Archive for the ‘rogue’ Category

FTC to refund rogue security software victims

December 14th, 2011

The United States Federal Trade Commission announced that it will begin issuing refunds to 300,000 consumers that were victims of several rogue security software scams such as “Winfixer“, “Drive Cleaner” and “XP Antivirus“. The following is a list of Microsoft antimalware product detection names that are linked to the Winfixer family:


Rogue authors commonly brand their programs to appear as legitimate security scanners. The following is a list of some names that are associated with the above mentioned rogue security software detections:

Antivirus 2008
Antivirus XP 2008
AV XP 2005
Data Doctor
Driveproteccion (sic)
Power Antivirus 2008
Power Antivirus 2009
SpyKiller Pro
Spyware Sweeper
VirusRemover 2008
WinSpyware Protect
XP AntiSpyware 2009
XP AntiVirus

The following text is from the FTC announcement (

Approximately 320,000 checks will be mailed by the FTC’s settlement administrator, Epiq Systems. Consumers who believe they are entitled to a refund or have questions may call the settlement administrator toll free at 1-877-853-3541 or visit for more information.


Categories: AntivirusXP, FTC, rogue, Winfixer

There’s more than one way to skin an orange…

October 21st, 2011

When it comes to attacking a system and compromising its data and/or resources, there are several different methods an attacker can choose. One of the more effective ways to achieve a successful compromise is to take advantage of perceived vulnerabilities in the targeted system. A vulnerability is a characteristic of a system that renders it susceptible to some form of attack: something like a weakness, but a weakness that does not necessarily indicate a problem with the system’s design.

Vulnerabilities may be present in any component of the targeted system. You can have vulnerabilities in the hardware that supports the system or in the software that runs on it, but you can also have vulnerabilities that arise as people use the system, or in the people themselves. People, both literally and figuratively, can be soft targets, and attackers often try to compromise systems by exploiting how people behave.

This type of attack is known as social engineering. Essentially, in social engineering, attackers attempt to exploit vulnerabilities in human behavior in order to make the victim being targeted act in a manner of the attacker’s choosing, even though that is unlikely to be in the victim’s best interest. So rather than exploiting vulnerabilities in hardware or software, social engineering attempts to exploit vulnerabilities in the ‘wetware’ (i.e. the people).

Examples of social engineering techniques used by malware for distribution or other purposes can range from the simple yet effective ("Install this codec in order to watch this amusing video"), to the elaborate and complex (most Rogue security software), to the targeted (by taking advantage of existing trust relationships using specially compromised accounts or services).

So, you can upgrade your hardware and update your software (and we absolutely recommend that you do), but how do you upgrade/update people to make them less vulnerable to attack? It’s a classic question in computer security but there are measures you can take that will make the people in your organization less likely to be compromised in this manner.

The latest issue of the Microsoft Security Intelligence Report (SIRv11) contains detailed advice for IT professionals and organizations on how to limit exposure to social engineering attacks. The section ‘Advice to IT Professionals on Social Engineering’ (p42) provides a number of tangible steps that can be taken to protect an organization from this most nefarious of attacks.

Highly recommended reading for any organizations that contain people…

Heather Goudey
MMPC Melbourne

MSRT August ’11: FakeSysdef

August 10th, 2011

This month’s Malicious Software Removal Tool (MSRT) includes Win32/FakeSysdef – one of the most prevalent trojans affecting our support groups over the past few months. We’ve discussed this threat in previous blogs (1, 2), and turn to this excerpt from our encyclopedia for some more detail:

“Win32/FakeSysdef is a family of programs that claim to scan for hardware defects related to system memory, hard drives and over-all system performance. They scan the system, show fake hardware problems, and offer a solution to defrag hard drives and optimize system performance. They then inform the user that they need to pay money to download a ‘fix’ module, register the software and repair these non-existent hardware problems.”

The first variant we saw in the wild called itself “System Defragmenter”, hence the name FakeSysdef (SHA1: C5130D12851D03ED42A7CC25BE5629E0A43E90A2).

With a trained eye, we found some tell-tale signs that the authors behind Win32/FakeCog are related to those behind Win32/FakeSysdef. It also seems coincidental that FakeSysdef’s first release was a month after the inclusion of Win32/FakeCog to MSRT last September. Since that time, FakeCog detections have decreased while FakeSysdef detections have become more prevalent.

How do I get infected?
Creators of trojan and rogue security software are notorious for using exploit kits and “search result poisoning”, or Black SEO, to launch installers of their malware. For example, malware creators could use an image search poisoning scheme to deliver poisoned search results to users that search for a photo of a popular or public person. When opening a (malicious) returned search results page, the user could become infected by way of a drive-by download that executes a Win32/FakeSysdef installer. FakeSysdef may also be downloaded by other malware, including Win32/Chepvil.

Win32/FakeSysdef drops a copy of itself and/or another component (DLL or EXE) to the “%APPDATA%” folder using random filenames, for instance:

  • c:\Documents and Settings\All Users\Application Data\<RANDOM>.exe
  • c:\Documents and Settings\<UserName>\Local Settings\Application Data\<RANDOM>.exe

Note: These folders are commonly hidden, so you might need to check these links for Windows Vista and Windows 7 to enable the viewing of hidden files and folders to see the dropped files.

Here is an example of the dropped files (the main executable and a configuration data file):

Figure 1 – Dropped files

A shortcut link is created in the desktop folder and sometimes in the Program menu, hoping that the user will run it eventually. Others may just create a plain autorun registry entry to run the trojan every time Windows starts.

To be more appealing, recent FakeSysdef variants are smart enough to detect the operating system when constructing the brand names they use. An example of this strain is the “Windows 7 Recovery” distribution, which checks the Windows version with common APIs such as GetVersionExW() and GetNativeSystemInfo(). Other variants with similar behavior are “Windows 7 Restore” and “Windows 7 Repair”.

Figure 2 – View of API call by FakeSysdef

Win32/FakeSysdef’s typical behavior, once active, is to display fake error messages such as those seen in Figure 3 that scare the user into believing that their computer needs repair. But before they can clean up their computer, they need to buy or register the software. Needless to say, this is the old and dirty trick used by rogues and some trojans to scam money from infected users: scare you into buying their fake software. If the user ignores the malware (e.g. by clicking ‘Cancel’), it reboots the machine repeatedly until they activate the fake fix. Downloading and installing the fake fix module will not clean up the computer, and it doubles the risk by downloading an additional component or different new malware.

Figure 3 – Examples of fake error messages from FakeSysdef

Figure 4 – FakeSysdef fake request to “Fix problem”

After installation, it connects to a remote website to report infection information. The remote website’s URI formats are all the same or similar and hard-coded in the binary with simple encryption. The %s format in the decrypted string (Figure 5) is replaced later in the code by the actual hardcoded domain name. This means that the binary is being auto-generated with some kind of server-side polymorphic engine, embedding the URI of the C&C domain on every binary compiled. The domains used also look pre-generated, being registered when the binary is released.

Figure 5 – Analysis of FakeSysdef illustrates call to decrypt URI string

Blocking programs
It is also worth noting that a small fraction of FakeSysdef variants were found to block launched programs once active. The trojan accomplishes this with a DLL component injected into some pre-determined processes, such as EXPLORER.EXE, WINLOGON.EXE and WININET.EXE, using the following registry entry:

In subkey: HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls
Sets value: "AppSecDll"
With data: "c:\documents and settings\all users\application data\<RANDOM>.dll"

The DLL exports the CreateProcessNotify() function, which checks whether the trojan is installed by querying some registry entries related to itself and then denies the programs the user tries to run. This aggravates the infection, especially for cleanup, as you cannot run programs to remove the trojan. Users might need to boot into Safe Mode to clean this strain.

Ties with other malware
The underground malware business has a complex structure, and different malware families are often inter-related. For example, we have observed Win32/Hiloti installing Win32/FakeSysdef in the past. FakeSysdef, in turn, was also found to download and install Win32/Alureon.

With the inclusion of FakeSysdef in this month’s MSRT, we hope that its extinction is imminent!

— Rex, MMPC

Categories: MSRT, rogue

Slick links linked to slinky Winwebsec

May 3rd, 2011

I received a spam email from a friend lately after which I immediately notified him of a potential malware infection. He insisted his technician had taken care of the infection once and for all. After I returned from my vacation I received another three spam mails from him. This time I decided to look further.

Message 1, about two weeks old, contained a simple URL shown as ‘’. The hyperlink was actually for a different site, “”, a site that had been taken down when I tested it in our lab.

Message 2 contained another URL, also displayed as ‘’, and the hyperlink this time was for another site, “”. As of April 27, the site was still alive, and appears to be a fake site for the purchase of drugs online:

Image 1 – fake pharma site


Message 3 arrived only a few days ago, and it too used the ‘’ ruse. The message contained a single line of content, with a displayed link of ‘’ and an actual hyperlink of “”. I turned to a fellow researcher Tim to investigate. Below is a short summary of what he discovered.

When visiting the URL, it installs a program with a file name of “pack.exe” (SHA1: 6286972A5DA540E058DD2AEDFC38B6061FF67F14). A quick search at VirusTotal – an online service that scans submitted malware samples using multiple security scanners – indicated no current detection by security vendors.

When I ran the program, a familiar interface popped up – it was the rogue Win32/Winwebsec:

Image 2 – Win32/WinWebsec rogue


And now, they want $99.95 for it:

Image 3 – purchase lure


After having a peek at the HTML code of the malicious website, we found there was actually an exploit kit being implemented to install rogues, using a “drive-by-install” method. The exploit is similar to the known “Zombie Infection Kit” and also the “Siberia exploit kit”, and it includes the following exploitation methods:


Image 4 – CVE-2006-003 – Microsoft Data Access Components (MDAC) Vulnerability


Image 5 – CVE-2010-0886 – Java Deployment Toolkit Vulnerability


Image 6 – CVE-2010-1885 – Microsoft Windows Help and Support Center Vulnerability

If these exploit methods look familiar, that’s because they are the exact exploit toolkits heavily used to distribute Zbot (aka Zeus). The rogue installed by the web page mentioned above is detected as Rogue:Win32/Winwebsec.

If you only draw one conclusion from our research, let it be “don’t click on suspicious links”.


–Tim Liu & Scott Wu, MMPC

Doctor Who calling–on Skype, with malware

April 15th, 2011

Earlier this week, I received a phone call via Skype on my laptop; the caller’s ID was “dralerthelpzc8”, as in Dr Alert Help ZC8. The voice on the other end was automated, computerized and otherwise non-human, and alerted me that I had a virus that affects Windows Vista, Windows XP and Windows 7 and that I needed to visit a website to download an update. (This is somewhat similar to the situation where a live person calls and purports to be a Microsoft employee who wants to help you clean your computer. We want to point out that no Microsoft employee would ever call you in an unsolicited manner.)

I found the mystery Skype call odd on two counts: one, I work for a security company that develops antimalware security software, and two, my Skype settings were initially set to not display whether I’m online. Apparently my privacy settings had no effect on whether I received a random call. More on that later.

After some checking around various forums about this ‘helpful’ (not!) voice message alert, I discovered that many people in the Skype community have also received similar phone calls. There were a lot of references to “scam” and “rogue AV scanners” so my gut feeling was not too far off at all. I did find some other forums that included screen shots that indicated a tell-tale sign that indeed, the referenced site distributed rogue software.

According to IP records, the site mentioned in the automated call (sos**.com, obfuscated intentionally) is listed as belonging to ASN 4134, aka CHINANET-BACKBONE, which has a long list of IP addresses known to distribute malicious code. I attempted to visit the site; however, it was already offline, returning an HTTP 404. There was a cached view available and it resembled a version of a fake scanner web page:


Image 1 – cached page sos**.com


One forum displayed a screen shot, captured in March, that listed a system tray dialog that looked vaguely familiar. Below is a copy of the message text:


Warning errors detected

Click here to view errors list.
Remove this errors as soon as possible to prevent
data lost and privacy information exposure


This error message was also used by Trojan:Win32/FakeSpyguard in 2008. The forum mentioned that clicking on the system tray message redirects the web browser to an online purchasing site (also offline) where you can enter a CC number to purchase the (presumed to be) rogue malware.

Reviewing the sequence of events, I decided I would make changes to my Skype account to prevent future spam phone calls of this nature, for instance:

  • select ‘Allow calls from people in my Contact list only’
  • select ‘Show that I have video to people in my Contact list only’
  • select ‘Automatically receive video and screen sharing from people in my Contact list only’
  • select ‘Allow IMs from people in my Contact list only’
  • unselect ‘Allow my online status to be shown on the web’

Image 2 – Skype privacy settings

For more articles on Skype security, visit this link on the Skype product site:

– Dan Nicolescu & Patrick Nolan, MMPC

Categories: guidance, rogue, scam, Skype, spam

How to defang the Fake Defragmenter

March 19th, 2011

We have been tracking this fake "System Defragmenter" software since its first appearance in October 2010, and warned our customers about this trojan in an earlier post. In this follow-up post, we give an update, including a new variant worth noting for our customers.

The fake system defragmenter family (FakeSysdef) is similar to rogue software in many ways, such as presenting forced installations, a polished user interface, false and annoying errors and a request (requirement) that users buy a license. This ultimately is the goal of the scammers – to extract money.

“Brands” or aliases
Common strategies of fake software include branding or use of different names and aliases, and this family is no different, releasing 2 or 3 rebranded variations every week. Many of them are listed in the table below, including the recent “WinScan” that we dissect in this post later on.

System Defragmenter | Smart HDD | Scanner
Check Disk | Win Defragmenter | Full Scan
Win HDD | Win Defrag | HDD Scan
HDD Plus | Win Defragmenter | HDD Diagnostics
HDD Low | Quick Defragmenter | HDD Repair
HDD Tools | Smart Defragmenter | Win Scanner
HDD Doctor | HDD Defragmenter | Quick Defrag
HDD Rescue | Scan Disk | HDD Fix
Disk Doctor | HDD Control | Memory Fixer
Disk Repair | Hard Drive Diagnostic | My Disk
Easy Scan | Disk Ok | Fast Disk
HDD Ok | Disk Optimizer | Memory Optimizer
Good Memory | Memory Scan | Windows Scan
Disk Recovery | Win Disk | WinScan


The Packers
FakeSysdef uses a few different packers. Figure 1 shows the custom packer used by this rogue: a relatively simple packer that, in turn, uses an anti-emulation trick in its bid to thwart emulators.

Figure 1 – Illustration of packing layer and obfuscation by FakeSysdef

Perhaps what is important to note about this packer is that it’s being used by other malware such as Rogue:Win32/Sirefef, Rogue:Win32/FakeRean, some variants of TrojanDownloader:Win32/Harnig and Rogue:Win32/Winwebsec and, recently, Rogue:Win32/FakeSpypro as well. It is not uncommon for malware to share packers; identifying the packer can be sufficient to classify the packed file as malicious. (See “Standards and Policies on Packer Use”, our blog post about the use of “taggants” to identify a packer family).

The packer layer decrypts the code and copies the decrypted code to the newly allocated memory before jumping to the second layer, or the injector stub. The injector stub can be easily recognized by the starting code similar to that shown below:

The first two calls just get the base addresses of KERNEL32.DLL and NTDLL.DLL. With the base addresses in hand, the injector can easily retrieve the other APIs it needs by parsing each DLL’s export address table, including the RtlDecompressBuffer() API used to uncompress the embedded executable with COMPRESSION_FORMAT_LZNT1:

00A41D21                 push    edx             ; RtlDecompressBuffer
00A41D22                 mov     eax, [ebp+_NTDLL_]
00A41D28                 push    eax
00A41D29                 call    _getprocaddress
00A41D2E                 mov     [ebp+var_204], eax
00A41D34                 lea     ecx, [ebp+var_90]
00A41D3A                 push    ecx
00A41D3B                 mov     edx, [ebp+arg_0]
00A41D3E                 mov     eax, [edx]
00A41D40                 push    eax             ; CompressBufferSize
00A41D41                 mov     ecx, [ebp+arg_0]
00A41D44                 add     ecx, 4
00A41D47                 push    ecx             ; CompressedBuffer
00A41D48                 mov     edx, [ebp+arg_4]
00A41D4B                 push    edx             ; UncompressedBufferSize
00A41D4C                 mov     eax, [ebp+var_19C]
00A41D52                 push    eax             ; UncompressedBuffer
00A41D53                 push    COMPRESSION_FORMAT_LZNT1 ; Format
00A41D55                 call    [ebp+var_204]   ; RtlDecompressBuffer
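To make the stub’s arguments concrete, here is a pure-Python equivalent of the same unpacking step (an added example for this post, not code from MMPC or from the malware): it reads the 4-byte compressed size that the stub takes from `[arg_0]`, takes the LZNT1 stream that follows at `arg_0+4`, and decompresses it the way RtlDecompressBuffer does for COMPRESSION_FORMAT_LZNT1, so an analyst can carve the embedded image from a memory dump on any platform. The function names `lznt1_decompress` and `unpack_payload` are chosen here, and the two streams are constructed by hand for the example, not taken from a real sample.

```python
"""Pure-Python equivalent of the injector stub's unpacking step: the payload
handed to the stub is a 4-byte little-endian compressed size followed by an
LZNT1 stream, which RtlDecompressBuffer(COMPRESSION_FORMAT_LZNT1, ...) turns
back into the embedded executable."""
import struct

def lznt1_decompress(data):
    """Decompress an LZNT1 stream: 2-byte chunk headers (bit 15 = compressed,
    low 12 bits = chunk length - 1), then flag bytes whose set bits mark
    (offset, length) back-reference tokens among literal bytes."""
    out = bytearray()
    i = 0
    while i + 2 <= len(data):
        header = struct.unpack_from("<H", data, i)[0]
        i += 2
        if header == 0:                 # end-of-stream marker
            break
        size = (header & 0x0FFF) + 1
        chunk = data[i:i + size]
        i += size
        if not header & 0x8000:         # stored chunk, copied as-is
            out += chunk
            continue
        base = len(out)                 # back-references never cross chunks
        j = 0
        while j < len(chunk):
            flags = chunk[j]
            j += 1
            for bit in range(8):
                if j >= len(chunk):
                    break
                if not (flags >> bit) & 1:
                    out.append(chunk[j])   # literal byte
                    j += 1
                    continue
                token = struct.unpack_from("<H", chunk, j)[0]
                j += 2
                # The offset field widens as the chunk fills: 4 bits for the
                # first 16 output bytes, 5 bits up to 32, and so on.
                pos = len(out) - base - 1
                len_mask, off_shift = 0x0FFF, 12
                while pos >= 0x10:
                    len_mask >>= 1
                    off_shift -= 1
                    pos >>= 1
                length = (token & len_mask) + 3
                offset = (token >> off_shift) + 1
                for _ in range(length):    # byte-wise so overlapping copies work
                    out.append(out[-offset])
    return bytes(out)

def unpack_payload(blob):
    """Carve the image exactly as the stub does: the dword at +0 is
    CompressedBufferSize and the compressed data starts at +4."""
    (compressed_size,) = struct.unpack_from("<I", blob, 0)
    compressed = blob[4:4 + compressed_size]
    if len(compressed) != compressed_size:
        raise ValueError("payload truncated")
    return lznt1_decompress(compressed)

# Constructed streams (not from a real sample). First: literals 'M','Z',0x90,
# a length-29 back-reference to the previous byte, then "PE\0\0".
STUB_STREAM = bytes([
    0x09, 0xB0,               # header: compressed chunk, 10 bytes follow
    0x08,                     # flags: 4th token is a back-reference
    0x4D, 0x5A, 0x90,         # 'M', 'Z', 0x90
    0x1A, 0x00,               # token: offset 1, length 29
    0x50, 0x45, 0x00, 0x00,   # 'P', 'E', 0, 0
    0x00, 0x00])              # end of stream
SAMPLE_PAYLOAD = struct.pack("<I", len(STUB_STREAM)) + STUB_STREAM
EXPECTED_IMAGE = b"MZ" + b"\x90" * 30 + b"PE\x00\x00"
# Second: 18 literals, then a back-reference issued at output position 18,
# where the split has widened to a 5-bit offset (token 0x8802: offset 18, length 5).
WIDE_STREAM = (bytes([0x16, 0xB0, 0x00]) + b"ABCDEFGH" + b"\x00" + b"IJKLMNOP"
               + b"\x04" + b"QR" + bytes([0x02, 0x88]))

if __name__ == "__main__":
    image = unpack_payload(SAMPLE_PAYLOAD)
    print(image == EXPECTED_IMAGE, image[:2], len(image))
    print(lznt1_decompress(WIDE_STREAM))
```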

The injector then fixes the PE image in memory after stuffing the now-decompressed code into the host’s own address space. Finally, it jumps to the final entry point of the malicious program, and begins the installation:

00A42957                 mov     [ebp+var_1C], 'A'
00A4295B                 mov     [ebp+var_1B], 'l'
00A4295F                 mov     [ebp+var_1A], 'l'
00A42963                 mov     [ebp+var_19], ' '
00A42967                 mov     [ebp+var_18], 'd'
00A4296B                 mov     [ebp+var_17], 'o'
00A4296F                 mov     [ebp+var_16], 'n'
00A42973                 mov     [ebp+var_15], 'e'
00A42977                 mov     [ebp+var_14], '.'
00A4297B                 mov     [ebp+var_13], 'C'
00A4297F                 mov     [ebp+var_12], 'a'
00A42983                 mov     [ebp+var_11], 'l'
00A42987                 mov     [ebp+var_10], 'l'
00A4298B                 mov     [ebp+var_F], 'i'
00A4298F                 mov     [ebp+var_E], 'n'
00A42993                 mov     [ebp+var_D], 'g'
00A42997                 mov     [ebp+var_C], ' '
00A4299B                 mov     [ebp+var_B], 'O'
00A4299F                 mov     [ebp+var_A], 'E'
00A429A3                 mov     [ebp+var_9], 'P'
00A429A7                 mov     [ebp+var_8], 0
00A429BD                 mov     edx, [ebp+arg_0]
00A429C0                 add     edx, [ecx+10h]
00A429C3                 mov     [ebp+_final_entry_point], edx
00A429C6                 mov     esp, [ebp+arg_8]
00A429C9                 xor     eax, eax
00A429CB                 mov     edi, [ebp+arg_14]
00A429CE                 mov     esi, [ebp+arg_10]
00A429D1                 mov     ebx, [ebp+arg_C]
00A429D4                 jmp     [ebp+_final_entry_point]

New variant?
Earlier in February, we received an attention-getting new sample of FakeSysdef from a customer. At first we thought it was different malware, but looking closely and analyzing the sample, it was indeed a major modification to the FakeSysdef family.

For comparison, previous variants use the same interface and logo with an icon similar to a trojan horse:

Figure 2 – Various branding for FakeSysdef

This most recent FakeSysdef sample uses a new interface, though you can tell that it’s part of this family because the menu, texts and (fake) error messages are still the same (see Figure 3):


Figure 3 – New FakeSysdef GUI

The new variant is armored with a new shiny GUI and its scareware tactics are rather alarming and more aggressive, leaving the computer virtually useless until the user pays for the license to fix the bogus errors.

It is packed with UPX, a packer that is plain and simple without complex obfuscation that would make analysis more difficult. This is an indication that it’s in the early stages of development and still lacks emphasis on malware “hardening” intended to hide the malware from scanners and malware researchers alike.

The Loader
The main executable component arrives as an EXE file and acts as a loader. It first terminates the Internet Explorer process if found running. On computers running Windows Vista and later, it makes sure that it runs as an elevated privilege process. Then it drops a DLL file such as the following:

"C:\Documents and Settings\All Users\Application Data\aJnsgXnTGrqWD.DLL"

It injects the DLL into the EXPLORER.EXE process. After a while, it starts to display a fake error message:

Figure 4 – Fake error message


FakeSysdef injects the DLL file into processes (upon reboot) with the following registry change:

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls, "AppSecDll" = "<DLL_PATH>"

The DLL code is selective, only allowing itself to run under specific target processes, so it effectively injects itself only into the Explorer.exe, Winlogon.exe and userinit.exe processes. After injection, it tries to connect to a hardcoded URL, perhaps to phone home its affiliate ID for a pay-per-install scheme:


As of this writing, the associated site “” and URL requested is no longer available.

Scaring the user
The DLL component creates a black BMP file on the fly based on the operating system (Productname) and service pack number queried from registry data, and sets the created BMP as the desktop background (see Figure 5). This BMP file is dropped in the Temporary files folder and will appear to be an authentic “Safe Mode” boot background which will be used later on after a forced reboot by the trojan.

FakeSysdef also disables the background tab options of the Windows desktop configuration to make sure that the new desktop background will not be altered, with the following registry modification:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop, "NoChangingWallPaper" = "1"

It may terminate more active processes and will finally force the machine to reboot. Once rebooted, the malware begins its assault by showing a fake Windows boot failure error dialog box in the background, with the BMP created earlier on top of it, simulating Safe Mode:

Figure 5 – Fake Safe Mode and “Windows Boot Failure” dialog after reboot

This is followed by a disk diagnostics dialog that requests permission to diagnose the “disk problems”. Annoying disk and memory errors pop up to assert its presence and create more panic for the user. Eventually, the malware offers a module to download and “fix” those errors. If the user doesn’t accept the fix, the malware reboots the computer again and the process repeats itself, again and again, until the user might just give up and allow the “fix” module to run.

The machine appears useless now and will not allow any application or program to be executed, leaving the hapless user seemingly no choice but to accept the fix and repair offered from the rogue authors (see Remediation at the end of this blog). Yes, that’s the scareware tactics.

The remaining symptoms of this trojan variant are similar to those of previous variants: before it fixes the errors, you need to activate the module by purchasing a software license from the malware makers. It opens a simple, custom browser showing a very legitimate-looking “secure and verified” webpage.

Rogue Call-back and Affiliate Sign In
This trojan family phones home to a remote website to record its installation stats, such as whether it was installed by other malware and the affiliate ID, presumably for pay-per-install business transactions. This network behavior makes it possible to write IDS/IPS signatures to detect and block its network activity. Our data shows that FakeSysdef has the following outbound connection string formats:


Example URLs:


Some of the sites contacted by this family include (edited):


At least one of the sites involved allows the malware affiliate to log on as displayed below:

Figure 6 – Example of the affiliate logon portal


Remediation
There is a somewhat painless method to remove this trojan without giving in and paying. The basic steps are to start the computer in Safe Mode, delete the trojan DLL responsible as well as the scary bitmap wallpaper, then reboot and scan.

The DLL is identified by reviewing the registry data “<DLL_PATH>”:

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls
"AppSecDll" = "<DLL_PATH>"

The bitmap is stored as either “wall.BMP” or “<random>.BMP“ in the Temporary files folder. The trojan also sets a policy to prevent the user from modifying the desktop wallpaper via a registry setting named “NoChangingWallPaper”. Windows customers requiring additional help can get assistance from our online support site or via phone by calling 1-800-PC-SAFETY (1-800-727-2338).
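A small offline audit for the two registry footprints described here and in the “Blocking programs” section of the August MSRT post above: the AppCertDlls “AppSecDll” value and the NoChangingWallPaper policy. This is an added example, not MMPC tooling; it parses the text of a `reg export` of those two keys (the sample export below is constructed for the example, reusing the DLL name quoted in this post) and reports any AppCertDlls entry, rating one that points into an application-data or temp folder as high, plus the pinned-wallpaper policy. The names `parse_reg_export` and `audit` are chosen here.

```python
"""Offline audit of two registry footprints described in the post: the
AppCertDlls 'AppSecDll' value (DLL injected into new processes) and the
NoChangingWallPaper policy that pins the fake Safe Mode wallpaper.
Input is the text of a .reg export (reg export <key> out.reg); only quoted
string and dword values are handled, which is all these two keys need."""
import re

APPCERT_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
               r"\Session Manager\AppCertDlls")
WALLPAPER_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                 r"\Policies\ActiveDesktop")
# A legitimate AppCertDlls entry never points into a per-user or all-users
# data folder or a temp folder; those are the drop locations the posts list.
DATA_DIR_MARKERS = ("\\application data\\", "\\appdata\\",
                    "\\programdata\\", "\\temp\\")
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg_export(text):
    """Return {key: {value_name: data}} from .reg export text."""
    tree, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tree.setdefault(key, {})
            continue
        m = VALUE_RE.match(line) if key else None
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            # .reg escapes backslashes and quotes inside string data
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        tree[key][name] = data
    return tree

def audit(reg_text):
    """Return (severity, indicator, value_name, data) tuples."""
    tree = parse_reg_export(reg_text)
    findings = []
    for name, data in tree.get(APPCERT_KEY, {}).items():
        path = str(data).lower()
        # Any AppCertDlls entry deserves review; one living in a data folder
        # is the FakeSysdef pattern and is removed from Safe Mode as the post says.
        sev = "high" if any(mk in path for mk in DATA_DIR_MARKERS) else "review"
        findings.append((sev, "AppCertDlls", name, str(data)))
    # The post shows the policy as the string "1"; an export may also hold a dword.
    if tree.get(WALLPAPER_KEY, {}).get("NoChangingWallPaper") in (1, "1"):
        findings.append(("medium", "NoChangingWallPaper policy set",
                         "NoChangingWallPaper", "1"))
    return findings

# Constructed export for the example, reusing the DLL name quoted in the post.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls]
"AppSecDll"="C:\\Documents and Settings\\All Users\\Application Data\\aJnsgXnTGrqWD.DLL"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000001
"""

if __name__ == "__main__":
    for sev, what, name, data in audit(SAMPLE_REG):
        print(f"[{sev}] {what}: {name} = {data}")
```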

Despite its simplistic approach, and with its recent code modifications, FakeSysdef tells us two things: (1) the malware authors are getting a reasonable amount of money from their operation, and (2) it seems we will be seeing more of this trojan in the coming months.  The hardcoded strings – Uniform Resource Identifier (URI), filenames, etc. — suggest that the scammers are using a toolkit or builder to compile new releases.

Hopefully, you found this post helpful. MMPC will continue to track and haunt them until the game is over.

— Rex Plantado, MMPC