Win 8 Security System FakeAV with Rootkit discovered in the wild (Sep 7, 2012)

The Dell SonicWALL UTM research team has discovered a new FakeAV malware in the wild called Win 8 Security System. FakeAV malware of this nature has been covered before in a previous SonicALERT. However, this FakeAV malware is different in that it deploys a rootkit driver as part of its infection process, which makes the malware very difficult to remove.

Although the sample we obtained failed to show any pop-up dialogs, we were able to gain information about its intentions through our analysis.

The Trojan uses the following icon:

Upon infection, the Trojan deletes itself. It then makes the following changes to the filesystem:

It copies itself to:

  • %APPDATA%\72706355694bcd40.exe [Detected as GAV: FakeAV.WN8 (Trojan)]

It drops a rootkit to:

  • %WINDOWS%\system32\drivers\2a236245d0309b5.sys [Detected as GAV: Rootkit.X (Trojan)]

The file attributes of the rootkit are set to protect it from modification or deletion, even in safe mode.

It adds the following key to the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “%APPDATA%\72706355694bcd40.exe”

A sample of keys added to register the rootkit driver:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_2A236245D0309B5\000 Service “2a236245d0309b5”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_2A236245D0309B5\000 Legacy dword:00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_2A236245D0309B5\000 ConfigFlags dword:00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_2A236245D0309B5\000 Class “LegacyDriver”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_2A236245D0309B5\000 DeviceDesc “2a236245d0309b5”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_2A236245D0309B5\000\Control ActiveService “2a236245d0309b5”
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_9DC9B\000 DeviceDesc “72706355694bcd40.exe”
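The following triage script is an added example, not part of the SonicWALL alert: it looks for the three persistence artifacts described above (a Run entry launched from %APPDATA%, Enum\Root\LEGACY_* driver registrations whose service name is a bare hex string or whose DeviceDesc names an .exe, and hex-named .sys files in the drivers directory). The hex-name length thresholds are triage heuristics assumed here, not detection signatures; run it from an elevated PowerShell prompt so the Enum hive is readable.

```powershell
# Added example (not from the SonicWALL alert): hunt for the persistence artifacts
# described in the alert. Length thresholds in the regexes are assumptions for triage.
$findings = @()
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# 1. HKCU Run entries that launch a binary from %APPDATA% (the FakeAV loader's location).
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
        if ($p.Name -in $psMeta) { continue }            # provider metadata, not a value
        $cmd = [string]$p.Value
        if ($cmd -match '(?i)%APPDATA%|\\AppData\\Roaming\\') {
            $findings += [pscustomobject]@{ Indicator = 'Run entry under APPDATA'; Detail = "$($p.Name) = $cmd" }
        }
    }
}

# 2. Legacy (non-PnP) driver registrations under Enum\Root. The alert's driver used a
#    hex-only service name, and a second LEGACY_ entry described the .exe itself.
$enumRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
Get-ChildItem -Path $enumRoot -ErrorAction SilentlyContinue |
  Where-Object { $_.PSChildName -like 'LEGACY_*' } |
  ForEach-Object {
    $svc  = $_.PSChildName -replace '^LEGACY_', ''
    # Collect DeviceDesc from every instance subkey (0000, ...) without assuming its name.
    $desc = (Get-ChildItem -Path $_.PSPath -ErrorAction SilentlyContinue |
             ForEach-Object { (Get-ItemProperty -Path $_.PSPath).DeviceDesc }) -join ';'
    $image = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" `
              -ErrorAction SilentlyContinue).ImagePath
    if ($svc -match '^[0-9A-Fa-f]{8,}$' -or $desc -match '(?i)\.exe$') {
        $findings += [pscustomobject]@{ Indicator = 'Suspicious LEGACY_ driver'; Detail = "$svc desc=[$desc] image=[$image]" }
    }
  }

# 3. Hex-named .sys files in system32\drivers; show attributes, since the alert notes the
#    rootkit sets them to resist modification or deletion. -Force includes hidden/system files.
$drvDir = Join-Path $env:SystemRoot 'system32\drivers'
Get-ChildItem -Path $drvDir -Filter '*.sys' -Force -ErrorAction SilentlyContinue |
  Where-Object { $_.BaseName -match '^[0-9a-fA-F]{12,}$' } |
  ForEach-Object {
    $findings += [pscustomobject]@{ Indicator = 'Hex-named driver file'; Detail = "$($_.FullName) [$($_.Attributes)]" }
  }

$findings | Format-Table -AutoSize
```

Any hit should be verified against the file on disk and the service ImagePath before acting on it, since legitimate vendor drivers occasionally use opaque names as well.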

The following HTML pages were extracted from the 72706355694bcd40.exe executable during analysis. The pages are used to hook into various browsers such as Internet Explorer and Google Chrome and produce a fake security alert:

We also extracted the following landing pages from the executable:

  • http://st777st.com/z.php?ver=2
  • http://win8sec.com/?do=payment&ver=2
  • http://win8sec.com/?do=minicontact&ver=2

The following screenshot is from the payment landing page:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: FakeAV.WN8 (Trojan)
  • GAV: Rootkit.X (Trojan)
