Win32/FakeRean and MSRT

This month we added another rogue to the MSRT family list - Win32/FakeRean. Win32/FakeRean is generally very similar to Win32/InternetAntivirus and Win32/FakeXPA, which we continue to see in large numbers each month.
Following the fashion, Win32/FakeRean is distributed as several variants, each with a different name and a different "skin". Its interface is actually rendered from HTML stored inside the fake scanner's executable file. Because of this they can often look quite similar. Compare the interfaces for "Home Antivirus 2010" and "PC Antispyware 2010", for example.

Win32/FakeRean scanner interface - "PC Antispyware 2010"

Of course, this allows the creators of the malware to produce new variants with different names quite easily. Despite this, some elements of the interface are surprisingly static. The "Protection level", for example, is always displayed as "LOW". On the other hand, this isn't really surprising once you know that the program reports the same list of infections whether there is any malware on the system or not.

While fabricated infection reports are not remarkable - indeed they are what defines this class of malware - the way in which Win32/FakeRean generates these reports is particularly unusual. It installs a copy of the ClamAV open source anti-virus scan engine along with a signature file specifically produced for the rogue. It then creates files with random names in various locations on local drives and uses the ClamAV engine and signatures to detect them. The files it creates and reports are harmless junk, not even executable. They appear to be filled with essentially random data, but are created in such a way that the rogue's signatures will detect them. So the rogue performs a real scan and detects real files that you would not expect to find on your computer, possibly making its claims more plausible.
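The scanning trick described above comes down to two ingredients: a signature database the rogue controls, and planted files that exist only to match it. The following Python is an added example (not code from the original post, from Microsoft, from ClamAV, or from Win32/FakeRean) that illustrates both halves from a triage point of view. It implements a simplified subset of the ClamAV `.ndb` signature syntax (`MalwareName:TargetType:Offset:HexSignature`, plain hex bytes plus the `??` single-byte wildcard only), scans a few constructed sample files, and then checks each detection for the two properties the post attributes to the planted junk: it is not an executable (no `MZ` header) and it is essentially random data (high byte entropy). The signature name `Rogue.PlantedJunk-1`, the marker string `ROGUEMARK`, and the file names are all constructed for the example.

```python
import math
import os
import random
import re
import tempfile
from dataclasses import dataclass

# Constructed signature database in a simplified subset of the ClamAV .ndb
# format. The hex is the ASCII string "ROGUEMARK"; it is not a real ClamAV
# or Win32/FakeRean signature.
SAMPLE_NDB = """
# constructed signature database (assumption: not a real .ndb file)
Rogue.PlantedJunk-1:0:*:524f4755454d41524b
"""


@dataclass
class Signature:
    name: str
    target: int          # 0 = any file, 1 = PE executable
    offset: str          # '*' = anywhere, otherwise an absolute byte offset
    pattern: re.Pattern  # compiled bytes regex built from the hex signature


def parse_ndb(text):
    """Parse .ndb lines; supports plain hex bytes and the '??' wildcard only."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, target, offset, hexsig = line.split(":")[:4]
        parts = [hexsig[i:i + 2] for i in range(0, len(hexsig), 2)]
        regex = b"".join(b"." if p == "??" else re.escape(bytes.fromhex(p))
                         for p in parts)
        sigs.append(Signature(name, int(target), offset,
                              re.compile(regex, re.DOTALL)))
    return sigs


def is_pe(data):
    # A genuine Windows executable starts with the 'MZ' DOS header.
    return data[:2] == b"MZ"


def shannon_entropy(data):
    """Bits per byte; uniformly random data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_file(path, sigs):
    """Return the names of all signatures that match the file."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = []
    for sig in sigs:
        if sig.target == 1 and not is_pe(data):
            continue  # PE-only signature, non-PE file
        if sig.offset == "*":
            m = sig.pattern.search(data)
        else:
            m = sig.pattern.match(data, int(sig.offset))
        if m:
            hits.append(sig.name)
    return hits


def triage(path, hits):
    """A detection on a non-executable, high-entropy file matching only a
    custom signature is what the planted junk described in the post looks like."""
    with open(path, "rb") as fh:
        data = fh.read()
    pe, ent = is_pe(data), shannon_entropy(data)
    if not hits:
        verdict = "clean"
    elif not pe and ent > 7.0:
        verdict = "suspicious-planted-junk"
    else:
        verdict = "detection"
    return {"detections": hits, "is_pe": pe, "entropy": round(ent, 2),
            "size": len(data), "verdict": verdict}


def demo():
    """Build three constructed files in a temp dir, scan and triage each."""
    rng = random.Random(2010)
    sigs = parse_ndb(SAMPLE_NDB)
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # Random filler with the marker embedded, mimicking a planted file.
        junk = bytearray(rng.getrandbits(8) for _ in range(2048))
        pos = rng.randrange(0, len(junk) - 9)
        junk[pos:pos + 9] = b"ROGUEMARK"
        files = {
            "planted.dat": bytes(junk),
            "readme.txt": b"An ordinary text file with nothing of interest.\n",
            "tool.exe": b"MZ" + bytes(64) + b"ROGUEMARK" + bytes(64),
        }
        for name, data in files.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            results[name] = triage(path, scan_file(path, sigs))
    return results


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info)
```

The point of the triage step is that a real scan engine faithfully reporting a match is not evidence of an infection: the signature and the matched file can both come from the same party. When a product's detections consist of non-executable, random-looking files with names you have never seen, the signature database itself is what deserves scrutiny.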

Win32/FakeRean is often downloaded by other malware, such as Win32/Renos, but it is also distributed through web sites that look fairly credible at first glance. Again, the different variants are often very similar, right down to the "testimanials" (sic).

More information on rogues can be found in the latest Security Intelligence Report (SIR).

-- Hamish O'Dea