Back in August 2009 we added a rogue called Win32/FakeRean to the list of families removed by MSRT. At the time, I wrote about how it used several different names, like Home Antivirus 2010 and PC Antispyware 2010, which all looked pretty much the same. This is a trick used by most modern rogues; I covered it in some detail in my presentation at the Virus Bulletin conference last September. Alongside the use of different names, we've seen some rogues introduce different versions for different operating systems. FakeRean now checks whether it is running on Windows XP, Windows Vista or Windows 7 and uses a name tailored to each; however, rather than distribute a separate build for each of these three platforms, FakeRean's creators have taken an all-in-one approach. The latest version of FakeRean chooses randomly from a list of 11 names each time it is installed, then inserts into the name a string that depends on which version of Windows it is running on. The result is that a single version of the rogue can use any one of 33 different names:
Along with each name comes a slightly different user interface to match, but for the most part they are very similar. Here is the fake scanner on Windows XP:
This is what it looks like on Windows 7:
The exception is when it comes to interface elements that imitate parts of the operating system. On Windows XP, for example, FakeRean displays an imitation of Windows XP's Security Center:
When running on Windows 7, it displays a fake copy of the Action Center:
(Note that the above screenshots and the list of names are all from one sample of FakeRean, SHA1: 4fbd83a86dbefa058f3f33c4b950159b8882635a.) This is another example of the increasing sophistication of this type of malware.

FakeRean has also introduced another way of ensuring it is started automatically: it modifies the registry so that .exe files are associated with its own executable, which means the rogue is run whenever any program is launched through the shell (a double-click, the Start menu or the Run dialog). Other rogues, such as Win32/FakeScanti, use this technique mainly to block other programs from running; FakeRean relies on it for persistence, with the side effect that if the rogue is removed without restoring the registry, .exe files can no longer be run at all. The EXE file extension must be re-associated in order to restore normal functionality. Please see our encyclopedia entry for further detail.

-Hamish O'Dea
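To make the cleanup step concrete, here is an added example (it is not code from this post or from the MMPC) of auditing the .exe association chain that this kind of rogue hijacks and, on request, putting the stock handler back. The key paths and the default handler `"%1" %*` are standard Windows; the hijacked command shown in a comment is a made-up illustration, not FakeRean's actual registry data, and the post does not say exactly which keys FakeRean writes. It must be run from an elevated prompt.

```powershell
# Added example, not from the original post or from MMPC: audit the .exe
# file-association chain that rogues of this kind hijack, and with -Repair
# restore the stock handler. Key paths and the default value "%1" %* are
# standard Windows; the hijacked command in the comment below is a
# hypothetical illustration, not FakeRean's real data.
#
# Run elevated. Once the association is broken, Explorer cannot start any
# .exe, so launch this from a console that is already open: cmd.exe starts
# programs with CreateProcess, which does not consult the file association.

[CmdletBinding()]
param([switch]$Repair)

$DefaultCommand = '"%1" %*'

# HKCU\Software\Classes overrides HKLM\SOFTWARE\Classes when a matching key
# exists there, so a per-user hijack wins even if the machine-wide key is clean.
$Roots = @('HKLM:\SOFTWARE\Classes', 'HKCU:\Software\Classes')

function Get-DefaultValue([string]$Path) {
    # Returns the "(default)" value of a key, or $null if the key is absent.
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue('')
}

foreach ($root in $Roots) {
    # Step 1: which ProgID does ".exe" map to? It should be "exefile".
    $progId = Get-DefaultValue "$root\.exe"
    if ($null -eq $progId -and $root -like 'HKLM:*') {
        Write-Warning "$root\.exe is missing"
    } elseif ($null -ne $progId -and $progId -ne 'exefile') {
        Write-Warning "$root\.exe points at ProgID '$progId' instead of 'exefile'"
    }

    # Step 2: inspect the open command of "exefile" and of whatever ProgID
    # the .exe key currently names, in case the rogue redirected it.
    $progIds = @('exefile') + @($progId | Where-Object { $_ -and $_ -ne 'exefile' })
    foreach ($id in $progIds) {
        $cmdKey = "$root\$id\shell\open\command"
        $cmd = Get-DefaultValue $cmdKey
        if ($null -eq $cmd) { continue }
        if ($cmd -eq $DefaultCommand) {
            Write-Host "OK       $cmdKey = $cmd"
        } else {
            # A hijack looks like (hypothetical path):
            #   "C:\ProgramData\example\rogue.exe" "%1" %*
            # so every shell launch of an .exe runs rogue.exe first.
            Write-Warning "HIJACKED $cmdKey = $cmd"
            if ($Repair) {
                Set-Item -Path $cmdKey -Value $DefaultCommand
                Write-Host "Restored $cmdKey to $DefaultCommand"
            }
        }
    }
}

if ($Repair) {
    # Undo a per-user redirection of .exe and make sure the machine-wide
    # mapping and handler exist.
    if ($null -ne (Get-DefaultValue 'HKCU:\Software\Classes\.exe')) {
        Set-Item -Path 'HKCU:\Software\Classes\.exe' -Value 'exefile'
    }
    $hklmCmd = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'
    if (-not (Test-Path $hklmCmd)) {
        New-Item -Path $hklmCmd -Force | Out-Null
        Set-Item -Path $hklmCmd -Value $DefaultCommand
    }
    Set-Item -Path 'HKLM:\SOFTWARE\Classes\.exe' -Value 'exefile'
}
```

Run it without arguments first to see what the association currently resolves to; the per-user branch matters because a clean HKLM value is no guarantee when HKCU carries an override. After a repair, verify that the rogue's executable itself has been removed, otherwise the next launch of the sample simply rewrites the keys.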