Rogue antivirus software has been a part of the malware ecosystem for many years now – Win32/SpySheriff and Win32/FakeRean date all the way back to 2007. These rogues, and the many that have followed them throughout the years, generally mislead and scare users into paying a fee for "cleaning" false detections that the software claims to have found on the machine. They often use dozens of different brandings and name combinations in an attempt to hide, cover their tracks, and avoid our detections, all so the makers of the rogues continue to make revenue.

Lately we're seeing a dropping trend in the telemetry for some of the once most-prevalent rogue families, such as Win32/Winwebsec, Win32/OneScan, Win32/FakeXPA, Win32/FakePAV. Figure 1 shows this downward trend over the past year.

Figure 1: Monthly telemetry for top rogue families

 

This downward trend is also seen when looking at the top 10 rogue families per region.

Figure 2: Top 10 rogues in the Asia Pacific region

 

Figure 3: Top 10 rogues in the Europe, Middle East, and Africa region

  

Figure 4: Top 10 rogues in the Latin America region

 

Figure 5: Top 10 rogues in North America

 

It's likely this has happened due to the antimalware industry's intense targeting of these rogues in our products, and better end-user awareness and security practices. In particular, greater education about the social engineering technique the rogues use, and the large number of legitimate, free antivirus products available on the market appear to have had an impact on a user's willingness to pay for such pests. 

However, since the big malware "players" are having more trouble in taking advantage of users paying for fake security products, and are moving away from this kind of social engineering, we are seeing other players willing to fill the gap – luckily with small impact.

In the past we've regularly seen rogues use the hosts file to block access to a legitimate security product's websites to deny users protection against the threat.

Rogue:Win32/Defru has a different and simpler approach on how to trick the user and monetize on it. Basically, it prevents the user from using the Internet by showing a fake scan when using different websites.

When the user is browsing the Internet, the rogue will use the hosts file to redirect links to a rather infamous specific fake website (pcdefender.<removed> IP 82.146.<removed>.21) that is often used in social engineering by fake antivirus malware (see Figure 2).

The mechanism is depicted in the following picture when the user accesses Bing. Note how the user will still see the name of the site they were trying to access in the address bar.

Figure 6: Browser page where the user is redirected when accessing Bing

 

Rogues often target specific countries or regions. Defru appears to be targeting Russian speakers, as evidenced both by its warnings and infection telemetry:

Figure 7: Infections of Rogue:Win32/Defru in August 2014

 

The first message tries to imitate a Windows Security message which says (we've translated it from Russian here):

"Detected on your computer malicious software that blocks access to certain Internet resources, in order to protect your authentication data from intruders the defender system Windows Security ® was forced to intervene."

The website promises a system clean, access to webpages, daily updates, and access to "Windows Security" and "Windows Defender", as in the following figure:

Figure 8: Translated fake scanner page

 

It will appear as a constant nuisance for the user as they try to access their desired website. We have a list of the websites it targets in the Rogue:Win32/Defru description – the list is over 300 entries long.

An unsuspecting user, after receiving this warning more than a few times when browsing, might be inclined to click "Pay Now". This will lead them to a payment portal called "Payeer" (payeer.com) that will display payment information (see Figure 3). It's linked to galafinance.com – a website that displayed a "Temporary busy" text when accessed and now is offline.

Figure 9: Payment service used by Win32/Defru

 

But of course, even if the user pays, the system will not be cleaned.

Win32/Defru is targeting Russian speaking users, mostly from Russia, Ukraine, and Kazakhstan.

The rogue is written in PHP, uses a PHP EXE compiler (Bambalam) and will copy itself to %appdata%\w1ndows_<4chars>.exe (e.g. "w1ndows_33a0.exe"). It persists at system reboot by adding itself to the registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the value "w1ndows_<4chars>".

Upon installation, the server is contacted and will reply with a simple "ok" to inform the connection is still alive.

The user can clean their system by removing the entry value from the "run" registry key, delete the file from disk and delete the added entries from the hosts file.

We want to remind you again that there are free security solutions such as Microsoft Security Essentials. Before paying for a product (either a security product or any other) make a thorough investigation to make sure that it is a legitimate product and it is not fake or a copy of a free one.

 

Daniel Chipiristeanu
MMPC