Thursday, 2 May 2013

Fake Microsoft Security Scam

signage-microsoft
Webroot has detected a new wave of bogus Microsoft-themed cyber scams, looking to dupe web users with bogus security notifications.
The security firm reported detecting a number of scams targeting users with malware-laden messages masquerading as alerts from Microsoft in a blog post on Tuesday.
"Recently we have seen an increase in fake Microsoft scams, which function by tricking people into thinking that their PC is infected," wrote Webroot's Roy Tobin. He added that the cyber crooks use a variety of techniques to get the messages in front of their victims.
"There are a number of ways to figure out that this is a false alert. The first is that it's a website message and not a program; the second is that location of the website will be a random string of letters," he said.
"These websites will normally only stay active for 24-48 hours before they are pulled down. The websites' primary function is to get you to run a ‘removal tool' called ‘security cleaner'. This file is the infection and, if ran, will infect the PC and start displaying pop-ups."
The Webroot researcher said that the scams are not terribly advanced, and as long as users don't click on the malicious messages they will stay safe.
"At this stage [when the message appears], the PC is not infected so it's safe to close the browser and ignore any alerts from the website. Noting the website that displayed the message is good idea as you can notify the webmaster (if it's a legitimate website)," wrote Tobin.
Microsoft is one of many big brands used by cyber criminals to make the phishing messages look more legitimate. Last month, McAfee detected a cyber scam that used Facebook and LinkedIn to spread malware.
At the time of publishing, Microsoft had not responded to V3's request for comment on the influx of new scams using its name.

 Analysis:
With these types of scams there are a number of things to remember.
1.       Microsoft will never call you telling you that your PC is infected
2.       Never allow strangers to connect to your PC
3.       Do not give any credit card info to somebody claiming to be from Microsoft
4.       If in doubt, shut down your PC and call Webroot
The current scam will display a webpage that is very similar to the one in Figure 1. There are a number of ways to figure out that this is a false alert. The first is that it’s a website message and not a program; the second is that location of the web site will be a random string of letters.
More details:
These websites will normally only stay active for 24-48hrs before they are pulled down. The websites’ primary function is to get you to run a “removal tool” called “security cleaner”. This file is the infection and, if ran, will infect the PC and start displaying pop-ups (like the one in Figure 2).
browser_alert
Figure 1: Fake Alert
At this stage, the PC is not infected so it’s safe to close the browser and ignore any alerts from the website. Noting the website that displayed the message is good idea as you can notify the webmaster (if it’s a legitimate website).
I have seen examples of this type of fake webpage being linked from advertising links. Using a browser that has a pop-up blocker will reduce the likelihood of encountering a bad advertising link. With scams like this, the most important way to stop getting infected is to be diligent when you’re online.
If a website asks you to run a file that you haven’t asked for, be extremely cautious. The same goes for emails (even from friends). Do not open executable files unless you are 100% sure they are good.
FakeAV
Figure 2: Fake AV Pop-up
Behavior:
The info below is only a guideline as the payload can change. However, it follows the same pattern of dropping a fake AV that stops you from opening most programs.
  • Drops a randomly named file in the current users folder (Fake AV payload)
  • Creates a service for the above file
  • Disables Windows Firewall or modifies the settings to allow the file full access to the PC
  • Creates a number of files in the windows recycler folder (usually Zero Access)
  • Flags any opened program as an infection (by modifying the open shell reg key)
  • Fake AV will then prompt the user to pay to remove the detected “infections”
Webroot Detection logs:
Infection detected:
c:\users\owner\appdata\local\microsoft\windows\temporary internet files\content.ie5\wckxi56g\security_cleaner[1].exe
MD5: 68D9F9C6741CCF4ED9F77EE0275ACDA9
Detection rate of the file 28/46 Vendors on Virus Total.
Registry Changes:
Below is an example of some of the changes. The first shows how it modifies the open shell command so when you open any file it will run the Fake AV. The second shows the security center notifications that are disabled.
hkcr\w1\shell\open\command”C:\Users\User\AppData\Local\gpt.exe
hklm\software\clients\startmenuinternet\iexplore.exe\shell\open\command
HKLM\SOFTWARE\Microsoft\Security Center  AntiVirusDisableNotify   00000001
HKLM\SOFTWARE\Microsoft\Security Center  AntiVirusOverride   00000001
How to protect yourself from these scams:
There are a number of ways to ensure your PC is protected from these types of scams. The first step is simply being aware that these scams exist! Also, make sure to:
  • Use Webroot Secure Anywhere
  • Keep Windows updates turned on and set them to automatically update
  • Use a modern secure browser like Firefox  or Chrome
  • Update any 3rd party plugins (Java/Adobe Reader/Flash player)
  • Use an ad-blocker add-on in Firefox/Chrome
I have seen a number of infections that would have been prevented if Windows was up to date. Microsoft is constantly updating Windows to patch various security updates.
Removal:
Webroot SecureAnywhere automatically blocks the installation of the infection so it won’t even run (Figure 3).  If the PC has no AV software installed, booting into Safe Mode with networking and installing Webroot Secure Anywhere will remove the threat.  Manually removing this threat is possible; however, there may be some system damage that will need to be repaired.
Webroot support is always available to help with removal and questions regarding this infection.  Please visit the Webroot support web site for more detail at: http://www.webroot.com/support/.
WSAremoval
Figure 3: SecureAnywhere Removal

No comments:

Post a Comment