Security News

Live Security Platinum FakeAV infections on the rise (June 20, 2012)

By

Dell SonicWALL Threats Research team observed a rise in FakeAV variant titled “Live Security Platinum”. It was seen spreading in the wild through compromised webpages. As seen in the past, this FakeAV variant uses various scare tactics to convince the user to buy a license in order to disinfect their system. In addition to the usual scare tactics, it was also found redirecting webpages in Internet Explorer to a fake alert page.

On vitising the compromised page, a drive by infection is triggered without the users knowledge. The injected script on the compromised webpage is heavily obfuscated and leads to the download and execution of the FakeAV variant:

screenshot

The FakeAV when executed performs the following activities:

  • It creates the following files:
    • %appdata%529C50D8002841870004330E2830AC72529C50D8002841870004330E2830AC72.exe (Copy of itself) [Detected as GAV: LiveSecurityPlatinum (Trojan)]
    • %appdata%529C50D8002841870004330E2830AC72529C50D8002841870004330E2830AC72 (Data file)]
    • %UserProfile%DesktopLive Security Platinum.lnk
    • %ProgramFiles%Live Security PlatinumLive Security Platinum.lnk

  • It creates the following registry keys:
    • HKEY_USERSSoftwareMicrosoftWindowsCurrentVersionRunOnce:529C50D8002841870004330E2830AC72:”%appdata%529C50D8002841870004330E2830AC72529C50D8002841870004330E2830AC72.exe”
    • SoftwareMicrosoftWindowsCurrentVersionInternet SettingsZoneMapDomains:{removed IP Address}

  • It steals user cookies

  • It connects to remote servers to report infection and for contacting fake payment gateways:

    screenshot

  • Some of the alerts generated are shown below:

    screenshot

    screenshot

    screenshot

  • It hooks GetUrlCacheHeaderData in Wininet.dll to redirect users to a fake alert page in Internet Explorer :

    screenshot

  • It repeatedly prompts the user to buy the product:

    screenshot

    screenshot

  • If the user decides to activate the software, it open a fake payment page asking for credit card details and personal information:

    screenshot

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: LiveSecurityPlatinum (Trojan)
  • GAV: LiveSecurityPlatinum_2 (Trojan)
  • GAV: LiveSecurityPlatinum_3 (Trojan)
  • GAV: LiveSecurityPlatinum_4 (Trojan)
  • GAV: LiveSecurityPlatinum_5 (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
Recommended Cyber Security Stories
Microsoft Security Bulletin Coverage (December 8, 2015)
Opera Browser File URI Buffer Overflow (Nov 20, 2008)
Sonicwall RTDMI engine discovers malicious MS Office file containing Java RAT in the wild
Blackwood APT Group Has a New DLL Loader
JAVA Spring Framework Spring4Shell RCE Vulnerability
This LuckyCat wont bring you any luck (September 14, 2012)
ZBot IRS spam targeting Tax period (Mar 26, 2010)
FREAK: Attacking Export RSA Keys (March 4, 2015)