I’ve worked in this industry for some time now, but to be frank, working as a writer with the MMPC I don’t see too much live malware action from the front lines. I tend to write about other people’s experiences with malware. However, I had this experience recently that I wanted to share with you, to give you some insight into one way that malware is distributed and talk about how it’s representative of a fairly common scenario.
A colleague (Scott) was prompted to make comment after overhearing another colleague use the phrase “Oh really?“.
Scott (accidentally overhearing snippet of conversation): “Whenever I hear someone say “Oh really” I always think of the owl.”
Me (oblivious to Internet pop culture): “What owl?”
Scott: “You know, that meme with the owl.”
Me (feeling decidedly unhip –and absolutely emphasizing that idea by using the term ‘unhip’ in this blog post): “No. I don’t know it.”
(For those unfamiliar, a meme is kind of like a thought virus – an idea that spreads throughout a particular culture.)
Moments later, I’m viewing the results of an image search and chuckling away to myself about this owl. Here is one artist’s (my) impression of the ‘o rly owl’ (that looks almost nothing like the real o ‘rly owl’, but you get the idea and I don’t appropriate the original artist’s intellectual property):
Wanting to get a closer look at this humorously cynical owl, I randomly clicked on one of the image results (as you do) only to be confronted by this alert:
Ah, the notorious ‘the system crash’.A scary dialog that won’t let me escape its evil clutches without following the attacker’s wishes by responding to the dialog (or resorting to Task Manager). It’s looking suspiciously like I am experiencing some social engineering from the distributors of a Rogue. Upon clicking ok, the following was displayed:
Had I clicked on the ‘Clean computer‘ button I would have been prompted to download a malicious ZIP file that we detect as Rogue:Win32/FakePAV.
So, what’s really happening here?
The entire attack up to this point is happening in the context of the browser and the mind of the targeted user. Despite its appearance, the “Microsoft Security Essentials Alert” window is not a window at all, merely a PNG image shown within the browser. The web page displaying the image uses an image map to turn a box over the “Clean computer” button into a link that points to a malicious file. In other words, the web page is really just a link to a malicious file made to look like a Security Essentials window. If you click the link you’re faced with the same choice you always get when clicking a link to an executable or, in this case, a ZIP archive. There are no exploits involved here; only if you choose to open or save the file is the malware downloaded to your computer.
Once installed, the attempt to mislead and scare you into doing what the attacker wants continues. Win32/FakePAV is a rogue that displays fake infection reports in order to scare you into downloading and paying for a fake security scanner. It also (very annoyingly) persistently terminates numerous processes such as Windows Registry Editor, Internet Explorer, Windows Restore and other utilities and applications that makes removing it more difficult.
While technology can offer great protection from malware, you do need to continue to be mindful of attempts to deceive, and recognize illegitimate attempts at influence and coercion. Attackers will attempt to compromise a system through any interface they believe is vulnerable – even the human interface. Don’t be vulnerable – expect to be targeted in this manner and be ready to not comply to the attacker’s wishes. Use a legitimate, complete antimalware solution (Microsoft Security Essentials is one, but there are many others) and familiarize yourself with how it works so you know what to expect when an attempt to compromise your computer is made.