Fake AV - New tactics ?

Here's an interesting fake AV

When i tried to move the following screenie over to the left to make the image more compact



I immediately got all this !



As i have my comp set up to prompt me for DL's it wouldn't automatically get DL'd, or run I had scripting disabled whilst all this was happening No java on my comp either.



An SWF file is mentioned in the analysis, which i presume that's what the fake scan is. I did have flash enabled, but in the past without scripting enabled i just saw a static image of the fake scan.



They can't seem to get their file names right, compared to the SWF



Vt Result: 9/41

 

Yes, very interesting. It seems to require both Javascript and Plugins enabled to work.

Code:

<title>Warning!</title>

<script src="/11/AC_RunActiveContent.js" language="javascript"></script>

<param name="movie" value="/11/flashH264decoder.swf" />

<param name="flashvars" value="zita=installer.0022.exe" />

<embed src="/11/flashH264decoder.swf" flashvars="zita=installer.0022.exe" quality="high" 

With Plugins only enabled, the scan didn't trigger any download prompt in Opera.

This is because the entire image, which is a Flash object, as you figured out, is clickable. Opera reveals this when the mouse hovers anywhere on the image, so that anywhere you click will start the Flash loading the scan image.

​

R-click anywhere and I see that the image is indeed a Flash object:

​

With Javascript enabled, Opera reveals the downloaded .js file:

​

I think that all browsers will prompt for the download of an executable (.exe) by default in this case, since this isn't a remote code execution attack that exploits a browser vulnerability:

​

One reason I like Default-Deny protection as indicated here, is that there is no chance in a family situation where someone can make a mistake and click to Save/Open. The file will not be permitted to do anything.

One thing missing that makes this exploit less dangerous than ones in the past: preventing the user from closing the current Window/Tab. Here, the the user can do so. You may remember those where it was almost impossible to close out the current session w/o stopping the Process in Task Manager.

----
rich

 

@Rmus

Maybe i didn't word it correctly sorry, but i did NOT have JS/iframes etc enabled, only Flash, and the SWF fake scan still happened. That's why i said "but in the past without scripting enabled i just saw a static image of the fake scan"

Funnily enough, with IE6, and NO updates to it and JS/iframes etc disabled, i get this



Who says it's not safe I went to a favourite safe www where they have flash video clips of news items, and they played fine in IE6 without the Active X prompt ?

 

Can you post a screen shot of the Process Guard alert for this exploit?

thanks,

rich

 

Just for you Put ShadowDefender in shadow mode, and went back to the same www. No alert this time from Avira, guess it's a new version and Prevx no show

In the www page source is this -

Is that, and/or any of the other code on there, indicative of requiring scripting to run the fake scan ? Because as i said, i had JS etc disabled, and again today when i went back to do this. The SWF rubbish still ran as it did yesterday.

DL'd it and scanned it



VT = Result: 2010.07.09 16:30:01 (UTC) 0/40 (0%)

Ran it





Next post

 

Process Explorer showing it started ntvdm.exe



Right clicked on the line for Properties, and initially it wasn't verified ? Clicked Verify, and allowed PE out through ZoneAlarm to MS.



Right clicked ntvdm.exe in PE to kill it and it was still there ? Later i tried again, and this time after doing that i right clicked on the line for Properties



This time NO info on ANY tabs ?

Worked out the cause after launching several times If i click CLOSE on the ntvdm.exe it does. If i click IGNORE it results in lurking !

I thought it might be a "Phamtom" listing ? So i ran Deep System Explorer from DiamondCS the makers of PG.



ntvdm.exe has a history, and not good

Link in there to

Looks like ALL windows OS's vulnerable at some point to this exploit

Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165)

I seem to remember reading somewhere about potential vulnerabilities in ntvdm.exe even before the the above MS debarcle. I have a feeling i acted upon advice suggested at the time on how to make it safer etc, Exactly what i don't recall So i'm wondering if that's why this exploit failed to work on my XP/SP2 ?

Havn't rebooted yet, but don't expect to find anything having had SD running which "should" delete everything in this session Also due to the above, even if SD wasn't running i don't think it would have worked !

 

From my way of thinking, Process Guard is not really Default-Deny because the user is prompted for a decison to Permit or Deny, as your screen shot shows:

https://www.wilderssecurity.com/attachment.php?attachmentid=219824&d=1278701745

In my view, this presents problems for the average household where kids might be fooled and try to download such stuff. If the computer is locked down so that only the parents can download executable files, these accidents are prevented.

Again, this particular expoit is quite tame compared to earlier ones, as I indicated.

Several years ago I and others tested various solutions available at that time and only Software Restriction Policies, Geswall, and Anti-Executable were true Default-Deny:

http://www.urs2.net/rsj/computing/tests/remote

I confess to not having kept up with the software security market, so there may be other Default-Deny solutions now.

----
rich

 

AppLocker in Win 7 Ultimate, already built in, though at a premium for the O/S' cost

 

Ticking the option, "AUTO BLOCK NEW AND CHANGED APPLICATIONS" will make ProcessGuard 'Default Deny.'

 

@Rmus

Re ProcessGuard Default-Deny

trismegistos beat me to it

Here's some other handy options it has that can be set per app



Process Guard can also be PW protected from tampering

 

ChromePlus block this malware site