Live Security Platinum FakeAV infections on the rise (June 20, 2012)

The Dell SonicWALL Threats Research team observed a rise in a FakeAV variant titled "Live Security Platinum". It was seen spreading in the wild through compromised webpages. As seen in the past, this FakeAV variant uses various scare tactics to convince the user to buy a license in order to disinfect their system. In addition to the usual scare tactics, it was also found redirecting webpages in Internet Explorer to a fake alert page.

On visiting the compromised page, a drive-by infection is triggered without the user's knowledge. The injected script on the compromised webpage is heavily obfuscated and leads to the download and execution of the FakeAV variant:

[screenshot]

The FakeAV when executed performs the following activities:

  • It creates the following files:
    • %appdata%\529C50D8002841870004330E2830AC72\529C50D8002841870004330E2830AC72.exe (Copy of itself) [Detected as GAV: LiveSecurityPlatinum (Trojan)]
    • %appdata%\529C50D8002841870004330E2830AC72\529C50D8002841870004330E2830AC72 (Data file)
    • %UserProfile%\Desktop\Live Security Platinum.lnk
    • %ProgramFiles%\Live Security Platinum\Live Security Platinum.lnk
  • It creates the following registry keys:
    • HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\RunOnce:529C50D8002841870004330E2830AC72:"%appdata%\529C50D8002841870004330E2830AC72\529C50D8002841870004330E2830AC72.exe"
    • Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains:{removed IP Address}
  • It steals user cookies
  • It connects to remote servers to report infection and for contacting fake payment gateways:

    [screenshot]

  • Some of the alerts generated are shown below:

    [screenshot]

    [screenshot]

    [screenshot]

  • It hooks GetUrlCacheHeaderData in Wininet.dll to redirect users to a fake alert page in Internet Explorer:

    [screenshot]

  • It repeatedly prompts the user to buy the product:

    [screenshot]

    [screenshot]

  • If the user decides to activate the software, it opens a fake payment page asking for credit card details and personal information:

    [screenshot]
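As an added defender-side illustration (not code from the original write-up), the following Python checker flags the file and registry artifacts listed above when run over constructed file and registry listings. It assumes the redacted ZoneMap\Domains entry is a dotted-IPv4 subkey; the 32-character hex tag and the shortcut names are taken from the list above.

```python
import re
from typing import Iterable, List, Tuple

# Indicators from the write-up: a self-copy at %appdata%\<32 hex>\<same 32 hex>.exe
# (same path without ".exe" is its data file), a RunOnce value pointing at it, two
# "Live Security Platinum.lnk" shortcuts, and an IE ZoneMap\Domains entry for its
# server (dotted-IPv4 subkey assumed; the write-up redacts the address).
HEX32 = r"[0-9A-Fa-f]{32}"
DROPPER = re.compile(r'^"?%appdata%\\(?P<tag>' + HEX32 + r')\\(?P=tag)(?P<ext>\.exe)?"?$',
                     re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.IGNORECASE)
ZONEMAP_IP = re.compile(r"\\ZoneMap\\Domains\\\d{1,3}(?:\.\d{1,3}){3}$", re.IGNORECASE)
LNK_SUFFIXES = ("\\desktop\\live security platinum.lnk",
                "\\live security platinum\\live security platinum.lnk")

def scan_registry(entries: Iterable[Tuple[str, str, str]]) -> List[str]:
    """One finding per (key, value name, data) entry that matches an indicator."""
    findings = []
    for key, name, data in entries:
        m = DROPPER.match(data)
        if RUN_KEY.search(key) and m and m.group("ext"):
            findings.append(f"autorun {key}\\{name} -> {data}")
        elif ZONEMAP_IP.search(key):
            findings.append(f"zonemap {key}")
    return findings

def scan_files(paths: Iterable[str]) -> List[str]:
    """One finding per file path that matches an indicator above."""
    findings = []
    for p in paths:
        m = DROPPER.match(p)
        if m:
            findings.append(("dropper " if m.group("ext") else "data ") + p)
        elif p.lower().endswith(LNK_SUFFIXES):
            findings.append("shortcut " + p)
    return findings

# Constructed sample listings: the page's artifacts plus one benign entry each.
TAG = "529C50D8002841870004330E2830AC72"
HKU = r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion"
SAMPLE_REGISTRY: List[Tuple[str, str, str]] = [
    (HKU + r"\RunOnce", TAG, f'"%appdata%\\{TAG}\\{TAG}.exe"'),
    (HKU + r"\Internet Settings\ZoneMap\Domains\192.0.2.10", "*", "2"),
    (HKU + r"\Run", "OneDrive", r'"C:\Users\u\AppData\Local\OneDrive.exe"'),
]
SAMPLE_FILES = [
    f"%appdata%\\{TAG}\\{TAG}.exe", f"%appdata%\\{TAG}\\{TAG}",
    r"%UserProfile%\Desktop\Live Security Platinum.lnk",
    r"%ProgramFiles%\Live Security Platinum\Live Security Platinum.lnk", r"%UserProfile%\Desktop\Firefox.lnk",
]
```

The directory-name/file-name equality check is what separates this dropper's layout from legitimate per-user application folders, so a bare hex-looking path alone is not flagged.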

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: LiveSecurityPlatinum (Trojan)
  • GAV: LiveSecurityPlatinum_2 (Trojan)
  • GAV: LiveSecurityPlatinum_3 (Trojan)
  • GAV: LiveSecurityPlatinum_4 (Trojan)
  • GAV: LiveSecurityPlatinum_5 (Trojan)