FAKEAV Goes Open Source… Or Not?


In the recent FAKEAV spam campaign, I realized something was off. Once the user clicks the URL and gets the bogus Antivirus 2010 up and running on the system, additional files are added. The files I found added are related to ClamAV, the open source AV toolkit for UNIX. The files include the ClamAV virus definition file and some newly-downloaded DLLs such as htmlayout.dll and pThreadVC2.dll. These files (DLLs and ClamAV definition file) are needed to run the open source antivirus software. So why are legitimate AV-related files included in the routines of a FAKEAV malware?


The files arrived via the first download routine of the fake antivirus installer. The installer also drops randomly named garbage files onto the system, which the fake scanner later reports as “infected.” Curious about all this, I downloaded the real ClamAV to test whether the fake scan was actually using the definition file. After replacing the FAKEAV definition file with the latest real one, the fake scanner still detected the garbage files as infected. For a second test, I took the FAKEAV definition file and used it in a real ClamAV scan against the same files; the result was unchanged. Apparently, the ClamAV-related files were not being used at all.

The only conclusion I’m left with is that the legitimate files are a decoy meant to lend a facade of legitimacy to the whole scam. Cybercriminals are probably also employing this tactic to evade behavior-based detection and removal: some behavior-analysis software might be fooled into treating the fake antivirus as genuine because legitimate antivirus files are present and running on the system. I doubt it, but who knows? It might just work.

Post from: TrendLabs | Malware Blog - by Trend Micro


GSO
Written on Friday, 23 October 2009 09:38 by GSO
