Google Talk used to distribute Fake AV

Filed Under: Malware

When speaking in public and delivering presentations, I am often asked "Why would they want my Google/Yahoo!/MSN/Facebook credentials? It's only a throw-away email address."

These services have transformed from simple webmail and messaging experiences into fully integrated platforms for video, voice, instant messaging, photo sharing, and of course social networking. As Google learned from the launch of Google Buzz, not everyone wants everything tied together in one place with Mark Zuckerberg-like openness.

Bot GTalk message

Maria Varmazis, a colleague from our Boston office, got to experience what happens when a friend's account is compromised. When she logged onto Gmail, she got a pop-up message from someone she regularly chats with: "Hey are you on Facebook ??? If u are then check this out ". Wisely, Maria didn't click on the link and instead passed it on to me to investigate.

The link led me to a web page that had some dancing stick people and a link that read, "Click on the picture to download my party pictures gallery. . . (Click Open or Run when prompted.)".

Of course I wanted to view this party picture gallery. . . Past experience tells me the best pictures are taken after 11pm at parties. When I clicked the image, Internet Explorer presented a download prompt for a file called my_image_gallery.scr. Despite the "screen saver" extension, a .scr file is an ordinary Windows executable that runs as soon as it is opened.
Screenshot of file download

SAV Alert FakeAV-BT

When I tried to run the file, Sophos Anti-Virus notified me that it detected a virus, Mal/FakeAV-BT, and that it quarantined the file.

You'll notice the size of the file was only 25K. This file, like many other fake AV programs, is simply a downloader that later retrieves its real payload. This allows the controllers of the botnet to decide which malware to place at the destination web page, and gives you another chance to prevent the attack by using web filtering to block that second download.

Screenshot of Sophos Anti-Virus detections

Had SophosLabs not already published an identity for this FakeAV, our integrated HIPS (Host Intrusion Prevention System) technology would have prevented infection as well.

HIPS detected the file's behavior as HIPS/ProcInj-003, indicative of malware trying to inject itself into the Internet Explorer browser.

Another thing I noticed was that all of the files were written to locations that did not require administrative privilege. This technique has become more common since Microsoft added User Account Control (UAC) in Windows Vista and later versions of Windows: malware that stays inside the user's profile never triggers an elevation prompt. This was one of the main reasons I got the results I did when testing Windows 7 against the latest 10 threats.

Screenshot of Sophos quarantine

This attack once again shows us the importance of defense in depth. An administrator for an organizational network has several chances to prevent this infection:

  1. Education. Teach end users how to spot something out of the ordinary, to avoid clicking links in IMs, and what techniques are used in social engineering.
  2. Anti-virus. As Virus Bulletin regularly demonstrates, the majority of up-to-date anti-virus products protect against most in-the-wild threats.
  3. Proactive protection. Using heuristic, behavioral and other techniques provides protection against malicious code that may not yet be detected by your anti-virus definitions.
  4. Web filtering. Both the site offering malware for me to download, and the one that was luring me into clicking the picture were blocked by the Sophos Web Appliance as malicious. Our web appliance also scans all your downloads for malware, and lets you disable downloading of dangerous filetypes.
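As an added illustration of the web-filtering step (this is example code written for this post, not Sophos code or the logic of the Sophos Web Appliance), here is a small download policy check of the kind a filter applies before a file reaches the browser. It blocks by extension (the my_image_gallery.scr case), flags double-extension lures such as party_pics.jpg.exe, and sniffs the first bytes of the body so that a Windows executable served under an image name or an unhelpful Content-Type is still caught. The URLs and response bytes below are constructed sample inputs; the Content-Type header is treated as an untrusted hint that can only tighten the verdict, never loosen it.

```python
"""Download policy check for a web filter (hypothetical example).

Blocks dangerous Windows file types by extension, catches double-extension
lures, and sniffs the body for a PE header so a renamed executable is still
caught. All sample URLs and bytes are constructed for the example.
"""
from __future__ import annotations

import posixpath
from urllib.parse import unquote, urlsplit

# File types Windows will execute directly when the user clicks "Open" or "Run".
DANGEROUS_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".msi", ".cpl",
    ".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".ps1", ".lnk",
}

# Content-Types commonly sent for Windows executables (IIS and Apache defaults).
EXECUTABLE_CONTENT_TYPES = {"application/x-msdownload", "application/x-msdos-program"}

# Every Windows PE file (.exe, .scr, .dll) begins with the DOS header "MZ".
PE_MAGIC = b"MZ"


def filename_from_url(url: str) -> str:
    """Return the percent-decoded, lower-cased final path segment of a URL."""
    path = unquote(urlsplit(url).path)
    return posixpath.basename(path).lower()


def extension_chain(name: str) -> list[str]:
    """Return every extension of a name: 'a.jpg.scr' -> ['.jpg', '.scr']."""
    parts = name.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def download_verdict(url: str, head: bytes, content_type: str = "") -> tuple[bool, str]:
    """Decide whether a download is blocked; returns (blocked, reason).

    `head` is the first bytes of the response body. `content_type` is the
    server's header and is only ever used to block, never to allow.
    """
    name = filename_from_url(url)
    exts = extension_chain(name)
    final_ext = exts[-1] if exts else ""

    # Rule 1: the name ends in something Windows executes (my_image_gallery.scr).
    if final_ext in DANGEROUS_EXTENSIONS:
        lure = " (double-extension lure)" if len(exts) > 1 else ""
        return True, f"dangerous file type {final_ext}{lure}"

    # Rule 2: the body is a PE regardless of what the name or header claims.
    if head.startswith(PE_MAGIC):
        return True, f"Windows executable content served as {name!r}"

    # Rule 3: the server itself says it is shipping an executable.
    if content_type.split(";")[0].strip().lower() in EXECUTABLE_CONTENT_TYPES:
        return True, f"executable content type {content_type}"

    return False, "allowed"


# Constructed sample downloads: (url, first body bytes, Content-Type header).
SAMPLES = [
    ("http://example.invalid/gallery/my_image_gallery.scr", b"MZ\x90\x00", "application/octet-stream"),
    ("http://example.invalid/party_pictures.jpg", b"MZ\x90\x00", "image/jpeg"),
    ("http://example.invalid/real_pictures.jpg", b"\xff\xd8\xff\xe0", "image/jpeg"),
    ("http://example.invalid/download?id=42", b"MZ\x90\x00", "application/x-msdownload"),
    ("http://example.invalid/Party%20Pics.JPG.EXE", b"MZ", ""),
]


def check_downloads(samples) -> dict[str, tuple[bool, str]]:
    """Run the policy over a batch of (url, head, content_type) tuples."""
    return {url: download_verdict(url, head, ctype) for url, head, ctype in samples}


if __name__ == "__main__":
    for url, (blocked, reason) in check_downloads(SAMPLES).items():
        print(("BLOCK " if blocked else "ALLOW ") + url + "  # " + reason)
```

Only real_pictures.jpg is allowed; the other four are blocked, including the PE served as a .jpg and the extension-less download that is identified by its header and body. A real appliance would add an anti-virus scan of the full body and a reputation lookup of the hosting site, which is what stopped this sample in the incident above.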

Unfortunately, quite often our friends may not really be our friends. Use this as a reminder to stay vigilant and warn others about this type of attack.



About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.