March 4, 2010, 2:25PM

An Inside Look at the Aurora Scareware Tactic

Some of the malware families that were part of the Operation Aurora attacks that targeted dozens of major U.S. companies are being installed through fake antivirus and scareware attacks, researchers say. Researchers at Damballa, which published an in-depth report on the Aurora attacks, found that the attackers have been using two separate fake AV programs to download and install a cocktail of malware on victims' machines. The scareware programs, known as Fake AV/Login Software 2009 and Fake Microsoft Antispyware Services, use the classic scareware tactic of serving fake infection warnings to victims. Once the user clicks the warning, the download process begins, and it ends with the machine infected by the Aurora botnet malware.

Here's how the Login Software 2009 scareware attack works:

This set of malware is propagated through fake malware alerts. The supposed AV installer is the actual malware dropper; its main purpose is to drop and install the rest of the malware components. On execution, the dropper assigns a specific ID to the compromised host, registers that ID with its malware-serving website, and downloads the remaining components to the compromised host.

To ensure that the malware is downloaded even if one server is unavailable or taken down, the dropper's author built redundancy into the malware-serving web infrastructure: the dropper checks three different malware-serving websites.

After the successful download of the main component, the main dropper generates a random file name and copies the downloaded component under that name into the “C:\Documents and Settings\<User>\Local Settings” folder. It calls itself Login Software 2009. The dropped file is then executed so the component is active in memory. To survive a reboot, it uses the most common autostart mechanism, a value under the registry key:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
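The persistence pattern described above (a randomly named executable dropped into the user's Local Settings folder and started from the HKCU Run key) is what an incident responder would look for on a suspect Windows XP host. The following is an added triage example written for this page; it is not code from Damballa's report or from the malware. It takes the Run values as `reg query` would list them, extracts each program path, and flags entries that sit under Local Settings or carry a random-looking name. The sample entries, the user name `alice`, the file name `qx7fz2kd.exe`, and the randomness heuristic are all constructed assumptions, not indicators from the report.

```python
import re

# Registry key named in the article; the dropper writes its autostart value here.
RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of Run values as 'reg query' would list them on an XP host.
# The "Login Software 2009" entry is modelled on the article's description; the
# file name qx7fz2kd.exe is an invented placeholder for the random name.
SAMPLE_RUN_ENTRIES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "Adobe Reader Speed Launcher": r'"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"',
    "MSMSGS": r'"C:\Program Files\Messenger\msmsgs.exe" /background',
    "Login Software 2009": r'"C:\Documents and Settings\alice\Local Settings\qx7fz2kd.exe"',
}

# XP-era per-user Local Settings directory, the drop location named in the article.
LOCAL_SETTINGS_RE = re.compile(
    r"^[a-z]:\\documents and settings\\[^\\]+\\local settings\\", re.IGNORECASE
)


def executable_path(command: str) -> str:
    """Extract the program path from a Run value: either a quoted path
    (arguments may follow) or an unquoted path ending in .exe."""
    command = command.strip()
    if command.startswith('"'):
        closing = command.find('"', 1)
        return command[1:closing] if closing > 0 else command[1:]
    match = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return match.group(1) if match else command.split()[0]


def looks_random(filename: str) -> bool:
    """Crude heuristic (an assumption, not from the report) for a generated
    name: an alphanumeric stem of six or more characters mixing letters and
    digits, e.g. qx7fz2kd. Legitimate names like ctfmon or msmsgs do not match."""
    stem = filename.rsplit(".", 1)[0]
    return (
        len(stem) >= 6
        and stem.isalnum()
        and any(c.isdigit() for c in stem)
        and any(c.isalpha() for c in stem)
    )


def triage_run_entries(entries: dict) -> dict:
    """Return {value_name: [reasons]} for Run entries that match the dropper's
    persistence pattern. Entries with no reasons are omitted."""
    findings = {}
    for name, command in entries.items():
        path = executable_path(command)
        filename = path.rsplit("\\", 1)[-1]
        reasons = []
        if LOCAL_SETTINGS_RE.match(path):
            reasons.append("executable lives under the user's Local Settings folder")
        if looks_random(filename):
            reasons.append("random-looking file name")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    print(f"Checking {RUN_KEY}")
    for name, reasons in triage_run_entries(SAMPLE_RUN_ENTRIES).items():
        print(f"  suspicious: {name!r}: " + "; ".join(reasons))
```

On a live host the dictionary would be filled from `reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"` rather than the constructed sample, and the same check should be run against the HKLM Run key and the per-user RunOnce key, since the article only says the dropper used the "most common" location. Location is the stronger of the two signals: legitimate installers do not place their autostart binaries in a user's Local Settings folder, while the name heuristic is only a tie-breaker and will miss a dropper that picks a plausible-looking name.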

Fake AV and scareware have become a major problem for users in recent years, and their use in the Aurora attacks is evidence of just how effective the tactic can be.


Comments

It would be great if this information could be made available in Spanish. It looks very interesting. What could I do to get it..? Or what can you do for those of us who don't know English...?



Copyright © 2010 threatpost.com