Rogue security products have been around for some years, and now they seem to be everywhere. In my previous blog about Trojan:Win32/Antivirusxp I talked about the relationships between rogue products and various other threats. One common behavior of rogue products is their ever-changing domain names and user interfaces. Most rogue products emerge and then disappear into thin air. However, a few persist and remain the "big fish" to catch.

This month's addition to MSRT, Trojan:Win32/FakeXPA, is one such rogue, which has been around for months now. The websites that serve this rogue, its code, its user interfaces, its methods of infection, and its behavior have evolved with time.

As Windows users become more familiar with the Windows Security Center interface, the perpetrators are spoofing that interface to take advantage of that budding familiarity. FakeXPA was and is one of the first rogue products to exploit this strategy.  It is interesting to note, however, that the latest rendition actually deviates from the original spoofs and introduce new variations.


Figure 1. Change in Fake Security Center

With the passage of time, FakeXPA updated itself with new techniques of fooling end-users. Codes became obfuscated, and methods of infections became more complicated. Previously, FakeXPA was basically an end product installed by downloaders or exploits, but the most recent versions brought with them Trojan downloaders like TrojanDownloader:Win32/Yektel.A. More about Yektel will be written in an upcoming blog.

Recent variants of FakeXPA started using an installer, which needed internet connectivity to complete the FakeXPA installation. The earlier versions were distributed as standalone installers either downloaded by the user manually or by other malware.

Figure 2. FakeXPA installers

FakeXPA also started to use confusing and convincing names to sell the product. The recent avatars use names like, "Antivirus2009", "Antivirus2010" and "XP Antivirus2008". FakeXPA had been prominent as "XP Antivirus" for a considerable amount of time. One can see slight modifications in user interface over time.

Figure 3. Modifications in UI

The basic user interface of Antivirus 2009 had undergone some notable changes. Other than a new name, the icon changed to make it look more like the security center icon. There were some minor changes in the main product window too.

4.1 Original Security Center Icon

4.2 FakeXPA Icon

Figure 4. Security Center Icon comparison

Figure 5. Antivirus 2009 main window

Antivirus2010 soon came out, and though the UI did not go through that much of a change, this time the code changed quite a bit.The behavior of FakeXPA changed considerably, too, with the new variants becoming more aggressive in the way they scared users.

Figure 7. Fake Blue Screen Warning

Figure 8. Fake Windows welcome screen.

The above images illustrate the persistence of malware authors in wanting users to purchase and use their products. In this case a fake blue screen is introduced pretending that the machine was forced to shut down due to a spyware detection by an "unregistered" rogue AV product.  A fake Windows reboot welcome screen is then followed with a link to the fake AV product for the "registered" version.  These variants also install a driver responsible for intercepting web searches on misspelled or common words (such as antivirus, antivirys, antivyrus, antyvirus) and redirecting them to the FakeXPA variant's webpage. The driver is installed in such a way that any messages about unsigned driver installation are bypassed.

FakeXPA has slowly become a big fish but MSRT is going out to make life of FakeXPA harder and shorter. If you believe you are affected, we recommend you run our freely available online scanner at http://safety.live.com. Do submit a sample to us if you identify any rogues we are not detecting.

- Subratam