Antivirus Security Pro FakeAV Downloader – Onkods (Nov 8, 2013)


The Dell SonicWall Threats Research team has observed multiple variants of a new FakeAV downloader Trojan being actively spammed in the wild. The FakeAV downloader, also known as Onkods, arrives as an e-mail attachment pretending to be a JPEG image. When an unsuspecting user opens the attachment, it downloads and installs a new FakeAV Trojan, Antivirus Security Pro. Both the downloader and the FakeAV Trojan use multiple anti-debugging and anti-detection techniques to evade heuristic detection and automated analysis.

Here is a list of e-mail subjects and attachment names from various spam e-mails involving the Onkods Trojan that were captured over the last week:

Sample e-mail messages look like below:

Infection Cycle:

A closer look at the Onkods downloader Trojan binary revealed that certain API call and Windows library names are stored encrypted to deter heuristic detection. These are the network-activity and filesystem-activity related API calls, and they are decrypted at runtime.

Encrypted API calls (encrypted → decrypted):

  • JHo@pNEE]dGoY → InternetOpenA
  • JHo@pNEE]dGoMe{^ → InternetOpenUrlA
  • JHo@pNEEQxMr}_vqwqf → InternetCloseHandle
  • JHo@pNEE@qCe^~{z → InternetReadFile
  • @T~DvEpC}wGrkV → CreateProcess
  • @T~DvEfX~qc → CreateFileA
  • TTrQgfI]w → WriteFile
  • @JtVghA_vxG → CloseHandle

Encrypted Windows library names (encrypted → decrypted):

  • tOuLlET.vxn → wininet.dll
  • HCiKgL.pNm → Kernel32.dll
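Because the obfuscated strings are stored verbatim in the binary and only decrypted at runtime, they are themselves a usable static indicator. The following is an added example, not code from the SonicWall analysis: a small scanner that looks for the published encrypted names in a buffer or file and reports which ones it found. The embedded sample buffer is constructed for the example, and the three-hit threshold is an assumption, not a figure from the analysis.

```python
# Added example: static string scan for the obfuscated API and library
# names the analysis lists for the Onkods downloader.

# Obfuscated strings as published in the write-up, mapped to the name
# each one decrypts to at runtime.
ONKODS_ENCRYPTED_STRINGS = {
    b"JHo@pNEE]dGoY": "InternetOpenA",
    b"JHo@pNEE]dGoMe{^": "InternetOpenUrlA",
    b"JHo@pNEEQxMr}_vqwqf": "InternetCloseHandle",
    b"JHo@pNEE@qCe^~{z": "InternetReadFile",
    b"@T~DvEpC}wGrkV": "CreateProcess",
    b"@T~DvEfX~qc": "CreateFileA",
    b"TTrQgfI]w": "WriteFile",
    b"@JtVghA_vxG": "CloseHandle",
    b"tOuLlET.vxn": "wininet.dll",
    b"HCiKgL.pNm": "Kernel32.dll",
}


def scan_buffer(data: bytes, min_hits: int = 3) -> dict:
    """Return the obfuscated strings found in `data` and a verdict.

    A single short string could appear by chance in a large binary, so the
    verdict requires `min_hits` distinct indicators (an assumed threshold).
    The result maps each decrypted name to the byte offset of its encrypted form.
    """
    hits = {}
    for encrypted, decrypted in ONKODS_ENCRYPTED_STRINGS.items():
        offset = data.find(encrypted)
        if offset != -1:
            hits[decrypted] = offset
    return {"hits": hits, "suspicious": len(hits) >= min_hits}


def scan_file(path: str, min_hits: int = 3) -> dict:
    """Convenience wrapper: scan a file on disk."""
    with open(path, "rb") as fh:
        return scan_buffer(fh.read(), min_hits)


# Constructed sample: filler bytes with three of the published obfuscated
# strings embedded, and a clean buffer for comparison.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 32 + b"tOuLlET.vxn\x00" + b"\x11" * 8
          + b"JHo@pNEE]dGoMe{^\x00" + b"\xab" * 16 + b"@T~DvEpC}wGrkV\x00")
CLEAN = b"MZ\x90\x00" + b"This program cannot be run in DOS mode." * 2

if __name__ == "__main__":
    print(scan_buffer(SAMPLE))  # three hits, suspicious=True
    print(scan_buffer(CLEAN))   # no hits, suspicious=False
```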

If the user opens the attachment, it connects to a predetermined remote server to download the FakeAV Trojan. The downloader uses a custom User-Agent string as seen below:

The server hosting these FakeAV Trojan binaries is located in Lithuania. The downloader then runs the downloaded executable, which begins the FakeAV infection cycle.

Antivirus Security Pro

The FakeAV Trojan checks for the presence of either of the two files c:\sd.dbg and c:\sd2.dbg and terminates itself if one is found. It also checks for the presence of virtual environments such as VirtualBox, Virtual PC, VMware, and QEMU before starting the infection cycle. While we have seen many other malware families that are VM-aware, this one is unusual in that it uses the more discreet API calls SetupDiGetClassDevs, SetupDiEnumDeviceInfo, and SetupDiGetDeviceRegistryProperty to enumerate hardware and detect the virtual environment, as seen below:

It disables the Microsoft Windows security and update processes by running these commands:

It then displays a fake Windows Security Center alert claiming to be searching for a solution to fix virus activity, followed by an Antivirus Security Pro scan:

The following screens show the usual Fake Antivirus scareware tactics:

  • Fake scanning and infection alerts.
  • Blocks legitimate programs from running.
  • Prompts the user to buy an upgrade to clean up the infection.

We were able to extract the following affiliate ID, payment gateway, and support URLs during our analysis:

Dell SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Onkods.S (Trojan)
  • GAV: Kryptik.BLMB (Trojan)
  • GAV: FakeAV.BLMB (Trojan)