We added three new families to this month's Malicious Software Removal Tool (MSRT): Win32/FakeDef, Win32/Vicenor, and Win32/Kexqoud. In this blog, we will talk about the rogue antivirus family Win32/FakeDef. It is not a big player in the rogue antivirus world, but it has some distinctive characteristics.

We found this family in the wild in December 2012. Initially it was pushed to victims' machines by Win32/Fareit variants. This means that a machine where Win32/FakeDef is found may also be infected with other malware, so it's a good idea to run a full scan with your security software to make sure everything is caught and cleaned.

Unlike many other rogues, Win32/FakeDef's infection happens in three stages. As you can see in Figure 1, the first stage is a downloader component that is pushed by other malware, such as Win32/Fareit, and installs itself to the %CommonAppData%\pcdfdata folder.

In the second stage this component contacts the command-and-control (C&C) server (for example collectingtabletfriendly.info, as shown in Figure 1), which returns the location of the encrypted rogue component (shown in Figure 1 as sublistsvirus.info). The downloader fetches that component and saves it as vl.bin under %CommonAppData%\pcdfdata.


Figure 1. Infection stages of the Win32/FakeDef family.

In the final stage the encrypted rogue component is decrypted and loaded. It changes the registry file association for .EXE files so that the rogue runs whenever any .EXE file is launched, and drops additional related files such as icons and configuration files.

Besides the staged installation, the way this family uses the downloader component to communicate with remote servers is also interesting. Because the requests appear to come from the user's web browser, they are less likely to be blocked by a per-application firewall rule or to stand out in firewall and proxy logs.

To do this, it first creates an agent process: the program registered as the default handler for the http protocol. By default this is Internet Explorer, but if another browser such as Chrome or Firefox is set as the default browser, that browser is used instead. When Win32/FakeDef needs to talk to a remote server, instead of sending the HTTP requests itself, it injects into the agent process a piece of code that sends the requests and receives the responses. It then waits for the communication to complete and reads the retrieved data back from the agent process.

The whole process looks like this:


Figure 2. Communication via agent process.
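The two behaviours described above, the hijacked .EXE association and the beaconing through the default browser, both leave traces a responder can check for. The following is an added example written for this post; it is not MMPC tooling and contains no Win32/FakeDef code. It checks a shell\open\command value against the clean Windows default, extracts the http handler (the program FakeDef would pick as its agent process), lists files under a pcdfdata folder, and flags proxy-log lines where that browser process reached the two hosts named in this write-up. The sample paths, the hijacked registry value and the proxy-log format are constructed for the example; the optional live registry read only runs on Windows.

```python
"""Offline triage helpers for the Win32/FakeDef behaviours described above.

Added example for this post; not MMPC tooling and not FakeDef code.
The sample paths, registry values and proxy-log lines are constructed.
"""
import os
import re
import sys

# Clean default of HKCR\exefile\shell\open\command on a stock Windows install.
CLEAN_EXEFILE_COMMAND = '"%1" %*'

# Hosts named in the write-up as the C&C server and the vl.bin download host.
FAKEDEF_HOSTS = {"collectingtabletfriendly.info", "sublistsvirus.info"}

# Constructed samples. %CommonAppData% is C:\ProgramData on Vista and later.
SAMPLE_PATHS = [
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini",
    r"C:\ProgramData\pcdfdata\vl.bin",
    r"C:\ProgramData\pcdfdata\config.bin",   # hypothetical sibling file
    r"C:\Users\alice\AppData\Local\Temp\setup.log",
]
# Hypothetical hijacked value: a rogue executable inserted before the real target.
SAMPLE_HIJACKED_COMMAND = r'"C:\ProgramData\pcdfdata\rogue.exe" -a "%1" %*'
# Typical http handler value with Internet Explorer as the default browser.
SAMPLE_HTTP_COMMAND = r'"C:\Program Files\Internet Explorer\iexplore.exe" -nohome'
# Constructed proxy-log lines; the field layout is invented for this example.
SAMPLE_PROXY_LOG = [
    "2012-12-14T10:02:13 client=10.0.0.5 proc=iexplore.exe host=collectingtabletfriendly.info uri=/",
    "2012-12-14T10:02:15 client=10.0.0.5 proc=iexplore.exe host=www.msn.com uri=/",
    "2012-12-14T10:02:19 client=10.0.0.5 proc=iexplore.exe host=sublistsvirus.info uri=/download",
    "2012-12-14T10:03:01 client=10.0.0.7 proc=outlook.exe host=mail.example.com uri=/owa",
]


def exefile_association_hijacked(command_value):
    """True when the .EXE open command no longer launches the file directly.
    Whitespace differences are tolerated; anything else counts as a hijack."""
    return " ".join(command_value.split()) != CLEAN_EXEFILE_COMMAND


def handler_executable(command_value):
    """Basename of the program in a shell\\open\\command value, e.g. the http
    handler that FakeDef would choose as its agent process."""
    value = command_value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        exe = value[1:end] if end > 0 else value[1:]
    else:
        exe = value.split()[0] if value else ""
    return os.path.basename(exe.replace("\\", "/")).lower()


def pcdfdata_files(paths):
    """Paths that live under a folder named pcdfdata (case-insensitive)."""
    return [p for p in paths
            if "pcdfdata" in (s.lower() for s in re.split(r"[\\/]", p))]


_LOG_FIELDS = re.compile(r"proc=(?P<proc>\S+)\s+host=(?P<host>\S+)")


def agent_process_beacons(log_lines, agent_exe):
    """Log lines where the agent (default browser) process reached a FakeDef
    host. Because the traffic comes from the browser, a per-process firewall
    rule or a 'browser traffic is benign' filter would have let it through."""
    hits = []
    for line in log_lines:
        m = _LOG_FIELDS.search(line)
        if (m and m.group("proc").lower() == agent_exe.lower()
                and m.group("host").lower() in FAKEDEF_HOSTS):
            hits.append(line)
    return hits


def live_registry_values():
    """On Windows, read the two registry values the checks above consume.
    HKCR\\http is the machine-wide handler; on Vista and later a per-user
    UserChoice setting can select a different browser. Returns None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg
    return {
        "exefile": winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command"),
        "http": winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, r"http\shell\open\command"),
    }


def triage(exefile_command, http_command, paths, log_lines):
    """Run all checks and return a findings dict."""
    agent = handler_executable(http_command)
    return {
        "exefile_hijacked": exefile_association_hijacked(exefile_command),
        "agent_process": agent,
        "pcdfdata_files": pcdfdata_files(paths),
        "beacons": agent_process_beacons(log_lines, agent),
    }


if __name__ == "__main__":
    live = live_registry_values()
    exefile_cmd = live["exefile"] if live else SAMPLE_HIJACKED_COMMAND
    http_cmd = live["http"] if live else SAMPLE_HTTP_COMMAND
    for key, value in triage(exefile_cmd, http_cmd, SAMPLE_PATHS, SAMPLE_PROXY_LOG).items():
        print(f"{key}: {value}")
```

On a real machine the registry values would be read live and the path list would come from a directory walk of %CommonAppData%; the log check only works if the proxy or host firewall records the originating process, which is exactly the field the agent-process trick is designed to make look innocent.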

After a successful installation, Win32/FakeDef shows its rogue antivirus user interface and may pop up fake alerts whenever you try to run a program (because it has associated itself with the .EXE file type). The brand shown on the user interface is determined by the operating system version and can include:

  • XP Defender
  • Vista Defender
  • Win7 Defender
  • Win Server Defender
  • Win Defender

The user interface may look like this when it ‘scans’ under Windows 7:


Figure 3: The Win32/FakeDef rogue antivirus user interface.

Win32/FakeDef generates misleading alerts and tries to lure you into purchasing the full version.

It may look like a legitimate antivirus product, but it is not. There are more screenshots and technical details in our Win32/FakeDef family description.

Don't pay if you see it; instead, scan your system with the latest MSRT.

Shawn Wang

MMPC