This system protection software won't protect you from itself. (October 5, 2012)

The Dell SonicWALL Threats research team received reports of a fake antivirus (AV) malware which was actively spreading in the wild. FakeAV software of this nature continues to be a steadily growing trend and has been covered in some of our previous SonicALERTs. Once a system is infected, this software disables the antivirus notifications and lowers the security settings. It then proceeds with its campaign, claiming that the system is infected with malware and trying to sell the software to the user.

The sample we received was spreading under the name Delta_A_Ticket_Print_Document.

Infection Cycle

  • Upon execution, it starts communicating with the remote Command & Control (C&C) server.

  • The response to this is a command to stay idle until further notice.

  • Next we see instructions to download an executable file from a link. We saw multiple links during our analysis session.

  • We saw a command c=run&u=(URL to malicious executable), following which it downloads a new variant of FakeAV, System Progressive Protection.
  • We discovered the following commands being used by the C&C server during our analysis:
    • Idl
    • Run
    • Rem
    • Rdl
    • Red
    • Upd
  • We observed the executable communicating with the following C&C servers:
    • 175.41.28.157
    • 178.162.174.134
  • The original executable is a downloader/dropper that downloads and runs the FakeAV on the system. It then deletes itself and leaves a copy with a random name in the %AllUsers%AppData folder.

  • The executable begins by creating a svchost.exe process and injecting malicious code into it. We also see an empty text file opened in Notepad and a malicious executable being launched. This executable triggers the FakeAV.

  • The malware adds entries to the registry ensuring it runs each time the system starts:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\[Random Characters]
  • The malware modifies the following registry entries to lower the internet security settings:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
  • We see the Fake AV supposedly scan the system and falsely state that the system is infected with different kinds of malware.
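
As an added defender-side example (not part of the original alert), the following Python parses the c=(command)&u=(URL) format observed in the C&C exchange above and triages sample responses from a proxy or sandbox log. The response bodies and payload URL are constructed, and the severity mapping reflects only what the analysis describes (idl = stay idle, run = download and execute); the remaining command codes are kept as observed but undocumented.

```python
from typing import Iterable, Optional
from urllib.parse import parse_qs, urlsplit

# Command codes the analysis saw coming from the C&C server.
OBSERVED_COMMANDS = {"idl", "run", "rem", "rdl", "red", "upd"}
# C&C server addresses listed in the analysis, used to tag known sources.
KNOWN_C2 = {"175.41.28.157", "178.162.174.134"}
# Only idl (stay idle) and run (fetch and execute u=) have meanings the
# analysis describes; the other codes were observed but not documented.
SEVERITY = {"run": "high", "idl": "info"}

def parse_c2_response(body: str) -> Optional[dict]:
    """Return a parsed command if body has the c=<cmd>[&u=<url>] shape, else None."""
    fields = parse_qs(body.strip(), keep_blank_values=True)
    cmd = fields.get("c", [""])[0].lower()
    if cmd not in OBSERVED_COMMANDS:
        return None
    url = fields.get("u", [""])[0] or None
    return {
        "command": cmd,
        "url": url,                                               # payload URL, if any
        "payload_host": urlsplit(url).hostname if url else None,  # for blocklisting
        "severity": SEVERITY.get(cmd, "medium"),
    }

def triage_c2_log(records: Iterable[tuple]) -> list:
    """records: (server_ip, response_body) pairs; one alert per C&C response."""
    alerts = []
    for server_ip, body in records:
        parsed = parse_c2_response(body)
        if parsed is not None:
            parsed["server"] = server_ip
            parsed["known_c2"] = server_ip in KNOWN_C2
            alerts.append(parsed)
    return alerts

# Constructed sample records, not captured traffic; the payload host is a placeholder.
SAMPLE_RECORDS = [
    ("175.41.28.157", "c=idl"),
    ("175.41.28.157", "c=run&u=http://payload.example.invalid/ssp.exe"),
    ("203.0.113.9", "c=upd"),
    ("203.0.113.9", "<html>not a command</html>"),
]

if __name__ == "__main__":
    for alert in triage_c2_log(SAMPLE_RECORDS):
        print(alert)
```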

FakeAV – System Progressive Protection
Once the FakeAV screen appears on the system the following is observed:

  • Most of the running programs are closed
  • Task Manager is disabled
  • There is no easy way to close the application: since Task Manager is disabled, the user cannot run programs that could kill the process. It even disables right-click on its taskbar icon
  • It closes any application the user opens, claiming that it is infected
  • Notification about system infection keeps popping up at regular intervals if the user closes the main window

  • The user gets a warning message when trying to open any site. In this example we got a message saying google.com is a potentially dangerous site.

Dell SonicWALL Gateway AntiVirus provides protection against this threat as well as the downloaded executable via the following signatures:

  • GAV: Bredolab.CBE (Trojan)
  • GAV: FakeAV.SSP (Trojan)
  • GAV: Papras.FRY (Trojan)