The old dogs are still in learning mode

Norman Security Blog wrote a good article about Fake AVs and their new variants and how to protect ourselves, Credit to my friend, Pondus, for sharing this:


Fake antimalware has become a profitable industry for the cybercriminals. New variants appear on a daily basis, and new techniques for tricking the users are fine-tuned.

A few weeks ago we wrote in our security article – Cybercriminals focus on new targets – about fake antimalware for Apple’s Mac OS X operating system. In its security update 2011-003 for Mac OS X, available 31 May, Apple considerably enhanced its protection against malware. This includes the ability to automatically download new malware signatures, similar to the functionality found in standard antimalware tools. This signifies that Apple now regards its Mac OS X platform as a serious target for cybercriminals.

In one of our security articles last autumn, we showed that the cybercriminals had started to use a new technique. This included infecting web sites and presenting the visitors with a fake warning customized to the users’ browser. See the article Old dogs learn new tricks for more details.

Another variant

A while ago, another variant emerged. This one combines the traditional fake antimalware infection technique (displaying a fake malware scan showing infections) with the technique used in our abovementioned security article (customized web page).

So it is fair to say that this article’s title about the old dogs’ learning ability is relevant.

Here is one example of a fake scanning window displayed through Firefox:

Clicking the recommended Start Protection button will start installing the malicious software.

The real warning page from Mozilla’s Firefox looks like this:

As you can see, the warning from Mozilla does not have any option to install any type of protection software. This is the standard behavior for all browsers.

One might expect another variant of the fake warning window to appear at a later point in time. This could be identical to the real Firefox warning, except that both of the available buttons would start the installation of malware. Why the cybercriminals have not introduced this variant yet is a matter of speculation. Perhaps displaying fake scanning results has simply proven successful enough?

One of the clever tricks that this social engineering technique uses is that the web site (usually an infected site) that displays the message checks which browser is visiting the site, and displays a warning message similar to that browser’s real warning.

Protection mechanisms

In order to protect yourself against this type of threat, you should not rely on specific rules. You should rather try to get into the correct mind-set. This will enable you to detect the attempts to use various social engineering techniques to trick you into performing actions that may harm you and your computer.

We repeat our recommendations from our article 10 September last year:

Ask yourself some control questions:
Is this the way the vendors of web browsers inform their users that security updates are available?
Generalization: Beware of unusual behavior!

Would big software vendors link to a third party web site for product downloads/purchases?
Generalization: If possible, check the URL in your browser! Does it comply with the web site the link suggested?

Does anything seem strange? (Are there e.g. spelling mistakes or strange wordings, which may imply that professional software vendors are not involved?)
Generalization: Watch out for unprofessionalism!
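The second control question, whether the URL in the address bar actually belongs to the vendor the page claims to be, is mechanical enough to automate. The following is an added example, not part of the Norman article or of this blog: it refangs defanged notation such as the “(dot)” used in this post, rejects raw IP-address hosts, reduces the host to a registrable domain, and compares that with the vendor domain the link suggested, flagging look-alike names that merely contain the vendor’s name. The vendor allow-list and the sample links are constructed for the example, and the registrable-domain logic is a deliberate simplification of the Public Suffix List.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed for this example: domains a real browser or AV vendor would
# actually send you to. Extend to match your own environment.
TRUSTED_VENDOR_DOMAINS = {"mozilla.org", "microsoft.com", "apple.com", "virustotal.com"}

# A handful of two-label public suffixes; a simplification of the Public
# Suffix List, which is what a production check should consult.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}


def refang(text):
    """Turn defanged notation such as example(dot)com or hxxp:// back into a URL."""
    text = re.sub(r"\((?:dot|\.)\)|\[(?:dot|\.)\]", ".", text, flags=re.I)
    return re.sub(r"^hxxp", "http", text, flags=re.I)


def hostname_of(url):
    """Extract the lower-cased hostname, tolerating a missing scheme."""
    url = refang(url.strip())
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_ip_literal(host):
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host):
    """Reduce www.download.example.co.uk to example.co.uk (simplified PSL logic)."""
    labels = host.split(".")
    if len(labels) < 2 or is_ip_literal(host):
        return host
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_link(claimed_vendor_domain, actual_url):
    """Compare the vendor a page claims to be with where its link really goes.

    Returns (verdict, reason) where verdict is "ok", "suspicious" or "mismatch".
    """
    host = hostname_of(actual_url)
    if not host:
        return "suspicious", "link has no hostname"
    if is_ip_literal(host):
        return "suspicious", f"raw IP address {host} instead of a vendor domain"
    actual = registrable_domain(host)
    claimed = registrable_domain(hostname_of(claimed_vendor_domain))
    if actual == claimed:
        return "ok", f"{host} belongs to {claimed}"
    vendor_name = claimed.split(".")[0]
    if vendor_name in actual:
        return "suspicious", f"{actual} only contains the vendor name '{vendor_name}' (look-alike domain)"
    return "mismatch", f"link goes to {actual}, not {claimed}"


def triage(links):
    """Assess a batch of (claimed vendor, actual URL) pairs; returns verdicts only."""
    return [assess_link(claimed, url)[0] for claimed, url in links]


if __name__ == "__main__":
    # Constructed sample links; the second mirrors the domain style quoted in this post.
    samples = [
        ("mozilla.org", "https://www.mozilla.org/firefox/"),
        ("microsoft.com", "http://microsoftwindowssecurity152(dot)com/scan"),
        ("apple.com", "http://192.0.2.10/update.exe"),
        ("mozilla.org", "http://download.example.co.uk/"),
    ]
    for claimed, url in samples:
        verdict, reason = assess_link(claimed, url)
        print(f"{verdict:10} {url:50} {reason}")
```

Only the “ok” verdict should ever be followed by a download; “suspicious” covers the two patterns this post describes (a vendor-flavoured look-alike domain and a bare IP address), and “mismatch” is a link that simply points somewhere else.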

Fake Trojan Removal Kit serves up ThinkPoint Rogue

You might want to steer clear of the following fake security program, being promoted as a “Windows Trojan Removal Kit” but actually hijacking your PC in the form of the ThinkPoint rogue with a mixed (24/43) detection rate.


The file is currently being offered up by your typical “fake security scan” pages, such as microsoftwindowssecurity152(dot)com. Those familiar with this particular rogue will be aware that it tends to stick with domains similar to the one above.


Installing the executable can potentially give you a bit of a headache, with what would appear to the average user to be fake “Blue Screens of Death” and payment nag screens. See here for details on how to get around the supposedly locked up desktop, and check here for some of the many variations on this theme.

Can you really see who viewed your Facebook profile? Rogue application spreads virally

SophosLabs: Once again, a rogue application is spreading virally between Facebook users pretending to offer you a way of seeing who has viewed your profile.

As we’ve described a couple of times before, plenty of Facebook users would *love* to know who has been checking them out online... but unfortunately scammers are aware of this, and use the lure of such functionality as a way to trick you into making bad decisions.

Messages spreading rapidly across the Facebook social network right now say:

OMG OMG OMG... I cant believe this actually works! Now you really can see who viewed your profile! on [LINK]


If you’re tempted to click on the link you’re taken to a webpage which encourages you to go a little deeper and permit an application to have access to your Facebook profile.



But do you really want complete strangers to be able to email you, access your personal data and even post messages to any Facebook pages you may administer?

If you’ve got this far then you really shouldn’t go any further. Scams like this have been used to earn commission for the mischief makers behind them, who have no qualms about using your Facebook profile to spread their spammy links even further.

Because if you do continue, you’ll find that your profile will be yet another victim of the viral scam – spreading the message to all of your online Facebook friends and family. And no, you don’t ever find out who has been viewing your profile.


Ever wondered how many people fall for a scam like this? Well, the figures can be shocking. This current campaign is using a variety of different links – but via we can see that at least one of them has already tricked nearly 60,000 people into clicking.


I’ve informed the security teams at both and Facebook about these links, and requested that they be shut down as soon as possible.

Always think before you add an unknown application on Facebook, and ask yourself if you’re really comfortable with ceding such power to complete strangers. Rogue application attacks like this, spreading virally, are becoming increasingly common – and do no good for anyone apart from the scammers behind them.

If you’ve been hit by a scam like this, remove references to it from your newsfeed, and revoke the right of rogue applications to access your profile via Account/ Privacy Settings/ Applications and Websites.

And don’t forget to warn your friends about scams like this and teach them not to trust every link that is placed in front of them. You can learn more about security threats by joining the thriving community on the Omid’s Blog! Facebook page.

Facebook Dislike button scam spreads virally

Have you seen a message like this on Facebook?


I just got the Dislike button, so now I can dislike all of your dumb posts lol!!

If so, don’t click on the link.

It’s the latest survey scam spreading virally across Facebook, using the tried-and-tested formula used in the past by other viral scams including “Justin Bieber trying to flirt”, “Student attacked his teacher and nearly killed him”, “the biggest and scariest snake” and the “world’s worst McDonald’s customer”.

We’ve also seen slightly different wording – but pointing to the same scam.


Falling for any of these scams (which promise some lurid, eye-popping or exclusive content) typically tricks you into giving a rogue Facebook application permission to access your profile, posting spam messages from your account and asking you to complete an online survey.

And the same is true with this latest scam, which tempts you with the offer of a “dislike” button (as opposed to the normal “like” button) so you can express your opinions on other users’ posts, links and uploads.



If you do give the app permission to run, it silently updates your Facebook status to promote the link that tricked you in the first place, thus spreading the message virally to your Facebook friends and online contacts:


But you still haven’t at this point been given a “Dislike” Facebook button, and the rogue application requires you to complete an online survey (which makes money for the scammers) before ultimately pointing you to a Firefox browser add-on for a Facebook dislike button developed by FaceMod.

As far as we can tell, FaceMod aren’t connected with the scam – their browser add-on is simply being used as bait.

So, if you really want to try out FaceMod’s add-on (and note – we’re not endorsing it, and haven’t verified if it works or not), get it direct from the Firefox Add-ons webpage, not by giving a rogue application permission to access your Facebook profile.

If you’re on Facebook, and want to learn more about security threats on the social network and elsewhere on the internet, join the Omid Facebook page.

What’s in a (rogue) name? VirusTotal 2010

There is a well-respected and very useful site that everyone in the anti-virus industry uses – sometimes several times a day: Virus Total. You can upload suspicious files or their check sums to Virus Total to see if a file is malicious. The makers of a new rogue have picked up on the Virus Total name in an effort to make their malicious creation look like something legitimate:


What it tries to download is detected as FraudTool.Win32.FakeRean (fs).
Here’s what the real Virus Total site looks like. It basically runs your code sample or check sum against 41 anti-virus engines and displays the resulting detections.


We’ve entered the MD5 check sum of the VIPRE detection (above) and copied here a portion of the Virus Total page (32 detections cut out) with the Sunbelt detection highlighted:


Google: 11,000 domains carrying rogue security products

Niels Provos of the Google Security Team has blogged about the rise of malicious web sites carrying rogue security products, which the Google team calls “Fake AV.” Google has been engaged in a constant battle against the sites because the operators who peddle them have been refining their techniques for poisoning Google search engine results in order to victimize Google users by drawing them to malicious download sites.

He wrote: “we conducted an in-depth analysis of the prevalence of Fake AV over the course of the last 13 months, and the research paper containing our findings, ‘The Nocebo Effect on the Web: An Analysis of Fake AV distribution’ is going to be presented at the Workshop on Large-Scale Exploits and Emergent Threats (LEET) in San Jose, CA on April 27th.”

He went on to say: “Our analysis of 240 million web pages over the 13 months of our study uncovered over 11,000 domains involved in Fake AV distribution — or, roughly 15% of the malware domains we detected on the web during that period.

Also, over the last year, the lifespan of domains distributing Fake AV attacks has decreased significantly.”

Provos advises Web users not to purchase the rogues when they pop up their persistent, screaming warnings, and instead to remove the malicious code from their machines.

“In the meantime, we recommend only running antivirus and antispyware products from trusted companies. Be sure to use the latest versions of this software, and if the scan detects any suspicious programs or applications, remove them immediately,” he said.

Google Online Security Blog piece here.

Arrests on the Rise

Lots of little newsworthy updates recently . . . they’ve been well-covered elsewhere, but we wanted to make sure our readers saw them as well.

Russia: Safe Haven no more?

One of the constant complaints that we hear is “the criminal is probably in Russia”, as an excuse for why a case is not worth investigating. Back on November 11, 2009, we posted a story The $9 Million World-wide Bank Robbery, where VIKTOR PLESHCHUK, 28, of St. Petersburg, Russia; SERGEI TŠURIKOV, 25, of Tallinn, Estonia; and OLEG COVELIN, 28, of Chişinău, Moldova were charged with leading the robbery, which actually occurred in 2008. This week the Financial Times has revealed that Viktor Pleshchuk was arrested by the FSB. Their story leads with:

Russia has quietly arrested several suspects in one of the world’s biggest cyberbank thefts, raising hopes of a previously unseen level of official co-operation in a country that has been a haven for criminals.

Other sources, for instance Bank Info Security News have confirmed that Sergei and Oleg were also arrested by the FSB at the same time.

Your Federal Friends on Facebook?

Pasquale Manfredi isn’t exactly a nice guy. The authorities have wanted to arrest him for some time because of his naughty habits such as assassinating his enemies by shooting a bazooka at their car. The Daily Mail says that he also maintained a Facebook account under the name “Georgie”, with Al Pacino’s “ScarFace” as his Profile picture. According to The Register, authorities used intelligence gathered from his Facebook page to identify his location and successfully make the arrest.

The Associated Press’s Richard Lardner followed up with a story about the way MySpace and Facebook are both being used as investigative goldmines. See his story Break the law and your new ‘friend’ may be the FBI.

Twitter Hacker in France

“Hacker Croll”, an unemployed 25-year-old hacker who lived with his parents, had his moment of fame after breaking into the Twitter accounts of President Obama and Britney Spears. The AP story says he was arrested by French police, who have released him to reappear on June 24th for his trial. The hacker calls himself “more of a pirate than a hacker”, and has explained his method to the police. French prosecutor Jean-Yves Coquillat says the young man was acting on a bet, and that he is “the sort who likes to claim responsibility for what he’s done.” According to an AFP story, TechCrunch had received more than 300 documents belonging to Twitter employees that were provided by Hacker Croll. Twitter has acknowledged that they seem legitimate.

Jon and Kate Plus Eight … plus fake codecs

One of our researchers was reading the comments about Dancing With The Stars, and Kate Gosselin’s performance (he’s a huge fan … don’t ask), when he noticed a link to a URL shortening service. Given that it was advertising a video of Kate Gosselin topless, he astutely realised that was a bit suspicious, and checked it out inside a nice, safe virtual PC. Indeed, the shortening service immediately transferred to a website showing a picture of Kate at the beach…

Note the dialog that says “ActiveX Object Error”, and “Click OK to download”. If you’re a poker player, this is what’s known as a “tell”. And if you are not a poker player, this is your sign that you should run for the hills, or in computer terms, start Task Manager and kill the browser.

If you _ever_ have to download a codec or anything to watch a video …. DON’T!

If, however, you are determined to walk a little on the wild side, and try to view Ms Gosselin, you are confronted with a File Download dialog, and when you run that, you see this screen …

Wait … an anti virus? I thought I was getting a movie viewer!?

Of course, your machine is now officially nailed, and no longer belongs to you. It belongs to the folks who wrote the rogue anti virus, and these things are really painful to remove.

The upside for Kate is that she is now being used as a Lure by the Fake Codec-ers, which makes her officially a celebrity.

None-the-less, Dancing With The Stars will no doubt continue, and it’s now Jon and Kate Plus Eight Plus Fake Codecs… oh, minus Jon. 🙂

Back to Basics with Fake AV

We’ve been seeing Fake AV programs getting more convincing for a while now. Some of the tricks employed by the guys behind these rogue programs include Windows-7-style fake scanners, in-browser “scanners”, and program features that ape other aspects of the operating system.

Yesterday, though, we came across a misleading application called AntiVirusDemoFraud that is—how to say?—possibly a little less sophisticated than some in terms of user interface design.

Obvious in the screenshots are the familiar misleading application hallmarks, such as fake detection names, dire warnings as to what the “threats” are capable of, and buttons to pay to register the program and remove the threats. Notable are the errors in spelling and grammar, the “dotted tri” IP address, and the frankly amateurish interface. Don’t give up your day jobs folks.

Facebook AV

Does a Facebook-specific antivirus application sound like a good idea? Maybe not. One of our analysts saw this particular application, claiming to be an antivirus, wreak havoc on his Friends list. Of course, there is no such thing.

Once installed on one Friend’s account, this application tags 20 Friends in a picture such as the one below:

If a Friend looking through the photos then clicks on the app’s (apparently randomly generated) link, they’ll see this:

If you have a lot of friends, you might end up with a series of albums like this:

You can find more information about this, including instructions on how to remove the tags on the photos, at FacebookInsider.

Examples include Antivirus in Focebook and F’acebook antivirus.

Notice the misspelling of Facebook in both names. Facebook is already in the process of removing and preventing such rogue apps.