New Fake AV Threats on the Prowl

By Matthew Hines  |  Posted 2009-09-21 Print this article Print

Security researchers with software maker Sophos are following the trail of some new variations on the time-honored theme of phony AV programs that seek to infect end users' devices.

First off, Sophos experts noted in a recent blog post that they've uncovered a new malicious adware scanner that attempts to carry out JavaScript drive-by attacks on the people sucked into visiting its distribution sites, and to load a Trojan onto their computers.

Like many variants before it, the "AntiAdware Online Scanner" displays phony results on affected machines and then tries to convince users to download additional security software programs to clean up their devices. Those who fall for the ploy are instead hit with a Trojan dubbed Troj.FakeAV-ABD, the experts reported.

The involved Web site is also able to change its interface and the language it appears in depending on visitors' IP addresses.

While in most ways the fake scanner employs many similar elements of previous phony AV programs, its' combination of techniques marks it as a new variation on the theme, such as in the dynamic manner it presents itself, Sophos researchers noted.

In another research note, Sophos researchers highlighted their discovery of another fake AV Trojan that also attempts to download a packet sniffer "Troj/Sniffer-R" onto affected users' devices. The sniffer is designed to steal users' login credentials to allow them to break into FTP systems.

In carrying out its efforts, the Trojan initially sets up a socket to receive all incoming and outgoing packets and sits in a loop, waiting for packets with a source or destination port of 21, the FTP control port number, Sophos said.

The sniffer can then capture the host name, user name and password for any outgoing FTP connections, and even checks to ensure that the username and password combinations it finds are valid by parsing incoming traffic for the login success status code, Sophos research Mike Wood reported in a blog post.

Only the credentials which work properly are then reported on to a remote server which is connected to to a domain associated with rogue security software.

The attack highlights the manner that phony security program threats continue to evolve, Wood observed.

"The pushers of Fake AV are constantly on the run, and stolen FTP credentials are just one of the tactics used by this wily group of miscreants," Wood said. "The authors are registering new domains and shifting existing domains to new IP ranges on a daily basis, frequently changing the location where their scareware is hosted thereby avoiding network blacklists for a short time."

The involved attackers are also "stuffing" their Web pages with bogus keywords on hot topics to lure search-engine users.

"As highlighted by the malicious advertisements streamed via the NYTimes, there is much to be gained from the exposure on legitimate sites," Wood said. "First off, the malware author achieves both the new hosting location and search engine traffic by leeching off the existing reputation and user-base of the legitimate site."

"Secondly, not only is the entire user-base of the Web site exposed to any embedded malicious links, the users are likely less skeptical while browsing a site they already trust and perhaps more vulnerable to fall victim to the phony scareware warnings."

The expert also noted that stolen FTP credentials are being used to subvert larger numbers of sites, as in the Gumblar SQL injection campaign.

The activity makes it all that much more important that site admins keep their servers patched and secured up to date.

All of this just serves as more reason only to trust security providers whom you know.

Follow eWeek Security Watch on Twitter at: eWeekSecWatch.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel