Chameleon-like fake AV delivered via clever social engineering

A complex and probably highly effective campaign spreading fake antivirus software has been spotted targeting Facebook users.

It starts with users being apparently contacted by one of their Facebook friends via the social network’s chat feature. “Hi. How are you? It is you on the video? Want to see?” asks the “friend” and offers a link to a YouTube page.

The user, intrigued, follows the link and sees that the video (with his name in the title) has apparently been commented on, positively and negatively, by a bunch of his Facebook friends. But he can't see it: "You need to upgrade your Adobe Flash Player," says the text over the blank space where the video is supposed to be.

And the comments seem to indicate that following the download link is safe.

Unfortunately, it is not – the file he downloads is Trojan.FakeAV.LVT.

“It copies itself as %windir%\services32.exe and as %windir%\update.X\svchost.exe, where update is a hidden directory and X is the version of the malware,” explains BitDefender’s Loredana Botezatu. “After that, it adds a registry key in %SYSTEM% and the malicious code is thus added to the list of authorized applications for the firewall, or it disables the firewall altogether. Then it proceeds to disable all notifications generated by the firewall, the update module and whatever antivirus it finds installed on the PC.”
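The drop locations and firewall tampering described above are exactly the host artefacts an incident responder would hunt for. The following is an added example, not BitDefender's or Help Net Security's code: a small hunt script that correlates a file inventory, a list of hidden directories and a `reg export` of the Windows Firewall StandardProfile policy key, and flags the indicators named in the quote. The inventory and registry text are constructed inline so the script runs offline; on a real host you would feed it the output of `dir /a /s /b %windir%`, `attrib` (for the hidden flag) and `reg export` of the FirewallPolicy key. `C:\Windows` as %windir%, a numeric-or-otherwise `update.X` suffix, and the System32/SysWOW64/WinSxS whitelist for legitimate `svchost.exe` copies are assumptions of the example.

```python
import re
from pathlib import PureWindowsPath

# Assumption: %windir% resolves to C:\Windows on the examined host.
WINDIR = PureWindowsPath(r"C:\Windows")
# Assumption: the only legitimate homes of svchost.exe (plus WinSxS component stores).
LEGIT_SVCHOST_DIRS = {"system32", "syswow64"}
# Windows Firewall (XP/Vista/7-era) StandardProfile policy key as printed by `reg export`.
FW_PROFILE = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
              r"\Parameters\FirewallPolicy\StandardProfile")

# --- constructed sample inventory (not captured from a real infection) -------
SAMPLE_FILES = [
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\SysWOW64\svchost.exe",
    r"C:\Windows\services32.exe",            # dropper copy named in the report
    r"C:\Windows\update.3\svchost.exe",      # second copy inside hidden update.X
]
SAMPLE_HIDDEN_DIRS = [r"C:\Windows\update.3", r"C:\Windows\Installer"]

SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
"DisableNotifications"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Windows\\services32.exe"="C:\\Windows\\services32.exe:*:Enabled:services32"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
'''


def parse_reg_export(text):
    """Minimal .reg parser: {key: {value_name: data}}; handles dword and quoted strings."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if not m:
                continue
            name = m.group(1).replace("\\\\", "\\")       # .reg doubles backslashes
            raw = m.group(2)
            if raw.startswith("dword:"):
                data = int(raw[6:], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                data = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            else:
                data = raw
            keys[current][name] = data
    return keys


def hunt(files, hidden_dirs, reg_text):
    """Return a list of human-readable findings for the Trojan.FakeAV.LVT indicators."""
    findings, suspicious_paths = [], set()

    for f in files:
        p = PureWindowsPath(f)
        name, parent = p.name.lower(), p.parent
        if name == "services32.exe":                      # no legitimate Windows binary has this name
            findings.append(f"dropper copy: {f}")
            suspicious_paths.add(str(p).lower())
        elif name == "svchost.exe":
            parts = [s.lower() for s in p.parts]
            legit = (parent.parent == WINDIR and parent.name.lower() in LEGIT_SVCHOST_DIRS) \
                or "winsxs" in parts
            if not legit:
                findings.append(f"svchost.exe outside its system directories: {f}")
                suspicious_paths.add(str(p).lower())

    for d in hidden_dirs:
        p = PureWindowsPath(d)
        # Assumption: X in update.X is any non-empty suffix, not only a number.
        if p.parent == WINDIR and re.fullmatch(r"update\.\S+", p.name, re.IGNORECASE):
            findings.append(f"hidden update.X directory: {d}")

    reg = parse_reg_export(reg_text)
    profile = reg.get(FW_PROFILE, {})
    if profile.get("EnableFirewall") == 0:
        findings.append("firewall disabled (EnableFirewall=0)")
    if profile.get("DisableNotifications") == 1:
        findings.append("firewall notifications suppressed (DisableNotifications=1)")
    # Cross-correlate: an authorized-application entry pointing at a flagged binary.
    for path, data in reg.get(FW_PROFILE + r"\AuthorizedApplications\List", {}).items():
        if path.lower() in suspicious_paths:
            findings.append(f"firewall exception for suspicious binary: {data}")
    return findings


if __name__ == "__main__":
    for line in hunt(SAMPLE_FILES, SAMPLE_HIDDEN_DIRS, SAMPLE_REG_EXPORT):
        print(line)
```

The script only covers StandardProfile; a domain-joined machine should also be checked under `DomainProfile`, and the same correlation applies to whatever firewall-exception list the host's Windows version uses.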

But this piece of malware is not your typical fake AV solution with a bogus name. This one has the ability to detect which legitimate AV solution the user has installed on his computer and to display personalized warning message windows that mimic the ones that this legitimate solution would present.

Of course, it “finds” a virus on the system, and asks the user to reboot the computer so that it can clean it up.

Unfortunately for the user, the reboot triggers an unwelcome series of events: the system boots into safe mode, where the malware starts and uninstalls the legitimate AV solution, and is then rebooted once again, this time in normal mode.

But that’s not the end of it. This unprotected system is now ready to be misused by a downloader component integrated in the Trojan, which downloads further malware from an array of URLs, depending on the OS running on the computer.

“The malware contains a hardcoded list of IPs, as well,” says Botezatu. “These are the IPs of other infected systems which will be used to exchange malware between them, creating a fully-fledged malware distribution system with peer-to-peer update capabilities. These IP lists are changed regularly and so infected systems are always in contact and constantly exchanging malicious code.”
