Security Response

Honor Among Thieves? Definitely Not.

Created: 26 Oct 2009 21:54:33 GMT • Updated: 23 Jan 2014 18:31:50 GMT
By Jarrad Shearer

Misleading application, rogue software, fake AV: call it what you will, it’s everywhere. The authors of these applications are pumping them out by the hundreds, fooling many Internet surfers, and in the process they’re making big bucks out of it. In fact, as many of our readers will be well aware by now, it is the focus of a white paper Symantec has just released entitled Symantec Report on Rogue Security Software.

So if there are so many of these things, why should one called Windows Enterprise Defender be any different from the rest? Firstly, it tries to pass itself off as Windows Defender, which is a legitimate security product released by Microsoft. Obviously the name is similar, but so is the GUI:

shot1.JPG

Notice the castle wall in the top right-hand corner of the screen, which is similar to the legitimate product. Also notice the “Full Protection Activation Registration” icon in the top left-hand corner, which looks and sounds like the real Microsoft Genuine Advantage Program.

Secondly, the website that hosts this misleading application (detected by Symantec as Trojan.FakeAV) displays the “awards” that the product has supposedly won. The “packaging” (of course it isn’t sold physically; the only way to obtain this fake antivirus software is to download it) displays the word “Windows” prominently in the centre, and the box itself looks very similar in color and shape to the boxes that other Microsoft products are sold in:

package_sml.jpg

On the front page of the same site, it also boasts of its scan times in comparison to other legitimate vendors, including Symantec:

stats.JPG

Of course these results are entirely fabricated (stronger words have been used to describe these fake applications and their bogus marketing tactics, but I can’t repeat them here). It even has a “threats centre” populated with the names of threats used by legitimate vendors and information that is either fabricated or gathered from legitimate vendors:

threats1_sml.jpg

Finally, and of most interest—especially to us security-minded folks—is that it adds registry entries to disable other fake antivirus applications as well as legitimate security products. Each entry is an Image File Execution Options “Debugger” value: when Windows is asked to start the named executable, it launches the listed “debugger” instead, so pointing it at svchost.exe simply means the targeted program never runs:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Anti-Virus Professional.exe\"Debugger" = "svchost.exe"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntispywarXP2009.exe\"Debugger" = "svchost.exe"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirus.exe\"Debugger" = "svchost.exe"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus\"Debugger" = "svchost.exe"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus.exe\"Debugger" = "svchost.exe"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPro_2010.exe\"Debugger" = "svchost.exe"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP\"Debugger" = "svchost.exe"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP.exe\"Debugger" = "svchost.exe"

It also modifies the system hosts file so that traffic destined for websites associated with other fake applications is redirected to the Google search engine:

• 74.125.45.100 4-open-davinci.com
• 74.125.45.100 securitysoftwarepayments.com
• 74.125.45.100 privatesecuredpayments.com
• 74.125.45.100 secure.privatesecuredpayments.com
• 74.125.45.100 getantivirusplusnow.com
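
Both of these tricks leave artifacts that are easy to audit. The following PowerShell script is an added example, not code from the original post or from Symantec: it lists every Image File Execution Options subkey that carries a Debugger value and every hosts-file entry that maps a name to something other than a loopback address. It assumes it is run from an elevated prompt on the machine being examined.

```powershell
# Added audit script (not from the original post): enumerate IFEO "Debugger"
# hijacks and non-loopback hosts-file mappings of the kind described above.

$ifeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Each subkey name is the program the entry applies to (e.g. AntivirusXP.exe).
$ifeoHits = Get-ChildItem -Path $ifeoPath -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    if ($null -ne $props.Debugger) {
        [PSCustomObject]@{
            Target   = $_.PSChildName
            Debugger = $props.Debugger
            # svchost.exe is not a debugger; naming it here only prevents the
            # target from ever starting. Compare any other value against known
            # tooling before treating it as benign.
            Suspect  = [bool]($props.Debugger -match 'svchost\.exe')
        }
    }
}
$ifeoHits | Format-Table -AutoSize

# Hosts file: legitimate entries almost always resolve to 127.0.0.1 (or 0.0.0.0
# for blocklists), so anything else is worth a look.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostHits = Get-Content -Path $hostsPath | ForEach-Object {
    if ($_ -match '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)') {
        $ip = $Matches[1]; $name = $Matches[2]
        if ($ip -ne '127.0.0.1' -and $ip -ne '0.0.0.0') {
            [PSCustomObject]@{ Name = $name; Address = $ip }
        }
    }
}
$hostHits | Format-Table -AutoSize
```

On an infected machine the first table would show the eight targets above with svchost.exe as the debugger, and the second would show the five domains mapped to 74.125.45.100.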

This suggests that the competition between these rogue security vendors is becoming so intense they are actively trying to cut each other off at the knees. A good ol’ turf war on the Internet. Honor among thieves? Apparently not!