Developers of the Rogues Virus Doctor and My Supervisor accidentally gave us a toy to play with


6 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,463 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:10:18 AM

Posted 03 February 2009 - 06:51 PM

Sometimes when analyzing a new piece of malware you run into something that is just fun to play with. Last night I had this opportunity with two new rogues called Virus Doctor and My Supervisor, both being from the same developer. At another site, a member named Remixed tipped me off to a program called Virus Doctor that could be a new rogue. After visiting the link, examining the web page, and looking up info on the registrar, I decided to fire up the executable and see if the program actually classified as a rogue or not. After installing Virus Doctor, I noticed that though it looked like a rogue, it was not showing any false positives when scanning my test computer. Digging deeper I found some URLs embedded in the executable that allowed me to download what appears to be a development version of the program. When I say development version, it means that the normal skin for this program has been replaced with one that contains extra buttons that allow us to trigger events that would normally have been shown randomly. The events that it allowed me to trigger were ads for another rogue program, displaying fake security alerts, and displaying nag screens.

Having access to a dev version of a rogue software provides a bit of insight into how the developers are trying to scam the infected users. When a legitimate anti-malware program finds a security problem, it too may display an alert to notify you. On the other hand, we have always known that rogues issue these alerts randomly and without valid information behind them. Having a dev version of a rogue that allows us to trigger these events just validates that the developers are attempting to do one thing and only one thing: scam the infected user into thinking they should purchase their software. They do this by hard coding scary messages about infections, keyloggers, and spam. These messages contain variables that the program can change each time the nag screen or alert is shown so that it looks a bit more authentic. The fact that the program has buttons to trigger these events means that the events are not being displayed based upon specific criteria of the machine it is running on, but rather what the developers pre-coded it to display.

Embedded below is a video showing the development versions of both Virus Doctor and My Supervisor. My Supervisor is explained in more detail after the video.



As you may have noticed from the video, one of the buttons on the Virus Doctor dev screen was labeled Promo. When pressing this button the program displayed a pop-up that displayed an advertisement for another program created by the same developers called My Supervisor. If you click on the button in this pop-up, Virus Doctor will download and install My Supervisor. My Supervisor is another rogue program that is packaged as a system optimization suite. When the program is installed it will create a variety of services such as an autoruns manager, a service manager, disk doctor, registry repair, and privacy guard. Just like Virus Doctor, this program will display a variety of false results in order to have you purchase the program. This version of the program is a dev version as well, which further enabled us to trigger various events in the program.

Though having these development versions of the rogues does not necessarily tell us anything we do not already know, it does shed some light on the development process for rogue software and how they deliberately attempt to trick their users. I hope you enjoyed this article and the video as much as I enjoyed writing it. If you are infected with either of these programs, then please use the removal guide below:
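The post describes two things an analyst pulled out of the sample: download URLs embedded in the executable, and hard-coded alert messages with variable slots. The following is an added example (not code from the post, and not the rogue's own code) of the kind of offline string triage that surfaces both: it walks a byte blob for ASCII and UTF-16LE (wide) strings, then pulls out anything that looks like a URL and any message that carries printf-style placeholders. The sample bytes are constructed here with `.invalid` hostnames and made-up alert text; the assumption that the rogue's messages use `%s`/`%d`-style placeholders is mine, not something the post states.

```python
import re
import string

# Deliberately simple URL matcher for triage: scheme, host, optional port and path.
# It is not a full RFC 3986 parser.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\"'<>]*)?")

# printf-style and .NET-style placeholders; an assumption about how the
# "variables" in the rogue's alert text are implemented.
PLACEHOLDER_RE = re.compile(rb"%[sdu]|\{\d+\}")

# Printable ASCII minus whitespace control characters.
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")


def ascii_strings(data: bytes, min_len: int = 6):
    """Yield runs of printable ASCII bytes at least min_len long (like `strings`)."""
    run = bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
        else:
            if len(run) >= min_len:
                yield bytes(run)
            run = bytearray()
    if len(run) >= min_len:
        yield bytes(run)


def wide_strings(data: bytes, min_len: int = 6):
    """Yield UTF-16LE strings (printable byte followed by NUL), common in Windows binaries."""
    run = bytearray()
    i = 0
    while i + 1 < len(data):
        lo, hi = data[i], data[i + 1]
        if lo in PRINTABLE and hi == 0:
            run.append(lo)
            i += 2
        else:
            if len(run) >= min_len:
                yield bytes(run)
            run = bytearray()
            i += 1  # re-align by one byte and keep scanning
    if len(run) >= min_len:
        yield bytes(run)


def extract_urls(data: bytes):
    """Return unique URLs found in ASCII or wide strings, in order of discovery."""
    found = []
    for s in list(ascii_strings(data)) + list(wide_strings(data)):
        for m in URL_RE.finditer(s):
            url = m.group(0).decode("ascii")
            if url not in found:
                found.append(url)
    return found


def find_templates(data: bytes, min_len: int = 12):
    """Return strings that contain placeholder slots, i.e. canned messages the
    program fills in at display time."""
    candidates = list(ascii_strings(data, min_len)) + list(wide_strings(data, min_len))
    return [s.decode("ascii") for s in candidates if PLACEHOLDER_RE.search(s)]


# Constructed stand-in for an executable: a fake DOS header, an ASCII URL,
# a wide-string URL, one fixed alert and one templated alert. Not a real sample.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
    + b"http://update.example.invalid/dev/virusdoctor_dev.exe\x00"
    + bytes([0x7F, 0x10, 0x22])
    + "http://promo.example.invalid/mysupervisor.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\xde\xad\xbe\xef"
    + b"Warning! Keylogger detected on your computer!\x00"
    + b"Attention! %d infections and %d keyloggers found on %s\x00"
)

if __name__ == "__main__":
    for url in extract_urls(SAMPLE):
        print("url:", url)
    for tpl in find_templates(SAMPLE):
        print("templated alert:", tpl)
```

Running the file prints the two embedded URLs (one stored as ASCII, one as a wide string) and the single templated alert; the fixed "Keylogger detected" message is skipped because it carries no slot. On a real sample, `open(path, "rb").read()` replaces `SAMPLE`, and the URLs go into a blocklist or sandbox rather than a browser.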


#2 Lloyd T

Lloyd T

  • Members
  • 853 posts
  • OFFLINE
  • Gender:Male
  • Location:Canada
  • Local time:10:18 AM

Posted 03 February 2009 - 07:16 PM

My Supervisor is the most professional-looking rogue I have ever seen. The pop-ups look more professional than AntiVirus 2009's.

Why do rogue developers put alert buttons all over a developer version? Are they used to test any alerts? What would happen if you pressed "Google"?

#3 scff249

scff249

    Indecisive Lurker


  • Members
  • 1,319 posts
  • OFFLINE
  • Gender:Male
  • Location:A galaxy far, far away...
  • Local time:09:18 AM

Posted 03 February 2009 - 07:46 PM

LloydT:

I'm not exactly a programmer, but I'm guessing that they put it there so that they can test it by executing it manually instead of having it execute automatically (of course, this is purely a guess). If I understand things right from what I know of programming, it's just as simple to delete the button and make a slight modification to the code to have it automatically execute after a load command (such as the "onLevelLoaded" command in Torque Script).

.....actually, what the heck am I saying? I'm not a programmer.....so I'll shut up right here.

But still.......it's kind of funny to see the dev version of that rogue program :thumbsup:

And now I'll shut up.

Edited by scff249, 03 February 2009 - 07:46 PM.

"Ototo'i wa usagi o mita no...Kino wa shika...Kyo wa anata." -Kotomi Ichinose (Clannad) [see below for translation]
"Day before yesterday I saw a rabbit, and yesterday a deer, and today, you." -The Dandelion Girl
"You are not alone, and you are not strange. You are you, and everyone has damage. Be the better person." -Katawa Shoujo


#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:07:18 AM

Posted 03 February 2009 - 11:13 PM

Sometimes I wonder why these buggy programs even get put out. I know it's malware.. but seriously. That kind of shoddy work is great for us... but still, sometimes I wonder what malware authors are thinking.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#5 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,463 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:10:18 AM

Posted 04 February 2009 - 07:33 AM

They are sloppy, end of story. We found the URLs before they were ready to go live and didn't expect people to get their executables yet.

#6 Beenthere

Beenthere

  • Members
  • 118 posts
  • OFFLINE
  • Local time:03:18 PM

Posted 04 February 2009 - 11:32 PM

Oh certainly I enjoyed this Grinler, thank you!

#7 CCRN396

CCRN396

  • Members
  • 505 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:18 AM

Posted 05 February 2009 - 11:11 PM

Great article Grinler!!!
thanks....
