January 19, 2009

Antivirus 2009 Case Study

Overview

Antivirus 2009 is a type of scareware that generates fake antivirus warnings to trick users into installing malicious software on their computer. This malware is particularly aggressive, in that it demonstrates many of the latest self-protective measures for taking control of the victim computer. Once installed, the application attempts to force the user to purchase Antivirus 2009, which is a fake antivirus application. Once purchased, the application then installs additional malware on the victim computer.

Infection Source

Most of the observed infections result from visiting a web site that has been compromised. On visiting the compromised site, the user's browser displays two popups: one that covers the entire screen and emulates an antivirus scan, and a second, smaller, script-generated box that appears to be an antivirus scan report showing an infection. The warning is fake; at this point the user has not been infected.
If the user clicks on either of the popups, the site installs the malware. Internet Explorer, Mozilla Firefox, Opera and Chrome all seem to follow identical infection methods. It is unknown whether the installer is able to exploit browser vulnerabilities to force an installation.

Results of Infection

Once the malware has been installed on the victim computer, it begins installing supporting software and attaching itself to several processes. The first step in the infection seems to be the installation of a DNS server and a web server on the computer, both bound to 127.0.0.1. The DNS server resolves the domain names of common antivirus manufacturers to the web server at 127.0.0.1.
The next step appears to be the neutralization of antivirus software installed on the computer. In some cases, this is accomplished by redirecting the update mechanism of the antivirus application to the fake web server on the computer, which delivers empty or corrupt antivirus updates. In other cases, the existing definitions may be infected or corrupted, so that the antivirus application appears to work correctly although it is no longer able to detect certain types of infections.
Finally, the malware attempts to disrupt the user's ability to access the internet. Traffic to security and antivirus web sites is redirected to the malware's internal web server. Opening a browser also triggers warning popups on a set delay. As the malware binds to more processes, the infected computer eventually becomes unusable.
An interesting self-defense capability of the malware is worth noting: an executable killer. The malware monitors all processes, looking for attempts to install antivirus applications. If such a process is detected, the malware kills it before installation begins.
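The loopback redirection described above leaves a simple artifact a defender can check for: vendor hostnames that resolve only to 127.0.0.1 (or to nothing at all). The following detection check is an added example, not code from the original post; the probe hostnames are an assumed list (the post names Kaspersky and AVG, but not these exact hosts), and the resolver is injectable so the logic can be exercised against constructed answers.

```python
"""Added example: flag security-vendor hostnames whose DNS answers point at
the local machine, the redirection technique the case study describes."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Assumed probe list: names a healthy machine should resolve to public IPs.
PROBE_HOSTS = ["www.kaspersky.com", "www.avg.com", "www.microsoft.com"]


def system_resolve(host: str) -> List[str]:
    """Resolve with the OS resolver; empty list when the name does not resolve."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify(addrs: Iterable[str]) -> str:
    """Classify one hostname's answers:
    'redirected'  every address is loopback or unspecified (0.0.0.0 / ::),
                  i.e. the name has been pointed at the local machine
    'unresolved'  no answer at all (vendor sites can also be blocked this way)
    'ok'          at least one routable address came back
    """
    addrs = list(addrs)
    if not addrs:
        return "unresolved"
    ips = [ipaddress.ip_address(a) for a in addrs]
    if all(ip.is_loopback or ip.is_unspecified for ip in ips):
        return "redirected"
    return "ok"


def find_redirected_hosts(hosts: Iterable[str],
                          resolver: Callable[[str], List[str]] = system_resolve
                          ) -> Dict[str, str]:
    """Return {hostname: status} for every probed name that is not 'ok'."""
    findings = {}
    for host in hosts:
        status = classify(resolver(host))
        if status != "ok":
            findings[host] = status
    return findings


if __name__ == "__main__":
    for host, status in find_redirected_hosts(PROBE_HOSTS).items():
        print(f"{status:>10}: {host}")
```

A machine that reports every probed vendor name as redirected while ordinary sites resolve normally matches the behaviour described above and should be examined offline.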

Prevention

The best case scenario is prevention. Testing indicates that Kaspersky Antivirus, AVG and other packages that include a "Web Shield" type of component are able to prevent infection regardless of browser (I have tested this with Explorer, Firefox, Opera and Chrome) and fully mitigate the attack, with an appropriate warning.

Removal

Removal of the Antivirus 2009 malware is extremely difficult. Most malware will simply prevent the download of new antivirus software, and this malware is quite adept at it. This can be circumvented by downloading the antivirus application on a clean computer and burning the software and the latest update file to a CD. However, in many cases this malware will detect the attempt to install the software. It is sometimes possible to prevent this by renaming the installer.
If antivirus is installed on the compromised computer, it will almost immediately come under attack by the malware. It is important to make sure the antivirus software has a self-defense feature to prevent the compromise of the definitions file. In some cases, the antivirus software may need to be run dozens of times before the infection is fully cleared. Other times, a full reformat of the hard drive is the only option.
The following sites have detailed information on possible removal options:
Update (1/28/2009): Microsoft's recent Malware Removal update targeted this specific malware. More information about the update and the results of its use can be found here.
