Educause Security Discussion mailing list archives

Re: how does fake antivirus work?

From: Joe St Sauver <joe () OREGON UOREGON EDU>
Date: Thu, 28 Apr 2011 10:15:58 -0700

Bob asked:

#The "SANS Securing The Human Program" training module #2 about Social
#Engineering demonstrates that fake antivirus programs fool you into going
#through the installation process to load their malware onto your computer. 
#Locally, I am hearing the assertion that fake AV is not nearly that gentle,
#that your computer is instantly and automatically compromised as soon as you 
#go to their website, the process of installing their fake product can be 
#just as fake as the process of evaluating your computer for current 
#infections. 
#
#What is the range of how fake AVs really work?  Do some cajole you into 
#installing their code while others silently inject their code automatically?

The fake A/V products I've seen most commonly like to use Flash to display
a fake "live" scan of your system (always funny when you see this on a 
Mac -- didn't know I even had a C drive -- oh wait, that's because I 
don't. :-)).

After the fake "live" scan "completes" (wow! that was fast!), you'll then 
typically be given the opportunity to download a "tool" to "fix" the 
"problems" that have been "found."

Clicking pretty much anywhere typically will be sufficient to trigger that
download, normally an exe from some third party download site. If you run
that exe through VirusTotal or a similar sandbox, it will invariably be
tagged as malicious by one or more products, although others will routinely
miss it (sigh). 

As to whether the payload autolaunches or requires the user to manually
cooperate in being 0wn3d, that often depends on the browser and OS that 
the user is running. One of my favorite resources to help people understand
the vulnerabilities that exist in many browsers has been 
http://ha[dot]ckers[dot]org/xss.html , which focuses on Cross Site Scripting
issues. It doesn't look like that page has been updated recently for the
latest versions of popular browsers, but it does give you an idea of just 
how little it can take to have random content accessed via a web page. 

Of course, basic steps (like disabling scripting in the browser) would 
help tremendously in many cases, but since that breaks all the cool
applications that rely on scripting (such as much of what Google offers),
folks are reluctant to do that. You can try giving users more granular
control over scripting (such as via NoScript), but some users may 
find it overly complex, and quickly end up either blocking stuff that
they shouldn't, or permitting stuff that they shouldn't. 

Regards,

Joe St Sauver (joe () oregon uoregon edu)
http://pages.uoregon.edu/joe