
Misleading Applications – Show Me The Money!

Created: 19 Jan 2009 22:14:01 GMT • Updated: 23 Jan 2014 18:38:09 GMT

Lately there has been a huge influx of misleading applications (a.k.a. rogue or fake antivirus applications) plaguing users. By traditional definition, these programs are rogue applications that parade as fake antivirus scanners and/or fake “system cleaners.” For a good briefing on this type of “scareware,” take a look at the description provided here.

Once installed, these applications attempt to scare the user into believing that his or her computer is infected with dozens or more threats. This is done using constant pop-ups, task bar notification icons, etc. These apps usually start off with a fake scan of the system and then proceed to report non-existent threats on the system. In some cases, this is done even before the user installs the application, by popping up an image that pretends to show that the user is infected. The goal here is to try to lure the user into buying the fake product, which promises to clean up all of those made-up threats.

If the user decides to buy the application, they are usually redirected to an order page. The cost for these products can be anything from $30 to $100. These order pages will also try to up-sell the user into buying more fake products, or even multi-year licenses.

This is a huge scam, but also a very successful one that relies on social engineering tricks and scare tactics in order to make a quick buck. The majority of the companies behind these applications seem to be associated with the Russian Business Network (RBN), which is an underground network involved in online criminal activities such as spam, phishing, and bots. So, how do the misleading applications get onto the system?

Trojans are an intermediary step for the misleading application. These Trojans, once installed, can add taskbar notifications and display fake system scan pop-ups and GUI windows. The aim here is to scare the user into believing his or her computer is infected with a bunch of threats.

The rogue applications then offer to clean up these fake threats and entice the user to purchase the misleading application, because it may seem that this is the quickest and cheapest method. Quite often the Trojan drops trial versions of the misleading application onto the victim’s system, which then constantly prompts the user to either buy the protection or otherwise remain infected.

All of these social engineering tactics are “marketing tools” used by the Trojan to attempt to trick the user into buying the misleading application. Now, let’s get back to how a user would get these Trojans onto their system in the first place.

Methods of distributing Trojans

Fake codec Web pages

One popular method is using adult-content websites that are modeled after popular and legitimate video-sharing sites. In this case, the fraudulent website will ask users to download and install video codec applications in order to view the videos. However, the video codec applications are actually Trojan executables—a simple ruse, but very effective. In many cases, infected blog comments, IM spam, and malicious text ads lead users to these fake codec websites. Shown below is a screenshot of one these fake codec sites, where the downloaded codec file is, in fact, Trojan.Zlob. We have observed that Trojan binaries such as these are updated very frequently.

Malicious peer-to-peer files

Another method of Trojan distribution is through malicious peer-to-peer (P2P) file sharing. In this case, malicious users bind Trojan executables to popular applications and upload them to file-sharing websites. They use some creativity in naming the files, using celebrities’ names or popular brand names in order to try to get users interested. There are tutorials available online in order to get “script kiddies” acquainted with the process of creating “Trojanized” applications, how-to guides on publishing these applications to P2P sites, which sites to use, how to use proxy servers to serve the files, and how to avoid getting shut down for misuse.

The online tutorial shown below gives a breakdown of how to distribute malicious executables using P2P file sharing. It breaks the whole process down into easy-to-understand steps, and also advises which P2P sites to use in order to avoid getting shut down. This goes to show how easy it is to start distributing malicious code and misleading applications.

Search-based Ads

Malicious code distributors have also started using text-based search engine ads to direct users to fake product download websites for brand-name or technical-sounding applications. For example, if we perform a Web search for the keyword “directx,” one of the sponsored links points to a page cleverly pretending to be the download page for the official version of DirectX.

However, when a user visits that particular website, the fake DirectX application being offered is, in fact, a Trojan. In this case the malicious code author most likely bought the keyword “DirectX” from the ad network. The estimated daily price for the “DirectX” keyword is anything from $30 to $70. One can clearly see how malicious code authors are using legitimate ad networks to inject malicious ads, which are then used to propagate malicious code and misleading applications.

Browser exploits (drive-by downloads) are another popular way to drop Trojans onto the victim’s system. No user interaction is necessary for the user to become infected in these cases. Recently we have seen a spike in exploits targeting third-party applications such as Adobe Reader and Flash Player. These exploits crop up even on legitimate, large brand-name websites.

Very often these legitimate websites are hacked using SQL injection and other attack techniques. The attacker then adds obfuscated JavaScript code to the hacked Web page. Usually the additional JavaScript code just loads malicious content from other malicious websites using HTML tags like IFRAME and SCRIPT. The malicious content then attempts to exploit multiple vulnerabilities in order to download and execute Trojans on the user’s machine. The user in most cases is unaware of these attacks, as they are hidden and happening in the background.
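A defender checking a site for the injection pattern described above can look for exactly those two tell-tale signs: IFRAME or SCRIPT tags whose source is off-site, and iframes sized or styled to be invisible. The scanner below is an added example written for this article, not code from the original post; the sample page, its hostnames and the `scan` function are constructed for illustration.

```python
"""Flag IFRAME/SCRIPT tags that pull content from third-party hosts.

Added example (not from the original post). SAMPLE_HTML is a constructed
page: legitimate content plus two injected tags of the kind described.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a compromised page. The site's own script is
# relative; the injected iframe and script point to other hosts.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<script src="/js/site.js"></script>
<iframe src="http://evil.example/load.php" width="0" height="0"
        style="visibility:hidden"></iframe>
<script src="http://ads.example/r.js"></script>
</body></html>"""


def _is_hidden(attrs):
    """True if the tag is zero-sized or styled invisible."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (attrs.get("width") == "0" or attrs.get("height") == "0"
            or "display:none" in style or "visibility:hidden" in style)


class InjectionScanner(HTMLParser):
    """Collect iframe/script tags; flag off-site sources and hidden frames."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []  # list of (tag, src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return  # no external source to check
        host = urlparse(src).hostname  # None for relative URLs (same site)
        reasons = []
        if host and host != self.site_host:
            reasons.append("off-site source %s" % host)
        if tag == "iframe" and _is_hidden(a):
            reasons.append("hidden iframe")
        if reasons:
            self.findings.append((tag, src, reasons))


def scan(html, site_host):
    """Return the suspicious tags found in `html` served from `site_host`."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    return scanner.findings
```

Run against a page fetched from a site you operate, this reports each injected tag with the reason it was flagged; the relative `/js/site.js` is treated as same-site and ignored.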

We have also seen exploits distributed through ad networks. Recently we observed JavaScript code from an ad (distributed by a legitimate ad network) that actually led to malicious code. In this case, the code from the legitimate ad network performed multiple redirects to different Web pages. Code from one of the “down the chain” Web pages attempted to exploit a recently discovered vulnerability in Adobe Reader. (Please note that this vulnerability is resolved in Adobe Reader 8.1.3 and Adobe Reader 9.) If successful, the exploit would result in the download and execution of a Trojan binary on the user’s system.

The bottom line is, the user could be on a legitimate site and yet unknowingly become infected with these Trojans. Some previous blogs talk a little more about these attacks:

•    Nishant Doshi’s Web Protection 2.0

•    John Harrison’s One Million Websites Compromised

Blog Spam

Blogs are often infected with URL links pointing to pages that use social engineering tricks or browser-based exploitation techniques in order to infect a user’s machine. Attackers often use blog comment fields to post such links. Quite often, these comments have some catchy phrases to entice visitors to click on the link. These types of spam messages also affect social networking sites. There are tools available in the underground networks that automate the process of blog spamming.

Pirated Software

These Trojans often come disguised as pirated software and software cracks, usually downloaded by users from “warez” sites.

Email Spam

A common problem across the globe, this has always been a huge vector for distributing Trojans.

I’m going to wrap up this discussion for today, but keep your eyes peeled for the second and third articles in this series. I’ll demonstrate the ways in which misleading applications continue to compromise systems—the articles will be posted on this blog over the next few days.
