New Trojan Takes Social Engineering to New Level

Sue Marquette Poremba

I think I heard about the first Amy Winehouse-related virus making the rounds less than one hour after I read about her death. This morning, my Twitter feed had posts warning of viruses being spread in videos about the Norway tragedy. It's sad that you have to expect that every tragedy or shocking celebrity news will end up as a malware scam.


Now, it appears that there is a new bit of social engineering we have to watch out for: shocking videos of yourself on YouTube. I've actually seen this particular virus pop up on my own Facebook feed lately; friends are "sending" me a link to a YouTube video that I must watch because it supposedly has me tagged in it.


Not surprisingly, BitDefender found that the video clips are malicious. In fact, the folks at BitDefender told me in an email:

The new e-threat uses advanced social engineering techniques in order to uninstall the user's antivirus and add their compromised PC to a network of infected systems that constantly exchange malware between them.

Now, I admit that it's my personal policy to never look at YouTube videos I see on Facebook (or elsewhere for that matter) unless I trust the source and verify it several times over. So when I got the note about the "shocking" video, I ignored it. But it is easy to see why people can get sucked into opening up this particular piece of malware. It looks real, with "comments" culled from your friends list (and let's face it, there are people out there who probably are worried about shocking video footage of themselves showing up on YouTube).



The virus being used is Trojan.FakeAV.LVT. According to MalwareCity.com, if you click on the video link, you are prompted to download a new version of Flash. The article said:


While you think that you are downloading a Flash Player, you are in fact welcoming a Trojan on your PC that will shortly start wreaking havoc on your system. The malicious code hides under the innocent name and appearance of a Flash Player. It copies itself as %windir%\services32.exe and as %windir%\update.X\svchost.exe, where update.X is a hidden directory and X is the version of the malware. After that, it adds a registry key in %SYSTEM% and the malicious code is added thus to the list of authorized applications for the firewall or it disables the firewall altogether.

Then it proceeds to disable all notifications generated by the firewall, the update module and whatever antivirus it finds installed on the PC. Yes, you've got it right, it strips you of whatever protection you have in place.

And when the Fake AV asks you to reboot your system to update, it wipes your real AV totally off your system and replaces it with a replica that does a good job of imitating the top AV products out there. And as BitDefender told me:

After the genuine antivirus solution has been stripped off and replaced, the downloader and bot components of the rogue AV allow the cyber-criminal gang behind this operation to use the infected computer for a wide range of purposes that are constantly expanded through the use of malicious plug-ins.

Bottom line, the only shocking thing about this video is what it does to your computer system if you click on it.
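The MalwareCity quote above gives two file-system artifacts a responder can check for: a services32.exe dropped straight into %windir%, and a copy of svchost.exe inside a hidden %windir%\update.X directory (the legitimate svchost.exe lives in System32). The following triage helper is an added example, not code from the post or from BitDefender; the sample entries are constructed, and the `scan()` walker assumes it is run on a live Windows host.

```python
import ntpath
import os
import re
import stat
from typing import Iterable, List, NamedTuple, Optional, Tuple

WINDIR = r"C:\Windows"  # assumed default location of %windir%

class FileEntry(NamedTuple):
    path: str
    hidden: bool  # True when the containing directory carries the hidden attribute

# Directory named update.<version> directly under %windir%, as the post describes.
UPDATE_DIR = re.compile(r"^update\.[\w.-]+$", re.IGNORECASE)

def classify(entry: FileEntry, windir: str = WINDIR) -> Optional[str]:
    """Return a reason string when the entry matches a described artifact, else None."""
    norm = ntpath.normcase(ntpath.normpath(entry.path))
    root = ntpath.normcase(ntpath.normpath(windir))
    if not norm.startswith(root + "\\"):
        return None
    parts = norm[len(root) + 1:].split("\\")
    name = parts[-1]
    if len(parts) == 1 and name == "services32.exe":
        return "services32.exe dropped directly in %windir%"
    if len(parts) == 2 and name == "svchost.exe" and UPDATE_DIR.match(parts[0]):
        flag = "hidden " if entry.hidden else ""
        return f"svchost.exe in {flag}%windir%\\{parts[0]} (legitimate copy lives in System32)"
    return None

def triage(entries: Iterable[FileEntry]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every entry that matches a described artifact."""
    return [(e.path, r) for e in entries if (r := classify(e))]

def scan(windir: str = WINDIR) -> Iterable[FileEntry]:
    """Walk %windir% on a live Windows host; hidden flag comes from st_file_attributes."""
    for dirpath, _dirnames, filenames in os.walk(windir):
        try:
            attrs = os.stat(dirpath).st_file_attributes  # Windows-only attribute
        except (OSError, AttributeError):
            attrs = 0
        hidden = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
        for fn in filenames:
            yield FileEntry(os.path.join(dirpath, fn), hidden)

# Constructed sample listing: two benign system files, two artifacts from the post.
SAMPLE = [
    FileEntry(r"C:\Windows\System32\svchost.exe", False),
    FileEntry(r"C:\Windows\services32.exe", False),
    FileEntry(r"C:\Windows\update.3\svchost.exe", True),
    FileEntry(r"C:\Windows\explorer.exe", False),
]
```

Run `triage(scan())` on a host to check the real %windir%; `triage(SAMPLE)` exercises the rules offline.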



Sep 25, 2011 8:11 AM Octavian Paler says:

That's some advanced malware right there. I didn't know there was such a thing as a "copycat kit" for copying off the alerts produced by legitimate antivirus products; very elaborate and tricky. I'd better warn my mom about this and install an antispyware program on her computer, since she browses Facebook a lot.
