Malware Attacks on Windows 7

Yesterday’s release of Windows 7 brings with it a different playground for malware.


If reviewer predictions are realized, the platform will overtake Windows XP as the Windows OS of choice in high volume, which provides a whole new platform of interest for money-making malware writers. It is inevitable that they will shift their attention to the newest defenses implemented in the most widely deployed platform.


The most common single piece of malware run on Windows 7 RTM systems, as observed in the ThreatFire Community to date, has been Protection System FakeAv variants and their droppers. The dropper is usually part of a crack or keygen distributed at crack sites and over P2P. It drops multiple other unwanted components, including the FakeAv. This is a common thing to have seen in the past on other platforms. What is different here is that User Account Control, a feature introduced in Windows Vista, has been reviewed and modified and is newly delivered with 7.

At runtime, the Windows 7 related scareware files are dropped to disk and the dropper creates some porn-related shortcuts on the desktop. The offending dropper creates registry keys to ensure persistence across reboots without a peep from UAC in its default settings, even when logged in as a Standard User. Another executable, responsible for many of the popups, is copied to the profile directory. A phony scan is kicked off (thousands of pieces of malware were stored on the system and none of them were detected), and two hard-coded detections are displayed. And no, there isn’t a legitimate vendor that maintains malware family names as variants of “GayCodec”:


Multiple pop-ups appear for phony malware detections and payment/activation, all without a peep from Windows 7 UAC. At reboot, the malware persists, restarts, and performs its worthless rescan again, this time spoofing messages from the Windows firewall with a randomized list of malware that is not running on the system:


It is reported to attempt to uninstall other security products, behavior that was not observed on lab machines.

All in all, the release seems to be a hit. As volume picks up, most likely so will Windows 7-targeting malware. Users should be aware of scams like this one and always purchase software from legitimate vendors. And install a behavioral layer of protection over and above UAC on your system like ThreatFire, which runs well on Windows 7 and keeps your system protected.

This entry was posted on Thursday, October 22nd, 2009 at 4:29 pm and is filed under FakeAlert, Rogueware, Social Engineering.

6 Responses to “Malware Attacks on Windows 7”

  1. Julien says:
    October 29, 2009 at 7:15 am

    It really seems a step backward. My main concern is why a standard/limited user is still affected, as we know, even on XP, that using this kind of account protects against many malware. (It limits infection only; it doesn’t protect against data theft.)

    Have you tested with a software restriction policy like http://mechbgon.com/srp/ ?

  2. ThreatFire Blogger says:
    October 29, 2009 at 5:13 pm

    Thanks for your interest. Agreed, it may seem like a step backwards.
    You might classify this malware more in the “data theft” and “fraud” category. Users are protected from this breed of rogueware/scareware/fakeav on Windows 7 by ThreatFire.

  3. Larry Seltzer says:
    October 31, 2009 at 10:39 am

    It sounds from your description as if the program is using user keys (HKCU) and not system keys, which is why it can do all this without UAC intruding. You’re in a position to see this, not us, so it would be useful for you to say if it’s the case.

    Saying “It’s reported to attempt uninstall on other security products, which was not observed on lab machines” is a nice way of implying that it can do more than it really can. Of course it can’t uninstall your security software without either admin privileges or UAC or both.

  4. ThreatFire Blogger says:
    November 2, 2009 at 9:20 am

    @Larry-

    Good points, thanks for your comment.

    Regarding the abuse of HKCU to circumvent UAC, yes, that in part is what is going on. Nothing hidden here, you are in a position to review the behavior of the malware, because example ThreatExpert report links are included in the post for interested technical folk like you. You can look in the post for the link in “Protection System FakeAv variants” and you’ll find the information that you may be seeking.
    It is relevant because this sort of UAC evasion is mentioned on multiple “underground” blackhat interest forums. It sells.

    And the intent of the message regarding the reported uninstall behavior was not to imply anything misleading about its behavior on Windows 7. It’s the opposite. There are reports on the web that make no distinction in the malware’s ability to uninstall security software per OS, so the clarification that the behavior was not observed on Win7 in the lab was made.

    Thanks again!
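The persistence technique discussed in the post and confirmed in the reply above is a per-user autostart entry under HKCU, which a Standard User can create without any UAC prompt. The following script is an added example, not code from the ThreatFire post: it enumerates the HKCU Run keys on the machine it is run on and flags entries whose target executable sits in a user-writable location such as the profile directory, which is where the dropper copies its components. The list of user-writable directories is an assumption made for this check.

```powershell
# Added example, not code from the ThreatFire post. Lists the per-user
# autostart entries a standard user can create without any UAC prompt and
# flags those whose target lives in a user-writable location.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed set of locations a standard user can write to without elevation.
$userWritable = @($env:USERPROFILE, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Get-TargetPath {
    # Recover the executable path from a Run value: either a quoted path or
    # the first whitespace-delimited token, with environment variables expanded.
    param([string]$Command)
    $c = $Command.Trim()
    $exe = if ($c.StartsWith('"') -and $c.IndexOf('"', 1) -gt 0) {
        $c.Substring(1, $c.IndexOf('"', 1) - 1)
    } else {
        ($c -split '\s+')[0]
    }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

# Properties Get-ItemProperty adds that are not registry values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notin $metaProps }) {
        $target = Get-TargetPath -Command ([string]$p.Value)
        $lower  = $target.ToLowerInvariant()
        $inUserDir = [bool]($userWritable | Where-Object { $lower.StartsWith($_) })
        [pscustomobject]@{
            Key        = $key
            ValueName  = $p.Name
            Target     = $target
            Exists     = Test-Path -LiteralPath $target
            Suspicious = $inUserDir   # autostart from a path the user can write
        }
    }
}
```

Run it in the affected user's session, since HKCU is per user; entries marked Suspicious are the ones a Standard User could have planted without elevation and are worth inspecting before the next logon.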

  5. iTinker says:
    November 6, 2009 at 9:44 am

    Just curious: if a standard “line of business” Software Restriction Policy (SRP) is in place and the attacked user is non-admin, is the attack successful?

    SRP should prevent the user from writing where they can execute or executing where they can write, it should also block most registry writes. This is reasonably good protection from web based attacks and protects against many hacked/cracked installs. Does it still work in win7?

  6. ThreatFire Blogger says:
    November 6, 2009 at 10:43 am

    @iTinker-

    No, someone like my mom doesn’t have a standard “line of business” SRP for her computers, and I’m not sure it matters. She is running ThreatFire, finds it easy to use, and is confident that she can work and play online!
