Initially it was "System Defragmenter", then "Scan Disk" and now it's called "Check Disk". While the name will most certainly change again, the main goal of Trojan:Win32/FakeSysdef will surely remain the same: to trick you into buying a piece of software that does nothing except scare you with fake warnings, critical "errors" and other "problems".

As the name suggests, this malware imitates a hard disk defragmenter. It pretends to scan your computer for problems: it "checks" whether your hard disk is working correctly, "defragments" it, and even checks the health status of your RAM and GPU (Graphics Processing Unit). Of course, once you start checking for problems with this "program", it is going to "find" a bucketful of them:

  • Bad sectors
  • RAM fragmentation
  • Registry errors
  • Very high CPU/GPU temperature
  • RAM failures

Image 1 - "System Defragmenter" iteration of FakeSysdef

Apparently all those problems can be resolved just by running the "defragmentation" function on your hard drive; unfortunately that component is not "enabled", and to enable it you need to buy the full version of the product. You kind of expected that, right?

If you choose not to buy the product, it will just stay in your status bar and will remind you every few minutes that your computer has problems that should be fixed.

Even though this malware is relatively new (it only appeared 2 months ago), it has already gone through several iterations.

We encountered the first sample on the 6th of October 2010; it came disguised as a fake Windows update which required the user to enter his user name and password in order to apply the security patches. The author even went to the trouble of translating the fake update messages into French, German, Spanish, and Italian in an attempt to appear as authentic as possible when running on a computer with a non-English version of Windows. Once given the information, it installed the fake defragmenter program and the errors started pouring in.

At this point the installer malware came in an unprotected form: no action was taken to evade antivirus detection, and no code obfuscation was applied to make analysis more difficult. This makes us think it was a trial run, made just to test the waters and see how it fared once in the wild.

Image 2 - "Windows Update" installer for FakeSysdef

We spotted a new variant on the 10th of October 2010; it had the same icon as Windows Update but no Windows Update message was shown. The malicious code was installed silently and ran in the background until the user tried launching an application at which point a "system error" occurred. The approach evolved at this point:

Image 3 - "System Error!" message displayed by FakeSysdef

  1. The authors decided to be less obvious: since an advanced user would get suspicious if a new application suddenly started scanning for problems, the malware now waits for user interaction before showing itself.
  2. The Defragmenter is hidden under multiple layers generated by 2 executable protectors/packers ("Stealth PE" and a custom packer encountered in other malware) to make detection and analysis more difficult. Fortunately we easily bypass this technique in our products.
  3. The malware now deletes its original binary, showing the authors' intent to hide their tracks.

On the 27th of October we saw another version. It was distributed standalone and used stolen file information and the icon from the file utilman.exe, which is present in Windows XP. This seems to be a major update where they tried to improve the resistance to analysis tools and AV products:

  1. The file won't run in a virtualised environment; and
  2. The file is protected only with a custom-made packer, which employs anti-emulation code to stop AV products from analysing the file.

On the 15th of November a minor update was released. The software used the name "Scan Disk", probably because of the attention the previous name had slowly started to attract. Again they invested heavily in code to fight AV detection. They reverted to the original defragmenter icon and to the original behaviour of showing the interface scanning for errors.

Image 4 - "Scan Disk" iteration of FakeSysdef

On 21 November a new version was released. This time the move was to switch the name to "Check Disk", which sounds like the name of the legitimate Windows tool "chkdsk.exe" (chkdsk.exe is used to legitimately identify and correct various hard drive problems). This was a move clearly directed at fooling inexperienced users. The code was also updated to evade antivirus detection. Fortunately our products, such as Microsoft Security Essentials, detect all these versions.

Image 5 - "Check Disk" iteration of FakeSysdef

We are sure we'll be seeing more changes from Trojan:Win32/Fakesysdef in the future, changes that we will closely monitor and detect to protect our users.


Below are example SHA1 hashes for the malware discussed in this blog:

cadacb248411c287822b2b09d6fff301a0f294a8
5a69f5fa043d2f5141226d10cb67d6d2a2d59f4a
d7195878d15c0e294101c5385b402b75885216f8

While writing this blog, a new version of the malware was encountered, "Win HDD", with the following SHA1:

1905DE84FBA23A9152317A7F7C0BE7D1B3F07D70
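As an added example (not from the original post or from MMPC's tooling), the following Python script sweeps a directory tree and reports any file whose SHA1 matches the hashes quoted above. The indicator set is case-normalised, since the "Win HDD" hash is given in upper case, and demo() exercises the sweep against a constructed harmless file rather than a real sample.

```python
import hashlib
import os
import tempfile

# SHA1 indicators quoted in the post (three FakeSysdef samples plus "Win HDD").
FAKESYSDEF_SHA1 = {
    "cadacb248411c287822b2b09d6fff301a0f294a8",
    "5a69f5fa043d2f5141226d10cb67d6d2a2d59f4a",
    "d7195878d15c0e294101c5385b402b75885216f8",
    "1905DE84FBA23A9152317A7F7C0BE7D1B3F07D70",  # given in upper case in the post
}

def normalize_hashes(hashes):
    """Lower-case and validate: a mistyped indicator would otherwise never match."""
    out = set()
    for h in hashes:
        h = h.strip().lower()
        if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
            raise ValueError("not a SHA1 hex digest: %r" % h)
        out.add(h)
    return out
def sha1_of_file(path, chunk_size=1 << 20):
    h = hashlib.sha1()  # hash in chunks so large binaries are not read into memory at once
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()
def sweep(root, indicators=FAKESYSDEF_SHA1):
    """Return [(path, sha1)] for every file under root whose SHA1 is an indicator."""
    wanted = normalize_hashes(indicators)
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip it, keep sweeping
            if digest in wanted:
                hits.append((path, digest))
    return hits
def demo():
    """Constructed offline check: sweep a harmless temp file with its own SHA1."""
    root = tempfile.mkdtemp()
    data = b"constructed sample bytes, not malware"  # constructed, not a real sample
    path = os.path.join(root, "sample.bin")
    with open(path, "wb") as f:
        f.write(data)
    return sweep(root, {hashlib.sha1(data).hexdigest().upper()}), sweep(root)
```

Running sweep() with the default indicator set over a suspect directory lists only exact-hash matches, so a repacked variant (as the post describes for each iteration) will not be found this way; the hashes are useful for confirming a known sample, not for catching the next one.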


Daniel Radu & Marian Radu
MMPC Dublin