global and aggressive nature of the seeding for this application.
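The advice above is to judge an attachment by what it is rather than by the icon it shows. The following added example (not part of the original report) applies that check to a ZIP attachment: it ignores icons entirely and inspects the archive members for executable extensions, document-style double extensions, and the PE "MZ" magic bytes behind a document-looking name. The archive contents and file names are constructed for the example.

```python
"""Flag ZIP attachments that carry executables posing as documents.

Added example: the archive members, names and bytes below are constructed
to resemble the lures described in the report, not captured samples.
"""
import io
import zipfile

# Extensions Windows will execute directly, whatever icon is displayed.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Document extensions the lures imitate (Word, Excel, PDF, media, mail).
DOCUMENT_EXTENSIONS = {".doc", ".xls", ".pdf", ".wmv", ".eml", ".txt"}
PE_MAGIC = b"MZ"


def inspect_attachment(zip_bytes):
    """Return a list of (member_name, reasons) for suspicious archive members.

    A member is suspicious if its final extension is executable, if a
    document extension precedes an executable one (e.g. 'invoice.doc.exe'),
    or if its content starts with the PE magic although the name does not
    end in an executable extension.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1].lower()
            exts = ["." + part for part in name.split(".")[1:]]
            reasons = []
            if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension %s" % exts[-1])
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
                reasons.append("document-style double extension")
            with archive.open(info) as member:
                head = member.read(len(PE_MAGIC))
            if head == PE_MAGIC and not (exts and exts[-1] in EXECUTABLE_EXTENSIONS):
                reasons.append("PE header behind a non-executable name")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_archive():
    """Constructed archive resembling the lure: PE stubs named like documents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        # Constructed: PE-looking stub with a double extension and the
        # fixed numeric postfix noted in the report.
        archive.writestr("UPS_invoice_978172.doc.exe", PE_MAGIC + b"\x90" * 62)
        # Constructed: PE-looking stub renamed to pass as a PDF.
        archive.writestr("ticket.pdf", PE_MAGIC + b"\x00" * 62)
        # Constructed: a genuinely harmless text member.
        archive.writestr("readme.txt", b"tracking details enclosed\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in inspect_attachment(build_sample_archive()):
        print(member, "->", "; ".join(reasons))
```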

Now, let's have a more in-depth look at what happens if you actually run one of these applications. Once an attachment contained in these emails is run, the file "ntos.exe" is dropped and added to the registry to start on reboot. This is the spawning point for the rootkit, and it is executed on system reboot. Once the rootkit is active, it works by hooking into the System Service Descriptor Table at index 0xAD, which is the NtQuerySystemInformation call. The rootkit itself is located in the "System32/drivers" folder under the name "Beep.SYS". Figure 6 shows this:


Figure 6: The rootkit hooked into the SSDT

Part of the rootkit's job is to thwart detection and removal attempts. Tools such as Sysinternals' Autoruns show modified registry entries, which are commonly changed to launch malicious code on Windows startup. This rootkit will kill any process running with the name "autoruns.exe", as well as other popular tools such as HijackThis. Figure 7 below shows the list of such applications embedded (and not encrypted) inside the kernel driver:


Figure 7: Processes monitored and stomped on by the rootkit to avoid detection and removal

Once the rootkit has been dropped, the system will automatically reboot without any warning. This should immediately raise a red flag for users, prompting them to cease network activity and investigate further. After the system has rebooted, the malware will contact a remote server to download further components. The remote server is given some parameters through HTTP, and the server responds with an HTTP 302 response code, which is typical for redirections. The response contains what looks like an MD5 hash, referring the malware to another server. This second server is in fact a domain belonging to XP Security Center, and is where the main payload (installer) is downloaded. A file is dropped as part of the installation process (typically run as "buritos.exe" or "braviax.exe" in the System32 folder). This file is also added to the registry to be executed once the system restarts. Figure 8 below shows the download process highlighted in red, while Figure 9 below shows this executable in action, posing as an application in the taskbar:
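The download sequence above (a parameterised check-in, a 302 to a different host whose location carries an MD5-like token, then the payload and the BinariesX.zip archives from that host) leaves a recognisable trail in proxy logs. The following added example (not part of the original report) reconstructs that chain per client from a constructed tab-separated log; the hostnames, client addresses and token are made up for the example.

```python
"""Reconstruct the rogue download chain from proxy log lines.

Added example: the log format (client, method, url, status, location)
and every host, address and token in SAMPLE_LOG are constructed.
"""
import re
from urllib.parse import urlparse

# 32 hex characters that are not part of a longer hex run.
MD5_LIKE = re.compile(r"(?<![0-9a-f])[0-9a-f]{32}(?![0-9a-f])")
# The three archives fetched during the fake "extraction" step.
BINARIES_ZIP = re.compile(r"/Binaries[1-3]\.zip$", re.IGNORECASE)

SAMPLE_LOG = ["\t".join(fields) for fields in [
    # Constructed: check-in with parameters, answered by a 302 to another host.
    ("10.0.0.5", "GET", "http://checkin.example/report.php?id=1&v=2", "302",
     "http://secure-xpsc.example/0123456789abcdef0123456789abcdef"),
    ("10.0.0.5", "GET", "http://secure-xpsc.example/0123456789abcdef0123456789abcdef", "200", "-"),
    ("10.0.0.5", "GET", "http://secure-xpsc.example/Binaries1.zip", "200", "-"),
    ("10.0.0.5", "GET", "http://secure-xpsc.example/Binaries2.zip", "200", "-"),
    ("10.0.0.5", "GET", "http://secure-xpsc.example/Binaries3.zip", "200", "-"),
    # Constructed: an ordinary same-host redirect that must not be flagged.
    ("10.0.0.9", "GET", "http://www.example/", "302", "http://www.example/index.html"),
    ("10.0.0.9", "GET", "http://www.example/index.html", "200", "-"),
]]


def parse_line(line):
    """Split one constructed log line into a record dictionary."""
    client, method, url, status, location = line.rstrip("\n").split("\t")
    return {"client": client, "method": method, "url": url,
            "status": int(status), "location": None if location == "-" else location}


def find_rogue_download_chains(log_lines):
    """Return one finding per (client, payload host) where the full chain is seen.

    A chain opens on a 302 whose Location points at a different host and
    carries an MD5-like token; it is confirmed when the same client then
    fetches that token URL (the installer) from the new host. Any
    BinariesX.zip fetched from that host afterwards is recorded as well.
    """
    chains = {}
    for rec in map(parse_line, log_lines):
        client, src = rec["client"], urlparse(rec["url"])
        if rec["status"] == 302 and rec["location"]:
            dst = urlparse(rec["location"])
            if dst.hostname and dst.hostname != src.hostname and MD5_LIKE.search(dst.path):
                chains[(client, dst.hostname)] = {
                    "client": client, "staging_host": src.hostname,
                    "payload_host": dst.hostname, "payload_fetched": False, "binaries": []}
            continue
        chain = chains.get((client, src.hostname))
        if chain is None or rec["status"] != 200:
            continue
        if MD5_LIKE.search(src.path):
            chain["payload_fetched"] = True
        elif BINARIES_ZIP.search(src.path):
            chain["binaries"].append(src.path.rsplit("/", 1)[-1])
    return [chain for chain in chains.values() if chain["payload_fetched"]]


if __name__ == "__main__":
    for chain in find_rogue_download_chains(SAMPLE_LOG):
        print(chain)
```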


Figure 8: Downloading the XP Security Center payload, key sequences highlighted in red


Figure 9: XP Security Center generating fake alerts

Clicking on the taskbar icon will show a progress bar, claiming to be "extracting" the application. In fact, this is a front so that a dynamic, up-to-date fake application with definitions may be downloaded. This is where part of the sophistication for XP Security Center 2008 lies.

The "extraction" process contacts the second server (the XP Security Center affiliated domain) and downloads three files, all compressed ZIP archives named BinariesX.zip, where X ranges from 1 to 3. The first archive contains "XPSecurityCenter.exe", the main application GUI. The second archive contains various DLL components required to run the application, along with a Browser Helper Object (BHO). This BHO behaves in the same way as the one used with Adware/Vapsup, mentioned in our May 2008 malware report: it blocks the user, prompting them to click on a link to protect themselves or otherwise surf unprotected. Finally, the third archive contains a virus definition database. On inspection, the downloaded virus definition database turns out to be an up-to-date copy of the widely used ClamAV database. They most likely chose this because it is open source, so the database format can easily be read by a third party. This is clever, observed Fortinet security researcher Derek Manky, as it allows the black hats to maintain fake alerts using up-to-date, real world threat names.

The components are then installed as a system program under "XP Security Center". The program is then launched, and presents a real-time scan to the user. Once the scan is complete, a user can double click on any threat for detailed information. This looks very intricate, and further adds to the sophistication of such a fake product. Figure 10 below shows the result of a "scan":


Figure 10: The aftermath of a XP Security Center rogue scan

Once these fake alerts are generated, all removal and registration links bring the user to XP Security Center's website where they can purchase the "solution". Figure 11 below shows this site. The product purchase currently costs $49.95 and comes with other bogus add-ons such as live support:


Figure 11: The main index to XP Security Center, prompting the user to buy

This is the third and final step of the process. First, lure (see the social engineering tactic in Figure 2). Next, scare (the fake alerts shown in Figures 9/10). Finally, cash in (Figure 11's purpose). In addition to the professional presentation, solid grammar (uncommon for malware today), and the clever technique of using an open source database to provide real-time "scares", this rogue security application becomes even more sophisticated thanks to the rootkit that is used.

AntiVirus XP 2008

Let's now look in detail at the second rogue application in question, and how it behaves. There are many similarities between AntiVirus XP 2008 and XP Security Center. The most noticeable is the GUI design. The theme is centered around AntiVirus, but the fake scans look much the same. A virus definition file is downloaded for this fake product as well. However, this definition file arrives in an encrypted zip archive that the program itself extracts. When first launched, an executable "LOADER.XXXXXX.exe" is dropped and executed, where X consists of a series of random characters. Unlike XP Security Center, no rootkit is dropped and the system is not rebooted. The loader executable will contact a remote server, and eventually download the main payload. This is the installer, and it is executed automatically. Once executed, a disclaimer (to which the user can only agree) is displayed, as seen in Figure 12 below:


Figure 12: A one-sided disclaimer

Once this button is clicked, the application is installed and added to the registry to start on reboot. It is then launched, and a taskbar icon very similar to that of XP Security Center appears, generating fake alerts. The program is installed under "Program Files" using a garbled name, along with the encrypted virus definitions. It should be mentioned that a Browser Helper Object (BHO) is also installed with this application, much the same as with XP Security Center. Again, the behaviour of this BHO is the same as in Adware/Vapsup, discussed in our May 2008 malware roundup. The only difference is that the links presented by the BHO take you to the affiliated product installed. This shows how easily code is recycled, and can be sold between malicious developers and various criminal organizations. Once installed, a very similar taskbar icon is used with an alert message, as seen in Figure 13 below:


Figure 13: AntiVirus XP 2008 sits in the taskbar

Unlike XP Security Center, there is no "extraction" process. Clicking on the icon directly brings you to the main GUI of the rogue security application. This GUI appears very similar to XP Security Center. When prompted for removal, or if a user clicks on remove viruses, a demo mode notice window appears. Figure 14 below shows the main GUI, along with the demo mode notice window in Figure 15:


Figure 14: Fake viruses found by AntiVirus XP 2008


Figure 15: The demo mode notice, a further scare tactic

As if this isn't enough, the desktop wallpaper is also hijacked to display a large fake alert as shown in Figure 16 below:


Figure 16: The desktop wallpaper is hijacked with this image

Clicking on either of the links shown in Figure 14 (to remove viruses or get real-time protection) or Figure 15 (switch to the full mode) brings the user to the AntiVirus XP 2008 web page to buy their "solution". Figure 17 below shows this web page:


Figure 17: AntiVirus XP 2008 for sale at a high price

Now that we have explored the look of the applications and the function of their associated malware, how is AntiVirus XP 2008 making its way around? This rogue security application is currently being used in another campaign, using a different approach. This campaign starts through an email with a link to a server hosting an SWF (Flash) file, offering the user a free update to XP or Vista. The initial email is shown in Figure 18 below:


Figure 18: AntiVirus XP 2008 spam campaign

When following the link to the SWF file, the user will be redirected to another server where the AntiVirus XP 2008 installer previously discussed is downloaded. Figure 19 shows the Flash redirect and subsequent download:


Figure 19: The AntiVirus XP 2008 installation payload

Summary

The tactics between these two applications remain the same: scare the user, offer the solution, and reap the profits. The increasing prevalence and aggressive nature of the seeding campaigns for these two rogue security products clearly indicate a rising trend in a new area of scams. The move the black hats have made in the arms race is simple: masquerade as the white hats. Users should be aware of this type of scam, and only install trusted threat mitigation solutions. If an unsolicited pop up occurs when a user has not installed such a solution, claiming that a system is infected, a red flag should be raised.

While the tactics and revenue process remain the same, the seeding campaigns differ. As seen in Figure 1, AntiVirus XP 2008 took a much more aggressive approach on a single day. It is also currently known to have affiliated websites serving drive-by downloads, leveraging exploits to install their "product" on end users' machines without interaction. XP Security Center leveraged trusted, high profile names, and executables posing as important documents. This may be more effective since the tactic is aimed at a broad audience: both individual end users and corporations and their employees.

XP Security Center 2008 seems to be the more sophisticated of the two: an efficient social engineering tactic, a more elegant GUI/website, and integrated components such as the rootkit discussed. On the other hand, AntiVirus XP 2008 currently seems to be a bit more aggressive in its activity and by other means, such as hijacking the desktop wallpaper. The two products use different payment services for credit card transactions, and different servers. AntiVirus XP 2008 currently has a higher price point at $59.95. For these reasons, it may be suggested that different organizations are behind these rogue security applications. Is this a copycat war between the two? Will there be attempts to remove other rogue security applications that may be stealing their market share?

With all of this in mind, several things are clear. Neither of these, nor other rogue security applications, will be going away any time soon, because they have become a new tool for the black hats in today's threat landscape. We can expect increased activity, as heavy volume was indicated towards the end of this report period. Regardless of the tactics and the differences between these two, the people behind this are making money. Lots of money. Not only does this pose a threat from a fraud standpoint, these are trojans with the capability to remotely download further pieces of malware. Anything can happen, at any time.

To defend against these attacks, users should be aware of them. A layered security approach is recommended to help block threats through all vectors: anti-spam, anti-virus, intrusion detection, and web filtering. All software, especially browsers and operating systems, should be up to date with the latest patches. If an infection is suspected, the machine in question should be quarantined from network activity until the issue is investigated and, if necessary, resolved.

Solutions

Customers who use Fortinet’s FortiGuard Subscription Services should already be protected against the threats outlined in this report. Threat activity is compiled by Fortinet's FortiGuard Global Security Research Team using data gathered from its intelligence systems and FortiGate™ multi-threat security appliances in production worldwide. FortiGuard Subscription Services offer comprehensive security solutions including antivirus, intrusion prevention, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products.



Disclaimer:

Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Fortinet. Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing.

About Fortinet ( www.fortinet.com ):

Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection, including firewall, antivirus, intrusion prevention, VPN, spyware prevention and anti-spam, designed to help customers protect against network and content level threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified in six programs by ICSA Labs (Firewall, Antivirus, IPSec, SSL, Network IPS, and Anti-Spyware). Fortinet is privately held and based in Sunnyvale, California.