Fake Desktop Utilities on the rise (June 8, 2011)

SonicWALL UTM Research team has observed a rise in fake desktop utility malware in the wild. A new fake windows recovery malware is making the rounds through drive-by downloads. We have observed other variants before but this variant employs some new tactics such as disabling the task manager, hiding user programs and files by modifying file attributes, hiding start menu items and disabling multiple operating system features.

As seen in the past with other fake utilities, it attempts to scare the user with fake errors and tries to convince the user to buy the product in order to fix those errors. It uses a fake icon and file name to masquerade as a legitimate file as seen below:

It performs the following activities:

• It creates a copy of itself in the following location
  • AppData%uaaiHfWFhq.exe
• It reports new infection to a remote server
  • GET /404.php?type=stats&affid=508&subid=new02&awok HTTP/1.1
• It creates the following registry entry to ensure infection on reboot
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunuaaiHfWFhq:”%AppData%uaaiHfWFhq.exe”
• It executes the following commands in the background to modify the file attributes to be hidden
  • attrib +h “C:DocumentsandSettingsAllUsersStartMenu*.*”
  • attrib +h “C:DocumentsandSettingsAdministrator*.*”
  • attrib +h “C:*.*”
• It moves contents of start menu from “All UsersStart MenuPrograms” to “%Temp%smtmp1”
• It modifies the following registry values to disable various features
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemDisableTaskMgr
    – Disables the task manager
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerAdvancedHidden
    – Disables viewing of protected operating system files
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerAdvancedShowSuperHidden
    – Disables viewing of hidden files
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoDesktop
    – Hides desktop icons
  • HKEY_CURRENT_USERSoftwareMicrosoftInternetExplorerDownloadCheckExeSignatures
    – Disables warning for downloaded software from untrusted publishers
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesAttachmentsSaveZoneInformation
    – Disables preservation of zone information in downloaded and attached files

Here are some screenshots of the fake utility in action:

It generates fake warnings:

It simulates a scan and displays fake error messages:

If the user proceeds to buy the advanced module it displays the following screen asking for credit card and personal information:

SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

• GAV: FakeSysdef (Trojan)
• GAV: FakeSysdef.A (Trojan)
• GAV: Fakesysdef.BDA (Trojan)
• GAV: Fakesysdef.BDB (Trojan)
• GAV: Fakesysdef.BDC (Trojan)
• GAV: Fakesysdef.BDD_2 (Trojan)
• GAV: Fakesysdef.BDE (Trojan)
• GAV: Dapato.AR (Trojan)
• GAV: Dapato.D (Trojan)

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.