Some of the malware families that were part of the Operation Aurora attacks that targeted dozens of major U.S. companies are being installed through fake antivirus and scareware attacks, researchers say. Researchers at Damballa, which did an in-depth report on the Aurora attacks, found that the attackers have been using two separate fake AV programs to help download and install a cocktail of malware on victims’ machines. The scareware programs, known as Fake AV/Login Software 2009 and Fake Microsoft Antispyware Services, use the classic scareware tactic of serving fake infection warnings to victims. Once the user clicks on the warning, it begins the download process that leads to infection with the Aurora botnet malware.
Here’s how the Login Software 2009 scareware attack works:
This set of malware is propagated through Fake Malware Alerts. The
supposed AV installer is the actual malware dropper. Its main purpose
is to drop and install the rest of the malware components. Upon
execution of the dropper, it assigns a specific ID to the compromised
host. It then registers it to its malware server website and downloads
the rest of the malware to the compromised host.
To ensure that the malware is downloaded, the creator of this
malware dropper uses redundancy in its malware serving web
infrastructure. The dropper checks three different malware serving
websites.
After the successful download of the main component, the main
dropper generates a random name and copies the downloaded component to
“C:Documents and Settings<User>Local Settings” folder. It
calls itself Login Software 2009. The dropped file is then executed to
make it active in memory. For it to survive reboot, it uses the most
common way to autostart by using the registry entry:
HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun
Fake AV and scareware have become a major problem for users in recent years, and its use in the Aurora attacks is evidence of just how effective the tactic can be.
