
A New Spin On Rogue Antivirus


Reefa


Rogue antivirus was once the scourge of the Internet, and while this sort of malware is not entirely extinct, it’s fallen out of favor among criminals as users have become more aware and security products have gotten better at blocking the threat.

[Image: graph of the decline in rogue antivirus detections, via TechNet]

However, Daniel Chipiristeanu, an antivirus researcher at the Microsoft Malware Protection Center (MMPC), claims that a simpler, and primarily browser-based, version of the fake antivirus scheme has proven more effective in recent months.

The MMPC says that once a user machine is compromised by one such piece of malware, Rogue:Win32/Defru, it blocks users from browsing to a long list of popular websites on the Internet and instead presents an image familiar to anyone who’s dealt with rogue antivirus in the past.

“When the user is browsing the Internet, the rogue will use the hosts file to redirect links to a rather infamous specific fake website (pcdefender.<removed> IP 82.146.<removed>.21) that is often used in social engineering by fake antivirus malware,” Chipiristeanu explained on Microsoft’s TechNet blog.

[Image: the Win32/Defru fake scanner page shown in the browser, via TechNet]

While the user will see the above image in their browser window, the URL in the address bar will be that of the website the user intended to visit in the first place. In other words, the malware quietly redirects the user to a new website, but the address bar does not reflect that movement. If the user tries to access another website, the threat follows. The message reads:

“Detected on your computer malicious software that blocks access to certain Internet resources, in order to protect your authentication data from intruders the defender system Windows Security was forced to intervene.”

The fake scanner shows users a long list of non-existent malware it claims to have found on the computer in question. Then it offers to clean the system for a fee. If the user clicks the “Pay Now” button, he will be redirected to a payment portal called “payeer.”

[Image: the Defru payment page, via TechNet]

Chipiristeanu claims that paying the fee will not fix the problem.

At the moment, most of Defru’s victim-machines – as is indicated by language – appear to be located in Russia. The United States is a distant second to Russia with Kazakhstan following closely behind in third. The remaining infections are mostly in eastern European and Middle Eastern states with some infections in western Europe as well.

You can find the list of redirected sites with the detailed Defru malware information.

“The rogue is written in PHP, uses a PHP EXE compiler (Bambalam) and will copy itself to %appdata%\w1ndows_<4chars>.exe (e.g. ‘w1ndows_33a0.exe’),” Chipiristeanu explains. “It persists at system reboot by adding itself to the registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the value ‘w1ndows_<4chars>’.”

“The user can clean their system by removing the entry value from the ‘run’ registry key, delete the file from disk and delete the added entries from the hosts file.”

Source
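Added here as an example (not from the article or the MMPC post): a PowerShell check for the two Defru footprints the article describes, the hosts-file redirect of many sites to one address and the w1ndows_<4chars> Run value, with optional cleanup matching the steps quoted above. The threshold of 10 hostnames per IP and the assumption that the four characters are alphanumeric are mine, not the article's.

```powershell
# Added example, not from the article or MMPC: report the two Defru footprints the
# article describes; nothing is deleted unless -Remove is given (run elevated for that).
param([switch]$Remove)

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$runKey    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# 1. Hosts-file redirect: many unrelated hostnames mapped to one non-loopback IP.
#    The threshold of 10 names per IP is an assumption; a clean hosts file rarely has that.
$lines = Get-Content $hostsPath
$byIp  = @{}
foreach ($line in $lines) {
    $fields = (($line -replace '#.*$', '').Trim()) -split '\s+'   # drop comments, tokenise
    if ($fields.Count -lt 2) { continue }                          # blank or malformed line
    $ip = $fields[0]
    if ($ip -in '127.0.0.1', '::1') { continue }                   # loopback entries are normal
    if (-not $byIp.ContainsKey($ip)) { $byIp[$ip] = @() }
    $byIp[$ip] += $fields[1..($fields.Count - 1)]
}
$suspectIps = @($byIp.Keys | Where-Object { $byIp[$_].Count -ge 10 })
foreach ($ip in $suspectIps) {
    Write-Warning "hosts: $($byIp[$ip].Count) names redirected to $ip (e.g. $($byIp[$ip][0]))"
}

# 2. Persistence: a Run value named w1ndows_<4chars>; four alphanumerics is an assumption
#    based on the article's example 'w1ndows_33a0'.
$runValues     = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
$suspectValues = @($runValues.PSObject.Properties | Where-Object { $_.Name -match '^w1ndows_[0-9a-z]{4}$' })
foreach ($v in $suspectValues) {
    Write-Warning "Run key: $($v.Name) = $($v.Value)"
}

if ($Remove) {
    foreach ($v in $suspectValues) {
        $exe = $v.Value.Trim('"')
        Remove-ItemProperty -Path $runKey -Name $v.Name
        if (Test-Path $exe) { Remove-Item -Path $exe -Force }
    }
    # rewrite hosts without the lines that point at a suspect IP; comments and loopback stay
    $kept = $lines | Where-Object {
        $f = (($_ -replace '#.*$', '').Trim()) -split '\s+'
        -not ($f[0] -in $suspectIps)
    }
    Set-Content -Path $hostsPath -Value $kept -Encoding ASCII
}
```

Run it without -Remove first and check the reported hostnames against the redirected-sites list in the MMPC write-up; the browser also needs a restart or a DNS cache flush (ipconfig /flushdns) before the redirect stops.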


Those fuckers who put that shit on the net should be beaten within inches of their lives, allowed to heal, then beaten again.

there is no purpose for this shit.


That would be too easy.

They should be chained to the back of a Truck and dragged for miles through glass.

Damn that scamware crap, I hate having to remove that crap and find out it neutered the registry.

Too bad with Windows. I'd argue Windows has more security baked in than OS X (but there are some really hardcore Linux distros out there), but has more bugs and more people targeting it. Still though it is too easy for people to get owned on Windows.

OS X has something I hate where it verifies signatures/code signing, called Gatekeeper (it is trivially bypassed from what I heard, but the concept out of the box would help this, because the user has to go into settings and disable it instead of hammering yes mindlessly not knowing what it is). I don't like the control feature, but making it harder to run just any run of the mill EXE than just hammering yes would help.

Many non-power users these days are just sticking to their browser of choice. If all they know is Facebook they shouldn't ever need to run unsigned programs.

I'd like to see Windows (and hell, any OS), build in Sandbox features ala Sandboxie. Keep that crap from polluting the registry at least, just turn it all off with the flick of a switch.



Windows 8.1 is pretty secure these days if ppl keep it updated, especially the x64 Enterprise version.

I think ppl should set up at least a standard user account without admin privilege, and use that standard account for everyday computing. On top of that, proper AppLocker rules can be set up to prevent any executable (exe, com, script, msi, etc) from running from any directory other than C:\Windows and C:\Program Files (x86), or C:\Program Files. Registry editors and the CMD command should also be disabled. Any drive-by downloads, auto-installation, registry hacks will be prevented, and you are only allowed to run the programs you are sure are safe.

This way you get a hardened OS that is more secure than OS X and not less secure than Linux. Of course, the weakest link is always social engineering, where the users can be tricked into running some rogue programs. However in my setup above, without the admin password, any rogue programs will have no chance to be installed because of the lower user privilege and AppLocker restriction.

The biggest problem now for Windows is the lack of a standard user account. ppl almost always use an admin account, even on Windows 8.1, which is dangerous, because as mentioned, a mindless "yes" click upon a UAC prompt can be catastrophic. So I think first of all, everyone needs a standard user account as their main account on their computer.

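Added here as an example (not the commenter's own configuration): a PowerShell script that writes the AppLocker path rules described in the post above, letting Everyone run only from %WINDIR% and %PROGRAMFILES% while Administrators keep an allow-all rule, and tests the policy before it is applied. The temp file name and the administrators' allow-all rule are my assumptions.

```powershell
# Added example, not from the thread: build the "run only from Windows and Program Files"
# AppLocker policy the comment describes. Run elevated on an edition with AppLocker
# (e.g. Windows 8.1 Enterprise); the Application Identity service (AppIDSvc) must be running.
$allowedPaths = @('%WINDIR%\*', '%PROGRAMFILES%\*')  # %PROGRAMFILES% covers both Program Files dirs
$collections  = @('Exe', 'Msi', 'Script')            # .exe/.com, .msi/.msp, .ps1/.bat/.cmd/.vbs/.js

function New-PathRuleXml([string]$Path, [string]$Sid) {
    $id = [guid]::NewGuid().ToString()
@"
    <FilePathRule Id="$id" Name="Allow $Path" Description="" UserOrGroupSid="$Sid" Action="Allow">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

$body = foreach ($type in $collections) {
    # Everyone (S-1-1-0) may run from the two system locations; Administrators (S-1-5-32-544)
    # keep an allow-all rule (assumption) so the admin account can still install software.
    $rules  = @($allowedPaths | ForEach-Object { New-PathRuleXml -Path $_ -Sid 'S-1-1-0' })
    $rules += New-PathRuleXml -Path '*' -Sid 'S-1-5-32-544'
    "  <RuleCollection Type=`"$type`" EnforcementMode=`"Enabled`">`n$($rules -join "`n")`n  </RuleCollection>"
}
$policyXml = "<AppLockerPolicy Version=`"1`">`n$($body -join "`n")`n</AppLockerPolicy>"

$policyPath = Join-Path $env:TEMP 'applocker-allowlist.xml'   # file name is an assumption
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: a Windows binary is reported as Allowed; anything under %APPDATA%, such as the
# w1ndows_<4chars>.exe from the article, would be denied for a standard user.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path "$env:WINDIR\System32\notepad.exe" -User Everyone
# Set-AppLockerPolicy -XmlPolicy $policyPath    # apply locally; add -Merge to keep existing rules
```

Switch EnforcementMode to "AuditOnly" for a first rollout and review the AppLocker event log before enforcing, because the Script collection will also block scripts a user runs from their own folders.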
