This month's Malicious Software Removal Tool (MSRT) includes Win32/FakeSysdef - one of the most prevalent trojans affecting our support groups over the past few months. We've discussed this threat in previous blogs (1, 2), and turn to this excerpt from our encyclopedia for some more detail:
Win32/FakeSysdef is a family of programs that claim to scan for hardware defects related to system memory, hard drives and over-all system performance. They scan the system, show fake hardware problems, and offer a solution to defrag hard drives and optimize system performance. They then inform the user that they need to pay money to download a 'fix' module, register the software and repair these non-existent hardware problems."
The first variant we saw in the wild called itself "System Defragmenter" hence the name, FakeSysdef (SHA1: C5130D12851D03ED42A7CC25BE5629E0A43E90A2).
With a trained eye, we found some tell-tale signs that the authors behind Win32/FakeCog are related to those behind Win32/FakeSysdef. It also seems coincidental that FakeSysdef's first release was a month after the inclusion of Win32/FakeCog to MSRT last September. Since that time, FakeCog detections have decreased while FakeSysdef detections have become more prevalent.
How do I get infected?
Creators of trojan and rogue security software are notorious for using exploit kits and "search result poisoning", or Black SEO, to launch installers of their malware. For example, malware creators could use an image search poisoning scheme to deliver poisoned search results to users that search for a photo of a popular or public person. When opening a (malicious) returned search results page, the user could become infected by way of a drive-by download that executes a Win32/FakeSysdef installer. FakeSysdef may also be downloaded by other malware, including Win32/Chepvil.
Win32/FakeSysdef drops a copy of itself and/or another component (DLL or EXE) to the "%APPDATA%" folder using random filenames, for instance:
- c:Documents and SettingsAll UsersApplication Data<RANDOM>.exe
- c:Documents and Settings<UserName>Local SettingsApplication Data<RANDOM>.exe
Note: These folders are commonly hidden, so you might need to check these links for Windows Vista and Windows 7 to enable the viewing of hidden files and folders to see the dropped files.
Here is an example of the dropped files (the main executable and a configuration data file):
Figure 1 - Dropped files
A shortcut link is created in the desktop folder and sometimes in the Program menu, hoping that the user will run it eventually. Others may just create a plain autorun registry entry to run the trojan every time Windows starts.
To be more appealing, recent FakeSysdef variants are smart enough to detect the operating system when constructing the brand names they use. An example of this strain is the "Windows 7 Recovery"distribution that checks the Windows version with common APIs such as GetVersionExW() and GetNativeSystemInfo(). Other variants with similar behavior are: "Windows 7 Restore" and "Windows 7 Repair".
Figure 2 - View of API call by FakeSysdef
Win32/FakeSysdef typical behavior, once active, is to display fake error messages such as those seen in Figure 3, that scare the user into believing that their computer needs repair. But before they can clean up their computer, they need to buy or register the software. Needless to say, this is the old-and-dirty trick from rogues and some trojans to scam money from infected users - to scare you into buying their fake software. If the user ignores the malware (eg. clicking 'Cancel'), it reboots the machine repeatedly until they activate the fake fix. Downloading and installing the fake fix module will not clean up the computer and it doubles the risk by downloading an additional component or different new malware.
Figure 3 - Examples of fake error messages from FakeSysdef
Figure 4 - FakeSysdef fake request to "Fix problem"
After installation, it connects to a remote website to report infection information. The remote website's URI formats are all the same or similar and hard-coded in the binary with simple encryption. The %s format in the decrypted string (Figure 5) is replaced later in the code by the actual hardcoded domain name. This means that the binary is being auto-generated with some kind of server-side polymorphic engine, embedding the URI of the C&C domain on every binary compiled. The domains used also look pre-generated, being registered when the binary is released.
Figure 5 - Analysis of FakeSysdef illustrates call to decrypt URI string
Perhaps, it's worth noting as well that a small fraction of FakeSysdef variants were found to be blocking launched programs once active. It accomplishes this by using a DLL component injected to some pre-determined processes like EXPLORER.EXE, WINLOGON.EXE and WININET.EXE with the following registry entry:
In subkey: HKLMSystemCurrentControlSetControlSession ManagerAppCertDlls
Sets value: "AppSecDll"
With Data: "c:documents and settingsall usersapplication data<RANDOM>.dll"
The DLL exports the CreateProcessNotify() function to check if the trojan is installed by querying some registry entries related to itself and denying programs that are executed by the user. This aggravates its effect especially for cleanup, as you cannot run programs to remove the trojan. Users might need to boot from Safe Mode to clean this strain.
Ties with other malware
The underground business of malware has a complex structure and different malware families are often inter-related. For example, we have observed Win32/Hiloti installing Win32/FakeSysdef in the past. FakeSysdef in return, was also found to download and install Win32/Alureon.
With the inclusion of FakeSysdef in this month's MSRT, we hope that its extinction is imminent!
-- Rex, MMPC