FakeAV — a lesson in aggression

Those “Antivirus System PRO” folks are up to their nasty sales tactics again. While its use of a pushy (and confusing!) yes-no no-yes dialog sequence is similar to other fake AV variants, a signature feature involves periodically opening a browser to a sketchy domain — any of porno.org, porno.com, adult.com or viagra.com.

The tactics just get more aggressive from there. The malware hooks several system functions in memory such that;

1. An attempt to start any new process is killed with the following warning:

2. Links from Windows Security Center direct you to the fake AV purchase page (depicted above)

3. You are bombarded with bogus infiltration alerts, like the following:

I concede the pushers of FakeAV are not actually selling anything and are, in fact, committing extortion. However, from the perspective of the would-be duped purchaser, their socially-engineered buy was elicited by the limited-free-trial-edition cleverness embedded within the desired product. I digress.

Interestingly, the authors recognize the suspicion that can be raised by these aggressive tactics and have attempted to reduce it by associating with a known brand — Microsoft. The malware sets up a local HTTP proxy on port 5555 and re-routes all traffic for microsoft.com to the rogue’s IP space.

In particular, notice the domain in the address bar is indeed ‘microsoft.com’ so diligent users can be tricked into thinking the page is genuinely from Microsoft. The use of the local HTTP proxy can allow the malware to redirect browser traffic of any domain to rogue IPs of its choosing. Acting as a man-in-the-middle for HTTP traffic, the malware has full control over the web pages seen. As such, this technique could be further abused to associate other illegitimate content, say a fake pharmacy site,  to legitimate domains (though at the time of writing, only redirection to microsoft.com was observed).

Yet another reminder that once your system is compromised, you cannot take anything at face value.