Fake AV - New tactics ?

Discussion in 'malware problems & news' started by CloneRanger, Jul 8, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Here's an interesting fake AV :eek:

    When i tried to move the following screenie over to the left to make the image more compact

    50-1.gif

    I immediately got all this !

    50-.gif

    As i have my comp set up to prompt me for DL's it wouldn't automatically get DL'd, or run :p I had scripting disabled whilst all this was happening No java on my comp either.

    js.gif

    An SWF file is mentioned in the analysis, which i presume that's what the fake scan is. I did have flash enabled, but in the past without scripting enabled i just saw a static image of the fake scan.

    inst.gif

    They can't seem to get their file names right, compared to the SWF :D

    av-.gif

    Vt Result: 9/41
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Yes, very interesting. It seems to require both Javascript and Plugins enabled to work.

    Code:
    <title>Warning!</title>
    
    <script src="/11/AC_RunActiveContent.js" language="javascript"></script>
    
    <param name="movie" value="/11/flashH264decoder.swf" />
    
    <param name="flashvars" value="zita=installer.0022.exe" />
    
    <embed src="/11/flashH264decoder.swf" flashvars="zita=installer.0022.exe" quality="high" 
    With Plugins only enabled, the scan didn't trigger any download prompt in Opera.

    This is because the entire image, which is a Flash object, as you figured out, is clickable. Opera reveals this when the mouse hovers anywhere on the image, so that anywhere you click will start the Flash loading the scan image.

    50check_click.gif

    R-click anywhere and I see that the image is indeed a Flash object:

    50check_flash.gif

    With Javascript enabled, Opera reveals the downloaded .js file:


    50check_script.gif


    I think that all browsers will prompt for the download of an executable (.exe) by default in this case, since this isn't a remote code execution attack that exploits a browser vulnerability:

    50check_dl.gif

    One reason I like Default-Deny protection as indicated here, is that there is no chance in a family situation where someone can make a mistake and click to Save/Open. The file will not be permitted to do anything.

    One thing missing that makes this exploit less dangerous than ones in the past: preventing the user from closing the current Window/Tab. Here, the the user can do so. You may remember those where it was almost impossible to close out the current session w/o stopping the Process in Task Manager.

    ----
    rich
     
  3. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @Rmus

    Maybe i didn't word it correctly sorry, but i did NOT have JS/iframes etc enabled, only Flash, and the SWF fake scan still happened. That's why i said "but in the past without scripting enabled i just saw a static image of the fake scan"

    Funnily enough, with IE6, and NO updates to it and JS/iframes etc disabled, i get this

    ie6.gif

    Who says it's not safe :D I went to a favourite safe www where they have flash video clips of news items, and they played fine in IE6 without the Active X prompt ?

     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Can you post a screen shot of the Process Guard alert for this exploit?

    thanks,

    rich
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Just for you ;) Put ShadowDefender in shadow mode, and went back to the same www. No alert this time from Avira, guess it's a new version :p and Prevx no show :p

    In the www page source is this -

    Is that, and/or any of the other code on there, indicative of requiring scripting to run the fake scan ? Because as i said, i had JS etc disabled, and again today when i went back to do this. The SWF rubbish still ran as it did yesterday.

    DL'd it and scanned it

    luke.gif pvx.gif

    VT = Result: 2010.07.09 16:30:01 (UTC) 0/40 (0%)

    Ran it

    pg-nvt.gif

    16-1.gif end1.gif

    Next post
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Process Explorer showing it started ntvdm.exe

    ntv.gif

    Right clicked on the line for Properties, and initially it wasn't verified ? Clicked Verify, and allowed PE out through ZoneAlarm to MS.

    ver.gif

    Right clicked ntvdm.exe in PE to kill it and it was still there ? Later i tried again, and this time after doing that i right clicked on the line for Properties

    prop.gif

    This time NO info on ANY tabs ?

    Worked out the cause after launching several times :D If i click CLOSE on the ntvdm.exe it does. If i click IGNORE it results in lurking !

    I thought it might be a "Phamtom" listing ? So i ran Deep System Explorer from DiamondCS the makers of PG.

    dcs1.gif dcs2.gif

    ntvdm.exe has a history, and not good

    Link in there to

    Looks like ALL windows OS's vulnerable at some point to this exploit :eek:

    Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165)

    I seem to remember reading somewhere about potential vulnerabilities in ntvdm.exe even before the the above MS debarcle. I have a feeling i acted upon advice suggested at the time on how to make it safer etc, Exactly what i don't recall :( So i'm wondering if that's why this exploit failed to work on my XP/SP2 ?

    Havn't rebooted yet, but don't expect to find anything having had SD running which "should" delete everything in this session :D Also due to the above, even if SD wasn't running i don't think it would have worked ! :p
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    From my way of thinking, Process Guard is not really Default-Deny because the user is prompted for a decison to Permit or Deny, as your screen shot shows:

    https://www.wilderssecurity.com/attachment.php?attachmentid=219824&d=1278701745

    In my view, this presents problems for the average household where kids might be fooled and try to download such stuff. If the computer is locked down so that only the parents can download executable files, these accidents are prevented.

    Again, this particular expoit is quite tame compared to earlier ones, as I indicated.

    Several years ago I and others tested various solutions available at that time and only Software Restriction Policies, Geswall, and Anti-Executable were true Default-Deny:

    http://www.urs2.net/rsj/computing/tests/remote

    I confess to not having kept up with the software security market, so there may be other Default-Deny solutions now.

    ----
    rich
     
  8. wat0114

    wat0114 Guest

    AppLocker in Win 7 Ultimate, already built in, though at a premium for the O/S' cost ;)
     
  9. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @Rmus

    Re ProcessGuard Default-Deny

    trismegistos beat me to it ;)

    Here's some other handy options it has that can be set per app

    pg-.gif

    Process Guard can also be PW protected from tampering :thumb:
     
  11. CiX

    CiX Registered Member

    Joined:
    Feb 22, 2010
    Posts:
    404
    ChromePlus block this malware site :D :thumb: :thumb:
    untitled.JPG
     
Loading...
Thread Status:
Not open for further replies.