We pwn Your Desktop!
A couple of weeks ago in this blog entry, we learned how misleading applications advertise themselves on the Web. Now we'll take a closer look at the other side of things to see how misleading applications infiltrate users' machines in order to convince people to download and purchase them.
We are used to seeing malware that uses all sorts of tricks to compromise a user's machine in order to steal valuable information or perform fraudulent activities. The purpose of all of this? Of course! Money! But why would the miscreants make the effort of studying new tricks and developing new malware when they can simply convince users to give up their money spontaneously?
This is how it goes with misleading applications. They can appear in several ways, such as in downloaders or simply via browser advertisements: "Your computer is in danger!", "Get a better PC", or "Protect your pc from hackers!" are just a small sample of the messages a user could be exposed to. Once the user is tricked into executing an installer, free scanner, or whatever (which can happen with or without the user's consent, by the way) then the show really begins! Any visual means of communication is used to warn the user of the terrible menace pending:
Figures 1, 2, and 3: Examples of fraudulent system tray icons and balloons
Figure 4: The desktop of the machine has been compromised to report threatening messages
Or, a simple message box is displayed:
Figure 5: Misleading applications also use system-like message boxes
Any interaction with these warnings will set off a trigger, and some application will be downloaded and installed. The purpose of these applications is to scare the user through convincing messages that his or her machine is in great danger in terms of security, or that the PC has a multitude of errors that are forcing it to run slower, etc. These applications are good looking, with lots of "eye candy," flashing icons, nice animations, lots of colors - they do everything they can to appear professional. The life cycle of such applications is almost always the same: they are installed and they automatically start running a "scan."
Figure 6: Once installed, the misleading application performs a scan automatically
Then, they report their findings: lots and lots of critical risks; there may be spyware present, malware, errors, and/or privacy violations. In reality, many of the reported items do not even exist, or are neither critical nor dangerous at all, but the important thing here is to look scary!
Figure 7: This misleading application reports an overwhelming number of “privacy violations”
Panic is the best friend of misleading apps. When a user sees these reports, his or her first thoughts are "my credit card could be stolen!", or "my son's favorite game will be deleted", or "my wife's favorite fashion Web links will be redirected to who knows what horrible Web site!" and so on. It looks like the user is doomed, unless he or she can somehow fix these risks. Well, there is almost always a big button that will do this! Oh, wait. Surprise!
Figure 8: The usual “pay for fix” message window
If the user wants to save his or her computing life, all that needs to be done is purchase the application. For only a few dollars! It's cheaper than many commercial products, it’s worth the security of the PC! Someone may still have doubts about the application: What is it? Where does it come from? That's why, in order to persuade even the most paranoid users, these days misleading applications look very much like system applications and use names resembling real system components or security applications:
Figure 9: A misleading application with a Windows Vista look
Still: "I don't know, I will ask a friend of mine who is an expert with computers." Well, if you are able to cancel the fix / purchase process, you will still get one last warning:
Figure 10: Trying to halt the application installation will force the pop-up of threatening warnings again and again
Worse still, some applications feature an encore. Even if a user does not want to buy the application, it will keep running, restarting itself when closed, popping up in the middle of user activities with nasty warnings, and so on. In conclusion, this is a case of finding the devil where you might not expect it - beware!