Zeus for Android and fake Kaspersky Antivirus 2011

Over the weekend I wrote about the discovery of the potential Android component of the Zeus information-stealing toolkit (also known as Zitmo).

I wanted to share an update as there are further developments which have been uncovered about the relationship between the Zeus toolkit and Andr/SMSRep-B.

Thanks to Denis from Kaspersky Labs we can now confirm that the fake Trusteer Rapport application is related to malicious websites set up as command-and-control servers for several Zeus/Zbot botnets.

The server-side Zeus application checks the User-Agent string of incoming HTTP requests and delivers a malicious payload tailored to the browser type.

In the case of Android, the default browser User-Agent string will be similar to "Mozilla/5.0 (Linux; U; Android 2.2)..." and from there the operating system can be easily determined.

On a separate note, it seems that the trend of malware pretending to be legitimate anti-virus software for Android is growing.

After Trusteer, the next target is Kaspersky Labs. Yesterday, I had a chance to analyse a sample of Android malware which attempts to fool the user into installing the package by looking like a legitimate Kaspersky Antivirus 2011 product.

The application package uses an icon similar to the Kaspersky Lab icon, but the actual functionality is far less useful than the functionality of the legitimate product.

When the package is launched the malware attempts to get the unique device id number and transform it into an "activation code". The fake activation code is then displayed in a standard Android view.

Fake Kaspersky Antivirus 2011

In the background, the application installs a broadcast receiver that attempts to intercept SMS messages and send them to a web server set up by the attacker.
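To show how a defender can spot the receiver described above at triage time, here is an added Python example (not the post's own code; the manifest is constructed, not extracted from Andr/SMSRep-C) that parses an AndroidManifest.xml for an SMS_RECEIVED receiver together with the permissions this behaviour needs.

```python
"""Triage an AndroidManifest.xml for the SMS-intercepting receiver pattern described above."""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# Permissions the described behaviour needs: intercept SMS, reach the web server,
# and (for the fake activation code) read the device id.
WATCH_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.INTERNET",
    "android.permission.READ_PHONE_STATE",
}

# Constructed manifest modelled on the behaviour above; not taken from the real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeav2011">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Kaspersky Antivirus 2011">
    <activity android:name=".ActivationActivity"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(manifest_xml: str) -> Dict[str, object]:
    """Return watched permissions, SMS_RECEIVED receivers (with priority) and a verdict."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    sms_receivers: List[Dict[str, object]] = []
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                # A high priority puts this receiver ahead of the messaging app in the broadcast order.
                prio = flt.get(ANDROID_NS + "priority")
                sms_receivers.append({"class": receiver.get(ANDROID_NS + "name"),
                                      "priority": int(prio) if prio else 0})
    # Verdict: the package listens for incoming SMS and can talk to the network.
    suspicious = bool(sms_receivers) and \
        {"android.permission.RECEIVE_SMS", "android.permission.INTERNET"} <= perms
    return {"permissions": sorted(perms & WATCH_PERMISSIONS),
            "sms_receivers": sms_receivers, "suspicious": suspicious}
```

A receiver registered at runtime with registerReceiver() never appears in the manifest, so pair this check with a look at the decompiled code or with dynamic analysis.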

Luckily, in the case of this malware (which Sophos detects as Andr/SMSRep-C), the command-and-control web server IP address is 127.0.0.1 (localhost), which does not make the malware very useful.

Clearly, this is just an early test build and we will have to be on watch for the next version which will be connected with a real malicious server.

Although the functionality of Andr/SMSRep-B and Andr/SMSRep-C is quite similar, the code does not indicate that they have been developed by the same author.


Fake anti-virus cloaks itself to appear to be Microsoft Update

We are seeing the criminals behind fake anti-virus continuing to customize their social engineering attacks to be more believable to users and presumably more successful.

Last week I wrote about fake Firefox malware warnings leading users to rogue security software. This week they've started to imitate Microsoft Update.

Fake Microsoft Update page

The page is nearly an exact replica of the real Microsoft Update page with one major exception... It only comes up when surfing from Firefox on Windows. The real Microsoft Update requires Internet Explorer.

The same site was also hosting the traditional Windows XP explorer scanner we have seen for years, as well as a new Windows 7 scanner.

Similar to spam messages that have corrected their grammar and use correct imagery and CSS, the attackers selling fake anti-virus are getting more professional.

They use high quality graphics and use the User-Agent strings sent by the browser to customize your malware experience.

Just like visiting your bank you should only trust security alerts in your browser if you initiated a check with Microsoft, Adobe, Sophos or any other vendor for updates to their software.


Fake Firefox warnings lead to scareware

Purveyors of fake security software don't let much grass grow under their feet and continually make improvements to their social engineering lures.

While most of the talk for the past month has been their move to Mac with fake Finder pop-ups that appear to scan your computer, they haven't stopped innovating on Windows either.

Their latest scam? They detect your user-agent string from your web browser and display a fake Firefox security alert if you are using the Mozilla Firefox web browser.

Fake Firefox security alert

Internet Explorer users get the standard "My Computer" dialog that appears to do a system scan inside their browser window.

Taking advantage of detailed information about the person's computer and software allows for a much more specific, believable social engineering attempt.

We are likely to continue to see these criminals targeting each operating system, browser and any other details that can be gleaned from HTTP requests sent from our devices.
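As an added illustration (not code from these posts or from SophosLabs) of the User-Agent cloaking that both the Zeus command-and-control servers in the Android post and the fake anti-virus sites here rely on, the Python below fetches one URL under several constructed User-Agent strings and groups the responses by hash. `simulated_cloaking_site` is a constructed stand-in so the block runs offline; `fetch_with_agent` is the live equivalent for an isolated analysis box.

```python
"""Probe one URL with several User-Agent strings and flag UA-dependent responses."""
import hashlib
import urllib.request
from typing import Callable, Dict, List

# Constructed User-Agent strings for the browser/OS combinations the posts mention.
PROBE_AGENTS: Dict[str, str] = {
    "android-browser": "Mozilla/5.0 (Linux; U; Android 2.2; en-us) AppleWebKit/533.1 Mobile Safari/533.1",
    "firefox-windows": "Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1",
    "ie-windows": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "safari-mac": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/534.24 Safari/533.21.1",
}

def classify_platform(ua: str) -> str:
    """Recover OS and browser family from a UA string, the way a cloaking server does."""
    os_name = next((n for n, tok in (("Android", "Android"), ("Windows", "Windows"),
                                     ("Mac", "Mac OS X")) if tok in ua), "Other")
    browser = next((n for n, tok in (("Firefox", "Firefox/"), ("IE", "MSIE"),
                                     ("Safari", "Safari/")) if tok in ua), "Other")
    return f"{os_name}/{browser}"

def fetch_with_agent(url: str, ua: str, timeout: float = 10.0) -> bytes:
    """Live fetcher for an isolated analysis box: same URL, only the UA header varies."""
    req = urllib.request.Request(url, headers={"User-Agent": ua})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()

def probe_cloaking(fetch: Callable[[str], bytes],
                   agents: Dict[str, str] = PROBE_AGENTS) -> Dict[str, List[str]]:
    """Group UA labels by the SHA-256 of the body each one received.

    More than one group means the server tailors its response to the User-Agent."""
    groups: Dict[str, List[str]] = {}
    for label, ua in agents.items():
        groups.setdefault(hashlib.sha256(fetch(ua)).hexdigest(), []).append(label)
    return groups

def simulated_cloaking_site(ua: str) -> bytes:
    """Constructed stand-in for a UA-cloaking server so the block runs offline."""
    platform = classify_platform(ua)
    if platform.startswith("Android/"):
        return b"<a href='rapport.apk'>Install Trusteer Rapport</a>"   # fake Android app
    if platform == "Windows/Firefox":
        return b"<div class='ff-alert'>Firefox security alert</div>"   # fake Firefox warning
    if platform == "Windows/IE":
        return b"<div class='my-computer'>Scanning C:\\ ...</div>"      # 'My Computer' scanner
    return b"<p>Nothing to see here.</p>"                              # everyone else: benign
```

Run `probe_cloaking(lambda ua: fetch_with_agent(url, ua))` against a suspect URL from a sandboxed host; a result with more than one key is the UA-tailoring behaviour described above.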

If you click the "Start Protection" button you will download the latest, greatest fake anti-virus program which will perform exactly the way you would expect a fake anti-virus program to.

It will faithfully detect fake viruses on your computer until you register it for $80 or more.

If you are a Firefox user and see a warning about viruses on your computer, you will know it is fake. Firefox does not include a virus scanner inside of it and it will only warn you about visiting malicious pages.

If you get a warning about a dangerous website from Firefox you can always play it safe... Close the browser.

Nuclear Firefox image credit: iPholio on DeviantArt


Malware on your Mac? Don’t expect AppleCare to help you remove it

ZDNet writer Ed Bott has today published a fascinating conversation with an AppleCare support rep on the subject of Mac malware.

For reasons which will become obvious when you read the interview, the Apple support rep has chosen to remain anonymous. Chances are that if he hadn't kept his identity secret he would have been thrown out of the company pretty quickly.

According to Bott's source at Apple, AppleCare's call volume is "4-5 times higher than normal" and the overwhelming majority of calls come from Apple customers who have been hit by the current spate of fake anti-virus attacks on the Mac OS X platform.


Mac Security fake anti-virus

The Mac Defender fake anti-virus attack, and its variously named variants, are becoming common problems, it seems:

It started with one call a day two weeks ago, now it’s every other call. It’s getting worse. And quick.

Perhaps most astonishingly, the interview reveals that Apple's official policy is that representatives are "not supposed to help customers remove malware from their computer."

The reason for the rule, they say, is that even though Mac Defender is easy to remove, we can't set the expectation to customers that we will be able to remove all malware in the future. That's what antivirus is for.

Although the support rep admits that he often ignores corporate policy and helps customers remove infections, he acknowledges that this could get him into trouble if it came to the attention of higher management.

But I can sympathise with the support rep, as it's hard to justify refusing to help a user with an infected Mac when the malware is using scare tactics and unsavoury pop-up windows to hoodwink them into handing over their credit card details for a "fix".

As the AppleCare support rep describes:

Well, I’m sure you’re aware of what Mac Defender pops up on your screen if you don’t buy it. Last call I got before the weekend was a mother screaming at her kids to get out of the room because she didn’t want them seeing the images. So, panicking, yes, I’d say that would be the situation usually. I had a teacher call about Mac Defender last week.

Typical website displayed to users who refuse to pay after the fake anti-virus attack

You can read the full interview on the ZDNet website.

Here's a video where we caught one of the fake anti-virus attacks in action:



Sophos detects the latest Mac malware as OSX/FakeAV-DOE, and as we continue to encounter more waves of this attack we will enhance our protection.

If you're not a Sophos customer, but have a Mac at home, you can still protect your Mac right now. Download our free Mac anti-virus. It's automatically updated to protect against the latest threats.



Mac fake anti-virus attack adopts new disguise

New versions of the latest malware to hit Mac OS X users have come to light, following the discovery earlier this week of fake anti-virus attacks being spread by SEO poisoning.

Fake anti-virus (also known as scareware or rogueware) is commonly seen on Windows computers, of course, but until now has been rarely encountered on the Apple Mac platform.

The new variants, seen by SophosLabs, are calling themselves "Mac Security" rather than their previous disguise of pretending to be "MacDefender" (which, incidentally, is the name of a genuine security product for the Mac - adding to the confusion).


Mac Security fake anti-virus

When I ran the fake anti-virus on a test machine it claimed that a number of innocent files, including Mozilla Firefox, were infected by viruses and told me I would have to register the program in order to clean up the "infections".


The fake anti-virus tells you that you need to pay money to get a version which cleans up malware

It's precisely these kinds of scare tactics which are regularly used by Windows-based fake anti-virus attacks to hoodwink innocent users into handing over their credit card details. Clearly whoever is responsible for this latest spate of attacks believes that there are rich pickings to be made from Mac users too.

Sophos detects the latest variants as OSX/FakeAV-DOE, and as we continue to encounter more waves of this attack we will enhance our detection to protect Mac users.

If you're not a Sophos customer, but have a Mac at home, you can protect your Mac right now if you download our free anti-virus. It's automatically updated to protect against the latest threats.


Oh, and did I mention that our free Mac anti-virus product recently won a rather prestigious award? ;-)