
New malware secretly uninstalls your Antivirus and then takes its place



#1 Grinler (Lawrence Abrams), Admin

Posted 03 August 2011 - 03:00 PM

Security researcher Xylitol recently wrote an article about a new malware that performs some tricks to make you think your computer is running normally when it is in fact infected with a variety of malware. Typically, when a brand new computer infection is released, your antivirus program is hard-pressed to update its malware database fast enough to protect you from it. Even if the malware is installed before your antivirus can detect it, the hope is that once the malware is added to the security software's virus database, it will then be detected and removed.

What is malware to do, then, to protect itself from this tactic? Most malware will terminate known antivirus programs and other security programs when they are started. This, though, can quickly become suspicious when various programs you try to run are immediately terminated. This new malware offers a sneakier solution: simply uninstall the antivirus software installed on the computer and then run malware that pretends to be it. This is exactly what Xylitol found when researching a new Trojan that has been labeled Trojan.FakeAV.LVT.

Xylitol reports that Trojan.FakeAV.LVT arrives on the system under the filename flash-player.exe. The file is probably named this way to trick people into thinking it is related to Adobe Flash. Once run, it will perform a network test by connecting to a variety of sites such as youtube.com, wikipedia.org, etc. to see if you have an Internet connection. It will then download further files and search your computer for specific antivirus programs that may be installed. If it detects an antivirus program, it will reboot your computer into Safe Mode, where it uninstalls your current antivirus program. When it is done uninstalling your antivirus software, it will reboot back into normal Windows mode and display alerts that appear to be from your security software so that you think it is still installed and working properly.

Xylitol reports that it currently detects and uninstalls the following antivirus programs:

  • Agava Firewall
  • Avast
  • Microsoft Security Essentials
  • Kaspersky Internet Security 7
  • Kaspersky Internet Security 2009
  • Kaspersky Internet Security 2010
  • Kaspersky Internet Security 2011
  • Kaspersky Anti-Virus 7
  • Kaspersky Anti-Virus 2009
  • Kaspersky Anti-Virus 2010
  • Kaspersky Anti-Virus 2011
  • AVG Anti-Virus
  • Avira AntiVir
  • Comodo
  • McAfee
  • Microsoft Defender
  • ESET NOD32 Antivirus
  • ESET Smart Security
  • Dr. Web
  • Norton Antivirus
  • Outpost Firewall
  • Panda Antivirus

When I was testing a sample of this malware, I installed a copy of Microsoft Security Essentials and then ran the computer infection. Once the malware started, it quickly displayed an alert with the message "System error! Access denied.", which, it is assumed, was meant to trick the computer user into thinking that there was a problem running the flash-player.exe program.

[Image: "System error! Access denied." message from flash-player.exe]

After some time, the computer was rebooted and started in Windows Safe Mode. While in Safe Mode it proceeded to uninstall Microsoft Security Essentials and then rebooted back into normal mode. Once the computer was rebooted and I was logged in, it displayed an icon in the Windows taskbar that was the same as, or at least similar to, the icon for the antivirus software that was previously installed. When I clicked on the icon it displayed the following image and text:

[Image: fake Microsoft Security Essentials "Enhanced Protection Mode" alert]

Microsoft Security Essentials
Enhanced Protection Mode

Attention!
Microsoft Security Essentials operates under enhanced protection mode. This is a temporary measure necessary for immediate response to the threat from virus.
No action is required from you.

To further trick you into thinking that your antivirus program is running normally, it will also randomly display fake update messages stating that your program was updated. The text of this message will be similar to:


Microsoft Security Essentials
Release date of the anti-virus databases:
03/08/11 1:11:29PM
Your system is protected.

When examining the files that this malware installed, I see that it installed three different legitimate Bitcoin miners called Phoenix, RPC, and UFA. Bitcoins are an online currency that currently has a monetary value of 13 USD per Bitcoin. Though these programs are legitimate, they are being used by the malware developer to generate, or mine, Bitcoins for the developer while using your computer's CPU processing power. The program that pretends to be your antivirus software was installed as C:\WINDOWS\update.tray-14-0\svchost.exe, though this path may change per installation. This program also downloads a variety of other malware such as the ZeroAccess rootkit. Last, but not least, the downloader also generates a variety of files in the C:\Windows folder that include:

  • Various malware files - Named sysdriver32_.exe, sysdriver32.exe, and l1rezerv.exe. It also generated hidden folders named C:\Windows\update.[number] that contain more malware.
  • unrar.exe - A legitimate unrar program for extracting the Bitcoin miners.
  • phoenix.rar - A legitimate Bitcoin miner.
  • ufa.rar - A legitimate Bitcoin miner.
  • rpcminer.rar - A legitimate Bitcoin miner.
  • geoiplist - A list that can be used to determine an infected computer's geographic location based on its IP address.
  • proc_list1.log - A list of processes running on the infected computer and their associated process IDs.
  • iplist.txt - Xylitol states that this is a list of IP addresses for other infected computers. There were 766 IP addresses listed in this text file.

Without a doubt this malware is a nasty piece of work, but it does introduce some interesting methods of income generation and protection routines used by the malware developer and their software. The infection itself, and its downloads, are by themselves not very difficult to remove. Unfortunately, though, it appears to be bundling the ZeroAccess rootkit, which is much harder to remove. Running TDSSKiller may remove the driver portion of the rootkit, but not all of the infection, and thus you may be left with a machine that is only partially cleaned.

Therefore, it is recommended that if you are infected with this malware you ask for help in our Virus Removal forum to receive free one-on-one help in cleaning your machine. Furthermore, I have seen many virus removal blogs stating that all you need to do is run various programs such as Spyware Doctor, MalwareBytes, SuperAntiSpyware, Hitman Pro, etc. to clean your computer of this infection. Though these programs are all legitimate, the instructions given will not work, so please do not purchase anything in the hopes of a one-shot fix to remove this infection and the ZeroAccess rootkit. It is for this reason that we are not writing a removal guide for this infection, as there is no easy and simple method to remove it all.

Thanks to Xylitol for the great writeup at his blog!
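As an added example (not code from the post above or from Xylitol's writeup), here is an offline triage script in Python that checks a Windows directory for the artifacts the post describes: the dropped file names, the update.[number] folders (with their hidden attribute when run on Windows), a svchost.exe living outside its normal location such as update.tray-14-0\svchost.exe, and the number of peers listed in iplist.txt. The set of folders where a legitimate svchost.exe belongs is an assumption, and the sample tree and peer list it builds are constructed placeholders, not real malware. Point it at a mounted or offline copy of the infected drive rather than the live system, since the live system's "antivirus" is the impostor.

```python
# Added example: not from the post or from Xylitol's writeup. Offline triage
# for the artifacts the post describes, meant for the Windows directory of a
# mounted or offline copy of the infected drive. File and folder names come
# from the post; LEGIT_SVCHOST_PARENTS is an assumption.
import ipaddress
import re
import tempfile
from pathlib import Path

# File names the post reports being written directly into C:\Windows.
DROPPED_NAMES = {
    "sysdriver32_.exe", "sysdriver32.exe", "l1rezerv.exe", "unrar.exe",
    "phoenix.rar", "ufa.rar", "rpcminer.rar", "geoiplist",
    "proc_list1.log", "iplist.txt",
}
# Matches the hidden C:\Windows\update.[number] folders and the fake-AV folder
# C:\WINDOWS\update.tray-14-0 (the post notes the exact name varies).
UPDATE_DIR_RE = re.compile(r"^update\.[A-Za-z0-9_-]+$", re.IGNORECASE)
# Assumption: top-level folders under %SystemRoot% where svchost.exe is expected.
LEGIT_SVCHOST_PARENTS = {"system32", "syswow64", "winsxs", "servicepackfiles"}
FILE_ATTRIBUTE_HIDDEN = 0x2


def is_hidden(path: Path) -> bool:
    """True if the NTFS hidden attribute is set; always False off Windows."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def count_peer_ips(iplist_path: Path) -> int:
    """Count well-formed IPv4 addresses in iplist.txt, one per line,
    tolerating an ip:port form and ignoring anything else."""
    count = 0
    for line in iplist_path.read_text(errors="replace").splitlines():
        token = line.strip().split(":", 1)[0]
        try:
            ipaddress.IPv4Address(token)
        except ValueError:
            continue
        count += 1
    return count


def triage(windows_dir) -> dict:
    """Scan one Windows directory and report the indicators found."""
    root = Path(windows_dir)
    found = {"dropped_files": [], "update_dirs": [], "hidden_update_dirs": [],
             "rogue_svchost": [], "peer_ips": 0}
    for child in sorted(root.iterdir()):
        name = child.name.lower()
        if child.is_file() and name in DROPPED_NAMES:
            found["dropped_files"].append(child.name)
            if name == "iplist.txt":
                found["peer_ips"] = count_peer_ips(child)
        elif child.is_dir() and UPDATE_DIR_RE.match(child.name):
            found["update_dirs"].append(child.name)
            if is_hidden(child):
                found["hidden_update_dirs"].append(child.name)
    # Any svchost.exe whose top-level folder is not an expected one, e.g.
    # Windows\update.tray-14-0\svchost.exe, is reported as rogue.
    for exe in root.rglob("svchost.exe"):
        rel = exe.relative_to(root)
        top = rel.parts[0].lower() if len(rel.parts) > 1 else ""
        if top not in LEGIT_SVCHOST_PARENTS:
            found["rogue_svchost"].append(rel.as_posix())
    return found


def build_demo_tree(base) -> Path:
    """Constructed sample layout mirroring the post's description; every
    file is a placeholder byte string, none of this is real malware."""
    win = Path(base) / "Windows"
    (win / "System32").mkdir(parents=True)
    (win / "System32" / "svchost.exe").write_bytes(b"legitimate placeholder")
    (win / "update.tray-14-0").mkdir()
    (win / "update.tray-14-0" / "svchost.exe").write_bytes(b"fake AV placeholder")
    (win / "update.1").mkdir()
    for name in ("sysdriver32.exe", "l1rezerv.exe", "unrar.exe",
                 "phoenix.rar", "proc_list1.log"):
        (win / name).write_bytes(b"placeholder")
    # Constructed peer list using RFC 5737 documentation addresses.
    (win / "iplist.txt").write_text(
        "192.0.2.10\n198.51.100.7\nnot-an-ip\n203.0.113.99:8080\n\n")
    return win


def run_demo() -> dict:
    """Build the sample tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_demo_tree(tmp))


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real drive, call triage() with the mounted Windows directory (for example `triage(r"E:\Windows")`); the hidden-attribute check only reports anything when the script runs on Windows, because the NTFS attribute is not exposed through stat() elsewhere.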




#2 Allan, BC Advisor

Posted 03 August 2011 - 03:09 PM

You know, as much as I'd like to grab the bastards who write this stuff by the neck and make them cry for their mommies, you do have to give them credit for ingenuity and tenacity. Anyway, thanks for the info Grinler.

#3 Hungry Man, Member

Posted 03 August 2011 - 03:29 PM

Excellent and detailed topic. Thank you.

I tested this particular malware and it was a) blocked by Comodo's cloud scanner and b) unable to run properly under the partially limited sandbox.

Scary if your only defenses are an antivirus though considering what happens if a 0day version gets by.

#4 GaGlets, Member

Posted 03 August 2011 - 03:51 PM

Poor me, I had to fight with this one before this article; the same message appeared with avast antivirus. But it was so easy to remove with the Recovery Console: I went through all the folders for any changes made and deleted the suspicious files, then I was able to run an anti-virus scanner and removed the rest of them, plus, as I am not so smart, I had to insert the Windows installation disk to repair some of my mistakes. ;D Thank you for the info.

Regards GaGlets

Edited by GaGlets, 03 August 2011 - 03:54 PM.


#5 boopme (To Insanity and Beyond), Global Moderator

Posted 03 August 2011 - 03:57 PM

Amazing... I hate these people.

#6 JohnWho (Who was running the store?), Member

Posted 03 August 2011 - 04:30 PM

I'm with you, Boopme.

However, maybe, with this malware we will be able to "follow the money" and lock up the perpetrators.


#7 Broni (The Coolest BC Computer), BC Advisor

Posted 03 August 2011 - 08:49 PM

Wow! That's quite something....



#8 Zestypanda, Member

Posted 03 August 2011 - 09:07 PM

I am being helped by boop, but I think this bugger got me also: mbam is missing, yet it shows up in the Add/Remove Programs list but nowhere else.



#9 booterbotter, Member

Posted 03 August 2011 - 11:31 PM

Thanks for the update, Sir Grinler. How I wish I had time to read ASM tutorials so I could also help out with researching these issues. :busy:



#10 Required Field, Member

Posted 04 August 2011 - 08:34 AM

So...if I read this right, this isn't so much scamware, as it's not telling you you're infected and not to buy a rogue product. Its sole purpose is to enlist your computer into an already existing botnet army?

#11 herg62123, Member

Posted 04 August 2011 - 01:50 PM

So...if I read this right, this isn't so much scamware, as it's not telling you you're infected and not to buy a rogue product. Its sole purpose is to enlist your computer into an already existing botnet army?

That is the way I see it :scratchhead:

#12 Casey_boy (Bleeping physicist), Malware Response Team

Posted 04 August 2011 - 03:11 PM

So...if I read this right, this isn't so much scamware, as it's not telling you you're infected and not to buy a rogue product. Its sole purpose is to enlist your computer into an already existing botnet army?


Could be, or because this is the first version of it we've seen it could be a proof of concept type version (i.e. let's check this works in the wild). Newer variants may include backdoor functionality downloading other malware onto the system - which would be dead easy since you'd have no legitimate anti-virus to try and stop it!

Edit: Should have read it fully. It's already doing that:

This program also downloads a variety of other malware such as the ZeroAccess rootkit.


Edited by Casey_boy, 04 August 2011 - 03:13 PM.


#13 Union_Thug (Bleeps with the fishes...), Member

Posted 04 August 2011 - 05:41 PM

I #@$%ing despise these people....seriously.

Edited by Union_Thug, 05 August 2011 - 10:31 AM.


#14 wkid, Member

Posted 05 August 2011 - 09:02 AM

Maybe I missed something. What is the most likely source of this infection? P2P? rogue sites? IM? other?

#15 lti, Member

Posted 06 August 2011 - 04:47 PM

It probably downloads in the same manner as the other fake Flash player or video codec downloads. A compromised or illegitimate website will tell you that you need to install the latest version of Flash to view a video, you click Install, and you're infected.
