Fake out

Recently, I was analyzing a file that had come in, and at first it looked like a standard downloading Trojan. Not very interesting, right? 

But instead of immediately writing a detection and moving on, I let it continue to run for another 20 minutes or so, and much to my surprise, the rest of the payload dropped. Now this isn’t the first bit of malware to ever have a delayed payload, but the images and files were what made Troj/FakeAle-AW entertaining.

First off, it dropped what appears to be a bunch of files associated with 180Solutions, HotBar, Seekmo, etc. While the file names were the names of components associated with those potentially unwanted applications, the files were in fact full of random data. It then displayed a warning in the system tray saying:

    ‘Warning: Spyware threat has been detected on your PC.
    Your computer has several fatal errors due to spyware activity.

    It is strongly recommended to install an antispyware software to close all security vulnerabilities.

    Antispyware software helps protect your PC against spyware and other security threats.’

All of these of course lead to a rogue “antispyware” site.
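As an added illustration (not part of the original post and not the sample's own code), the decoy-file trick above can be checked for with an entropy test: a file whose name mimics a known adware component but has no PE header and near-random content is filler, not a real component. The name pattern and the sample files below are constructed placeholders; the post does not give the actual file names.

```python
import math
import os
import random
import re
from collections import Counter

# Constructed placeholder pattern standing in for the adware component names the
# post mentions (180Solutions, HotBar, Seekmo); real dropped file names are not given.
DECOY_NAME_PATTERN = re.compile(r"180solutions|hotbar|seekmo", re.IGNORECASE)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: random filler approaches 8.0, real code and text sit well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, data: bytes, threshold: float = 7.5) -> str:
    """'decoy' when the name mimics a known PUA component but the content is random
    filler (no 'MZ' header, near-maximal entropy); 'pe-image' when it is a real PE;
    'low-entropy' for other matching names; 'unrelated-name' when the name does not match."""
    if not DECOY_NAME_PATTERN.search(name):
        return "unrelated-name"
    if data[:2] == b"MZ":
        return "pe-image"
    return "decoy" if shannon_entropy(data[:65536]) >= threshold else "low-entropy"


def scan_directory(directory: str) -> dict:
    """Classify every regular file in *directory* (reads at most 64 KiB of each)."""
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                results[name] = classify(name, fh.read(65536))
    return results


def constructed_samples() -> dict:
    """Constructed sample drop (not real malware artefacts), seeded for reproducibility."""
    rng = random.Random(1)
    filler = bytes(rng.getrandbits(8) for _ in range(4096))
    return {
        "hotbar.dll": filler,                        # adware-like name, random content -> decoy
        "seekmo.exe": b"MZ" + bytes(range(256)) * 4,  # adware-like name with a PE header
        "readme.txt": filler,                        # random content but an unrelated name
    }


if __name__ == "__main__":
    for name, data in constructed_samples().items():
        print(f"{name:12} {classify(name, data)}")
```

On a real investigation, `scan_directory` is run over the drop location; a run of "decoy" results for well-known component names is a strong sign the sample is staging a fake infection rather than installing those applications.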

The images were very creative:

Fake Microsoft Security Alert

The link of course leads to the rogue software site. But I do admire the effort the author put into making it. It added some interest to an otherwise boring bit of malware.

Another fake alert

This was the other alert. Again, it was interesting to see the effort.

Nevertheless, here’s hoping folks won’t fall for it.