For this month, we added the Win32/FakeCog family to the Malicious Software Removal Tool (MSRT) release. FakeCog is another family of rogue applications that employ dubious methods to convince an unsuspecting user to install and buy their software. It tries to protect itself with code obfuscation and anti-emulation techniques to evade detection by security products.
Some of the recent brand names that FakeCog has been known to use are “Defense Center”, “Anvi Antivirus”, “Protection Center” and “Data Protection”. There are times when FakeCog just changes the brand name but still uses the same skin. Let’s take two of the most recent brands for example. Notice the similarities of the splash screens used by Protection Center and Anvi Antivirus below.
As another example of a connection between the brands, the EULA for FakeCog’s Anvi Antivirus (see figure below), mistakenly refers to Defense Center. It is as if they forgot to change it into the new brand name.
As of this writing, Protection Center and Anvi Antivirus have two main components that they drop in the current user’s temporary directory.
- Wmsdk64_32.exe – This component drops a DLL file with a variable name (i.e. expand32xp.dll, kernel64xp.dll, eapp32hst.dll) in the same folder and injects it into the Windows Explorer process so that it can remain running in the system. As an example, see the snapshot of Process Explorer below that shows explorer.exe and the injected FakeCog component:
- Wscsvc32.exe – This component displays an imitation of the Windows Security Center dialog box and drops an EXE file with a double name extension “.tmp.exe” (i.e. asdf.tmp.exe, asd12.tmp.exe, tmp28da.tmp.exe) in the same folder. This EXE file tries to uninstall a legitimate security product that it finds in the system and also installs its own rogue software.
Note that this brand of FakeCog disables the Windows Task Manager so that if the user attempts to kill the rogue processes using Task Manager, they will not be able to use it.
Below is a snapshot of the fake Windows Security Center dialog box displayed by the component mentioned above.
It always shows the Firewall and Automatic Updates features as ON, even if the real settings say otherwise. Notice the misspelling (protec instead of protect) and the presence of an “Install” button inside the Virus Protection box.
When the “Install” button is pressed or if the user clicks on one of the misleading balloon alerts displayed by the rogue, FakeCog tries to download and install its software. In addition, if there is a legitimate security product such as Microsoft Security Essentials installed in the target system, a message box similar to the one below is shown to try to convince users to uninstall it.
Even if the user does not press “OK”, the rogue application will still launch the uninstaller for that security product.
Aside from using false detections and misleading alerts, another scare tactic that may be employed by this rogue is to drop suspicious files on the user’s desktop to let them think that they are infected. Protection Center and Anvi Antivirus drop shortcuts to supposed pornographic sites and dummy executable files with names that begin with “spam” or “troj” (i.e. spam001.exe, spam003.exe, troj000.exe).
FakeCog may also download encrypted files from remote sites. The encrypted files may either contain data or it could also be another malware. Below is a snapshot of web sessions showing FakeCog attempting to download data files (shown as the URIs /avt/avt_db in the figure).
FakeCog has been observed to download and install variants of the Win32/Alureon family into the infected system. Below is a snapshot of Alureon files that were downloaded by FakeCog and injected into the Internet Explorer process.
In this case, FakeCog did not just try to convince the user into buying their rogue application, it also intentionally infected the system with additional real malware.
By the way, FakeCog is not the only rogue known to download and install Alureon. Back in February and June, my colleagues, David Wood and Hamish O’Dea, mentioned Win32/Fakeinit doing the same thing here and here.