The big fish is back. Rogue security products have long been targeting Microsoft's Security Center and using other Microsoft imaging or logos to falsely lure users to buy and use their products. We now welcome Symantec, Webroot and Sophos to that esteemed crowd.

The new avatar of Win32/FakeXPA (currently as Anti-virus-1 and may soon change) is taking over from the Antivirus2010 sub-variants and bringing on some more aggressive social engineering strategies. The malicious domain keeps on changing, and the latest website serving the installer can be found by going to the following address <malicious IP>/admin/cgi-bin/get_domain.php?type=site/download

fakeXPA hex
Figure 1. Rogue domain path

In my previous blog, I mentioned about web search interception on misspelled or common words, and redirection to Win32/FakeXPA variant's webpage. This time, the process gets more sophisticated. In addition to the existing web search interception, the latest avatar also modifies the user's hosts file. As of the latest sub-variants, the search engines targeted are Live.com, MSN.com, Google.com and Yahoo.com and the targeted keywords remains same.

The big fish was not done yet, and went ahead to even work on a much more real "user experience" with the search results. The following image shows what the user will see once a search is requested with one such misspelled word.


Figure 2. Fake search results

Everytime a search is requested on the common keywords, the original results are intercepted because of modified hosts file and user is presented pseudo-search results containing "fake reviews" of the rogue product.

To keep on playing on user's trust and continuing the experience, each review is further spoofed and targets prominent Reviewer Websites and Security Products.


Figure 3. Original NIS 2008 review -
http://www.pcmag.com/article2/0,1895,2180643,00.asp


Figure 4. Fake Antivirus2010 review


Figure 5. Original Webroot Spy Sweeper 5.2 review -
http://reviews.cnet.com/search-results/webroot-spy-sweeper-5/4505-5_7-32135428.html


Figure 6. Fake Antivirus2010 review

One such fake review calls the Antivirus2010 is from Symantec (figure 4) - Symantec continues to polish and enhance its flagship Antivirus2010 suite and then another (figure 6) calls Antivirus2010 now includes some (but not all) aspects of Sophos antivirus engine.

If fake blue screen warnings and fake windows welcome screens were targeted towards scare tactics, then these latest strategies are aimed more on Users' Trust and "real-life" experience. Microsoft has been a continuous target, but it seems we will not be the only one anymore.

And finally if there was not enough proof about where from this all originates, maybe the following information can throw some more light. We have investigated further and the following information related to FakeXPA we found out was not a surprise.

City: Kyiv
Country: Ukraine

Here are some of the SHA1 hashes for the latest variant:

  • 2779eeb4bfa9e269d47baaf780e098c23f1f645c
  • 555465148fc253382174bb1bb8f8a0f3454f97cb
  • 7fdde1f1953dde30b5f30225feae965b1869791e
  • 3acdd55a55289c9bac928a711007917d6d7d1a65

Microsoft continues to remain on top of Win32/FakeXPA and our customers are protected from this latest Win32/FakeXPA sub-variant. Microsoft Malicious Software Removal Tool removed Win32/FakeXPA and Win32/Yektel infections from over 400,000 machines during first week of December release, more information in a previous blog post. Get the latest definitions from our portal and if you identify any rogues we are not detecting, do submit a sample to us.
 
--Subratam Biswas