Yesterday’s release of Windows 7 brings with it a different playground for malware.
If reviewer predictions are realized, the platform will overtake Windows XP as the Windows OS of choice in high volume. Which provides a whole new platform of interest and attention from money making malware writers. It is inevitable that they will shift their attention to the newest defenses implemented in the most widely deployed platform.
The most common single piece of malware run on Windows 7 Rtm systems, as observed in the ThreatFire Community to-date, has been Protection System FakeAv variants and its droppers. The dropper is usually a part of a crack or keygen distributed at crack sites and over P2P. It drops out multiple other unwanted components, including the FakeAv. It is a common thing to have seen in the past on other platforms. What is different here, is that User Account Control, a feature introduced in Windows Vista, has been reviewed and modified, newly delivered with 7.
At runtime, the Windows 7 related scareware files are dropped to disk and the dropper creates some porn-related shortcuts on the desktop. The offending dropper makes registry key creations to ensure persistence across reboots without a peep from UAC in its default settings, even when logged in as a Standard User. Another executable responsible for many of the popups is copied to the profile directory. A phony scan is kicked off (thousands of pieces of malware were stored on the system and all were not detected), and two hard coded detections are displayed. And no, there isn’t a legitimate vendor that maintains malware family names as variants of “GayCodec”:
Multiple pop-ups appear for phony malware detections and payment/activation. All without a peep from Windows 7 UAC. At reboot, the malware persists, restarts, and performs its worthless rescan again, this time spoofing messages from the Windows firewall with a randomized list of malware that are not running on the system:
It’s reported to attempt uninstall on other security products, which was not observed on lab machines.
All in all, the release seems to be a hit. As volume picks up, most likely so will Windows 7-targeting malware. Users should be aware of scams like this one and always purchase software from legitimate vendors. And install a behavioral layer of protection over and above UAC on your system like ThreatFire, which runs well on Windows 7 and keeps your system protected.
