There are quite a few reports currently about particularly ugly development son the fake AV front. The Register's John Leyden has referred to a "double dipping" attack, in which the notorious Antivirus 2009 is implicated in an attack that goes beyond offering useless rogue anti-malware to inflicting actual damage on user data files, in order to force the victim to pay for another "utility" in order to recover them. FireEye implicates Vundo (Virtumonde), the equally notorious adware Trojan, which is often used to push fake security software. The attacks ESET is seeing involve the dropping of a malicious executable called fpfstb.dll - which we, among others, detect as Xrupter- into the system directory (%sysdir%), and creating or changing a number of registry keys. This one ensures that the program is run at every startup.
HKEY_LOCAL_MACHINE SOFTWARE Microsoft Windows NT CurrentVersion Windows "AppInit_DLLs" = "% Sysdir% fpfstb.dll"
Xruptr is a Trojan application that looks for data files in the "My Documents" folder and encrypts them. As you can see from the list of file types below* this attacks types of file that may be critically important for personal or business reasons to the victim.
The victim then sees messages like these in the system tray:
"Windows File Protection
Windows has detected that the following files seems to be corrupted. To prevent future data corruption, click Repair button below. "
"FileFix Professional 2009
Please, register your copy of FileFix Professional 2009 to repair all corrupted files. Click here to open Buy now page. "
FileFix does decrypt the affected files so that they're accessible again, but only at a price (and it only decrypts the files that Xrupter has weakly encrypted: it's useless as a general decryption utility and may well be used for other malicious purposes in the future). Furthermore, its home web site is currently offline, so if you fall victim to this scam, you may not be able to access it anyway.
Fortunately, a number of sources have made alternative (and free!) decryption utilities available. Symantec's is here, and FireEye's is here,
There's nothing new about ransomware of course: in fact, it was Dr. Popp's AIDS Trojan, which encrypted the victim's hard disk and then demanded money to get it fixed, which was my introduction to anti-malware research in 1989.
And fake anti-malware is almost as old - one of the Black Baron's malicious packages was made available as "antivirus" in the 1990s.
However, the combination of fake security software and data-diddling as a means of extortion as two prongs of the same attack seems, somehow, particularly unpleasant. Nonetheless, I'm sure we'll see more of such attacks.
* The Trojan looks for files with the following filetypes (filename suffixes - that is, the part of the filename that follows the last period character, for example mynewnovel.doc):
doc
docm
docx
dotm
dotx
jpeg
jpg
mdb
mp3
pdf
png
potm
potx
ppam
ppsm
ppsx
ppt
pptm
pptx
pst
wma
xlam
xls
xlsb
xlsm
XLSX
xltm
xltx
(Thanks to Paolo Monti, my colleague at Future Time/ESET.it, Hon Lau of Symantec, and Alex Lanstein of FireEye for some of the information on Xrupter used here.)
David Harley
Director of Malware Intelligence
