Friday, November 08, 2013

Tempting Photo Attachments Lead to Fake AV

One of today's largest malicious spam campaigns continued an occasional theme we've been seeing for a few weeks: a subject line, a message body consisting of a single "emoticon", and an attachment that promises to be a picture.

The emails had a wide variety of subjects and were coming in fast and furious around 4:00 this morning:

A query in the Malcovery Spam Data Mine shows the variety of subjects used in the campaign:

count |                  subject                   
-------+--------------------------------------------
    90 | Someone showed me your picture
    86 | I love your picture!
    85 | This is the funniest picture ever!
    85 | What you think of this picture?
    84 | You look so beautiful on this picture
    80 | Tell me what you think of this picture
    78 | You should take a look at this picture
    78 | Take a look at my new picture please
    75 | Is this you??
    69 | Someone told me it's your picture
    66 | Should I upload this picture on facebook?
    62 | Picture of you??
    50 | Your friends won't be happy about that
    48 | My private picture only for you
    47 | Private
    46 | Your picture is all over the web now
    44 | Keep it secret
    43 | Keep it private
    43 | Could you explain please?
    43 | Do you think I'm attractive?
    41 | Photo of you naked??
    40 | Do you think I'm 'pretty or ugly?
    40 | My private photo for you
    39 | Do you think she is hot?
    37 | Hey check out this picture
    37 | I just can't belive this
    35 | You look terrible on this photo
    35 | I found this picture of you
    35 | My private picture
    35 | To show how much I love you
    35 | Please rate my picture
    35 | Your wife won't be happy about that
    34 | How do you think she looks?
    34 | Please tell me this is your photo
    33 | Shame on you
    31 | Your opinion needed
    30 | Check out my photo but keep it private
    26 | I love you so much please check my photo
    22 | My private photo
    11 | What you think about my halloween costume
     7 | Your wife wont like this picture
     7 | Happy Halloween
     6 | Check this out!!
     6 | Best halloween costume
     6 | Your wife will be shoked
     6 | Worst picture ever!
     5 | Private picture of you?
     5 | Biggest pumpkin lol
     5 | Halloween costume
     4 | You are fucking ugly
     4 | Biggest fail of the month
     4 | Best halloween costume ever
     4 | You are so sexy
     3 | Are you crazy??
     3 | Naked picture of you
     3 | You like my halloween costume??
     3 | WTF?
     3 | Busted you naked
     3 | WOW WTF is this???
     2 | Please explain??
     2 | Let me know if this is really your picture
     2 | Check out my halloween costume
     2 | Seen this shit before??
     2 | LOL
     1 | Spam: My private photo
     1 | Can't belive this!
(66 rows)

Clustering the campaign was further complicated by the fact that every email attachment had a unique MD5 hash (one of the tricks we use to cluster emails is to look for them to have the same attachment).

I won't go into the technical details of how it works, but the ZIP file contained an SCR file -- an old filetype that used to be a common way for people to share "Screen Saver" files. Trying to "view" the Image file from inside the .ZIP actually results in the .SCR file being executed, and downloading and executing the file "soft.exe" from the website at 91.216.163.208 as you can see from this code-dump of the SCR file.
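As an added example (not code from the original post), here is a small Python check that flags the ZIP-wrapped SCR disguise described above and clusters messages on the subject template plus the inner filename shape, so the per-attachment MD5 randomisation does not split one campaign into hundreds of singletons. The archive, member names and payload bytes are constructed for the demonstration.

```python
import hashlib
import io
import re
import zipfile

# Extensions Windows will execute when the user "opens" the member.
EXECUTABLE_EXT = {".scr", ".exe", ".pif", ".com", ".cpl", ".bat", ".cmd"}
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}

def inspect_zip(data: bytes) -> list:
    """Return (member name, size, reasons) for members that are not what they claim."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            base = info.filename.lower().rsplit("/", 1)[-1]
            exts = ["." + p for p in base.split(".")[1:]]
            head = zf.open(info).read(2)          # first two bytes of the member
            reasons = []
            if exts and exts[-1] in EXECUTABLE_EXT:
                reasons.append("executable extension " + exts[-1])
            if len(exts) > 1 and exts[-2] in IMAGE_EXT:
                reasons.append("image double extension")
            if head == b"MZ":                     # PE executable header
                reasons.append("PE header (MZ)")
            if reasons:
                findings.append((info.filename, info.file_size, reasons))
    return findings

def cluster_key(subject: str, findings: list) -> str:
    """Cluster on subject template and inner filename shape (digits collapsed),
    not on the attachment hash, which this campaign varied per message."""
    template = re.sub(r"\d+", "#", subject.lower().strip())
    shapes = sorted(re.sub(r"\d+", "#", f[0].lower()) for f in findings)
    return hashlib.sha256((template + "|" + "|".join(shapes)).encode()).hexdigest()[:16]

def attachment_md5(data: bytes) -> str:
    """Traditional per-attachment hash, shown here to contrast with cluster_key."""
    return hashlib.md5(data).hexdigest()

def build_sample(member_name: str, payload: bytes) -> bytes:
    """Constructed sample: a ZIP whose single member is the given bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()
```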

The file failed to run in our default analysis Sandbox so we had to break out the Raw Iron ... since the malware was being so paranoid, I used a camera to document what came next rather than taking screenshots in the program.

The Fake AV was called "AntiVirus Security Pro" and popped up in the typical fashion to run a "Full Scan" of my system:

While it was running I pulled a list of running process names and found that the malware had copied itself to my "Local Settings\Temp" directory and was running from there with the name "dnn9d9n39dn93nd39b9d393d3bdb.exe" (as you can see in the CMD window behind the scan above). That file was 569,344 bytes in size.

After the scan completed, I went ahead and told it to Repair All of the threats it had found.

Unfortunately, it failed to repair some of the infections, because I was running a "limited version" of Antivirus Security Pro.

But there is HOPE! Even though "Not all threats have been eliminated." I could "Buy Full Edition" to fix the remaining 19 threats! What a relief!

When I chose not to do that right away, the Fake AV popped up occasional helpful HINTs that said "We strongly recommend activating full edition of your antivirus software for repairing threats."

Pretty darn expensive Fake AV! To the authors - please note that you are more likely to get the $99.99 for a LIFETIME license as opposed to six months. Nobody is going to pay $59.99 for a 30 days license, but we also aren't going to pay $99.99 for only 6 months! Maybe you could try 1 year, 2 year, 5 year?

Sadly, my credit card didn't clear. I'm shocked. I tried really hard to make up a valid card number! The good news is that the "Antivirus Tech Support" link on my desktop would take me back to the shop anytime I wanted to try again by visiting "techprotectorltd.com":

Fake AV IS A CRIME! REPORT IT!

Were you a victim of this scam? Whether you paid for the Fake AV or not, I would strongly encourage you to report your experience to the Internet Crime and Complaint Center by visiting: IC3.gov and using the "File a Complaint" button!