Fake-Alert Tour Driven by Malware Team
Thursday December 4, 2008 at 11:00 am CST
Posted by Nandi Kishore
Fasten your seatbelts, for today we take you on a tour of fake-alert Trojans that have been doing the rounds on the Internet lately. On this tour of various malware stations you’ll be taken to a system infected by a fake/rogue anti-virus application. Below is an example of a method implemented by such malware to infect a machine.
Here is your itinerary:
Station 1: Malicious web page that hosts a malware
Station 2: Browser helper object
Station 3: Fake/rogue anti-virus application downloader
Destination: Fake/rogue anti-virus application–infected system
The journey starts with a malicious web page that hosts malware. Users reach these malicious pages through social engineering techniques such as a link via email or instant messenger, or redirection from a compromised legitimate website. A single click on these links will start the infection.
Upon visiting the malware-hosting web page, the user “buys a ticket” in the form of an executable file downloaded onto the system through some social engineering technique.
On our example tour,
- http://best[blocked]tube.net
When users visit the page above, they’re asked to download wmcodec_update.exe, which pretends to be a codec plug-in for Windows Media Player. A message box pops up repeatedly until users download the fake plug-in file, which is a Multi Dropper malware.
Upon execution, the downloaded file pops up a fake error message, as shown below:
The malware continues to execute and drops:
- Browser helper objects
- Fake/rogue anti-virus application downloader
Our “tourists” now move to the next station, the browser helper object. At this station, the victims’ browsers are compromised. For example, a user’s search queries are manipulated to contain a link to another malicious web page. The following two images show the difference between a “clean” search and one made after a link to a malicious web page has been injected by the browser helper object. I have highlighted one malicious site; try to find five differences between the two images.
Before injection of the URL:
A compromised browser, after injection of the malicious URL:
Many spyware applications use browser helper objects to capture the surfing habits of users. This information is used later by the malware authors for pop-up ads relevant to search keywords, for example.
The next station on our tour is the fake/rogue anti-virus application downloader. Here users see two magazine icons on the desktop, which are links to porn sites.

The fake application is downloaded without user intervention by the “fake” downloader. Finally, the users’ systems are infected with the fake application malware.
At this point, users see a bogus alert from the fake application.
Scanning through the report generated by the fake app reveals that this report is exaggerated and false.
The fake-alert malware displays spurious alerts to entice users into buying products to “repair” the system from the fake, exaggerated threat.
Did you enjoy your fake-alert tour? Today, malware components often work as a team to infect computers. In this tour, we saw a malicious web page hosting malware, a Multi Dropper, a browser helper object, a downloader, and a fake alert work together for a common goal.
As always, we advise you to take precautions with fake plug-in downloads that loop infinitely, without giving you a chance to close that message box. Try to kill the processes behind such spurious messages through the Task Manager. Be careful about the links in your email, especially in anonymous mail, and about links in instant messages. Always practice “safe surfing,” which is the first step in keeping your computers clean.
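Two of the stations on this tour leave traces that a defender can enumerate directly: the browser helper object is registered under a fixed registry key and resolves to a DLL on disk, and the downloader and fake alert persist through a logon autorun entry and freshly written files in the system folder. The PowerShell script below is an added example, not code from the original post or from McAfee; it lists registered BHOs with their DLL paths, the Run/RunOnce entries for the machine and current user, and files in System32 written within a window of days, and flags any entry whose file is missing or newly written. The registry locations are the standard ones; the seven-day window is an assumption you should adjust.

```powershell
# Added example, not code from the original post. Lists the Browser Helper
# Objects registered on this machine, the programs set to run at logon, and the
# files in the Windows system folder written recently, so an unexpected entry
# stands out. Assumptions: standard registry locations; the 7-day window is an
# arbitrary choice. Run from an elevated prompt for the HKLM entries.

$RecentDays = 7
$cutoff = (Get-Date).AddDays(-$RecentDays)

function Resolve-CommandPath {
    param([string]$Command)
    # Strip surrounding quotes and arguments, expand %SystemRoot%-style variables
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split ' ')[0]
}

function New-Finding {
    param([string]$Source, [string]$Name, [string]$Path)
    $file = $null
    if ($Path -and (Test-Path -LiteralPath $Path)) { $file = Get-Item -LiteralPath $Path }
    $lastWrite = $null
    if ($file) { $lastWrite = $file.LastWriteTime }
    [pscustomobject]@{
        Source    = $Source
        Name      = $Name
        Path      = $Path
        Exists    = [bool]$file
        LastWrite = $lastWrite
        # An entry pointing at a missing or freshly written file deserves a closer look
        Suspect   = (-not $file) -or ($file.LastWriteTime -gt $cutoff)
    }
}

function Get-BrowserHelperObjects {
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($entry in Get-ChildItem -Path $key) {
            $clsid = $entry.PSChildName
            # The CLSID's InprocServer32 default value is the DLL Internet Explorer loads
            $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
            $dll = $null
            if (Test-Path $server) {
                $dll = (Get-ItemProperty -Path $server).'(default)'
                if ($dll) { $dll = Resolve-CommandPath $dll }
            }
            New-Finding -Source 'BHO' -Name $clsid -Path $dll
        }
    }
}

function Get-LogonAutoruns {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        # Skip the PS* metadata properties PowerShell adds to the returned object
        $props = $values.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
        foreach ($prop in $props) {
            New-Finding -Source $key -Name $prop.Name -Path (Resolve-CommandPath ([string]$prop.Value))
        }
    }
}

function Get-RecentSystemFiles {
    # The check one reader describes doing by hand: new files in the system folder
    Get-ChildItem -Path "$env:windir\System32" -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff } |
        ForEach-Object { New-Finding -Source 'System32' -Name $_.Name -Path $_.FullName }
}

$findings = @(Get-BrowserHelperObjects) + @(Get-LogonAutoruns) + @(Get-RecentSystemFiles)
$findings | Sort-Object Suspect -Descending |
    Format-Table Source, Name, Path, LastWrite, Suspect -AutoSize
```

Entries marked Suspect are candidates, not verdicts: a legitimate update also writes new files into System32, so compare each flagged DLL or executable against its publisher signature and a known-good machine before removing the registry entry that loads it. Removing the Run value and the BHO registration together is what stops the fake alert from returning at the next logon.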

December 4th, 2008 at 14:46
Congrats Kishore on your inaugural vivid and self interpretable blog composed with flamboyant images
December 5th, 2008 at 19:05
Obviously Mcafee is aware of these fake security apps. When will a Mcafee scan be able to remove them? I do tech support and talk to customers every day who have McAfee software but the scamware was not removed by a Mcafee scan.
December 8th, 2008 at 08:34
I believe this is what has happened to my computer just last Thursday!! I just can’t figure out what I did to get it.
Anyway, what is the fix?
Thanks,
Carol
December 15th, 2008 at 13:03
This happened to my PC last night as well, so what is the fix?
December 20th, 2008 at 09:37
I have been infected with this. I was able to get the files out of the system folder and the virus no longer executes. This was done by finding the suspicious files in Windows system folders and finding the five files that were brand new - last modified on 12/18/2008.
My problem is that a registry key still exists which loads Fake Alert on start up. Immediately I open IE to my homepage and run a spyware scan. It finds the trojan and removes it. Everything works fine until my next start up.
My major problem is what is happening at start up. This rogue registry entry is causing McAfee to peg my processor at 100% on start up, which usually freezes my computer. It can take two or three start ups to get a working system, and then spyware scan to remove the trojan.
PLEASE tell me where to find this dang key in my registry? Or how to disable it on start up? I’ve taken this opportunity to clean up my registry, to modify my start up configurations and everything. But I still get this dang thing loading. At least with the files out of the system folder I am not getting the gay fetish icons on my desktop.
That is how I got infected to begin with. My wife saw those icons pop up and clicked on them. The ever curious and suspicious wife, wondering if somehow, after 10 years, I have suddenly become gay. Brilliant tactic by the hackers.
December 22nd, 2008 at 19:52
This has been happening to my computer too! I’ve downloaded Antimalwarebytes and done several scans, as well as used NVT Rogue Software removal, Spybot, and Smitfraudfix scans to try to rid my computer of the ads. I keep getting bogus anti-virus program popups though! I don’t know how to make them stop. I would love a fix!
Thanks!
December 27th, 2008 at 12:40
My patience with WinDoze has run out. Microsoft made billions off an obviously defective product. IMHO, MS will never be able to secure their software, because of inherent architectural weaknesses.
I, too, would love a fix. The closest I can come to that is transition to using Linux- & Mac-based systems. Not ideal, and *certainly* not “100% malware free”, but not as much of a ROYAL pain in the ass as MS-based systems, either.
February 27th, 2009 at 23:02
I have experienced the same issue TWICE! I am a McAfee subscriber and very surprised that this was not caught by the program.
Please help.
What is the fix?