Halp Viruses

my little brony

Keep Being A Little Bitch
Oct 15, 2004
protip: those commercials on tv for finallyfast.com are not selling virus protection software, they're trying to get your grandmother to waste her social security check on shit she doesn't understand


. . first name's "Daisy" boys
May 12, 2008
Brandon, FL
Why do the worst computer viruses seem to come from companies that sell virus protection software?

Social engineering. They aren't actually even selling VPS. It's a fakeAV. Symantec Fake AV Entry.


It is obvious that the bad guys are making (serious?) money with this scamming scheme. There are couple of things interesting about rogue AV programs. First, the bad guys here do not use (in most cases) any sophisticated attacks on clients. They instead rely on visitors to wittingly install their "AV program". How do they do this? Through social engineering – they create web pages which are very authentic copy of legitimate screens in Windows operating systems. These web pages make visitors believe that their machine is infected with several malicious programs and that the offered "AV program" can help them clean it.

Once the rogue AV program is installed, the victim has to pay money to get it "working" or, in some cases to even uninstall it. So, the money making scheme is simple (some rogue AV versions even steal local data and install keyloggers).
In order to get people to visit their web sites serving rogue AV programs, the attackers use different vectors – they even follow news as only couple of hours after Patrick Swayze's death search engines were filled with bogus pages pointing to rogue AV programs.

The main reason, however, why rogue AV is so successful is its persistence and amount of details - the web page they use to scare the visitor looks almost exactly like Windows' Security Center.

I was, of course, interested to see what else they do so I decided to analyze the code behind. First of all, I must say that the code is very elegant and clean, it's obvious that the bad guys got a real programmer to code the page (and malware?) for them.

The web page uses JQuery, a well known and popular JavaScript library. After setting up the environment, the JavaScript code on the web page shows a fake scan of the machine with seemingly random file names. The file names are actually grabbed from a huge array contained in a separate file (flist.js). The file names in this array (there is 1100 of them) are actually copied from a Windows XP machine (C:WindowsSystem32 directory). This, of course, increases the authenticity of the scan.

After the scan finishes, the user is informed that the machine is infected with viruses. The JavaScript code on the web page initially set up some handlers, so no matter what the user does next he will see a window notifying him that his machine is infected (interesting, the attackers used JavaScript confirm() method to display this message).

Rogue AV warning

Of course, this wasn't generated by Windows – it's actually just an image the attackers created. The "Remove all" and "Cancel" also aren't real buttons, just part of the image which has a handler that will get executed wherever the user clicks. You guess, on a click it will try to download the Rogue AV program. To eliminate any confusion, they also show this nice window where they explain what exactly needs to be done in order to install their rogue AV program.

Rogue AV run info

It is now not strange that rogue AV programs are infecting so many machines. The devil is in the details, and the attackers made damn sure that all details are here to fool the potential victims.