Win 8 Security System FakeAV with Rootkit discovered in the wild
Dell Sonicwall UTM research team have discovered a new FakeAV malware in the wild called Win 8 Security System. FakeAV malware of this nature has been covered before in a previous sonicalert. However, this FakeAV malware is different in that it deploys a rootkit driver as part of its infection process. This makes the malware very difficult to remove.
Although the sample we obtained failed to show any pop-up dialogs we were able to gain information about its intentions through our analysis.
The Trojan uses the following icon:
Upon infection, the Trojan deletes itself. It then makes the following changes to the filesystem
It copies itself to:
- %APPDATA%72706355694bcd40.exe [Detected as GAV: FakeAV.WN8 (Trojan)]
It drops a rootkit to:
- %WINDOWS%system32drivers2a236245d0309b5.sys [Detected as GAV: Rootkit.X (Trojan)]
The file attributes of the rootkit are set to protect it from modification or deletion even in safe-mode.
It adds the following key to the Windows registry to enable startup after reboot:
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun "%APPDATA%72706355694bcd40.exe"
A sample of keys added to register the rootkit driver:
- HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_2A236245D0309B5�000 Service "2a236245d0309b5"
- HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_2A236245D0309B5�000 Legacy dword:00000001
- HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_2A236245D0309B5�000 ConfigFlags dword:00000000
- HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_2A236245D0309B5�000 Class "LegacyDriver"
- HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_2A236245D0309B5�000 DeviceDesc "2a236245d0309b5"
- HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_2A236245D0309B5�000Control ActiveService "2a236245d0309b5"
- HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumRootLEGACY_9DC9B�000 DeviceDesc "72706355694bcd40.exe"
The following HTML pages were extracted from the 72706355694bcd40.exe executable during analysis. The pages are used to hook into various browsers such as Internet Explorer and Google Chrome and produce a fake security alert:
We also extracted the following landing pages from the executable:
- http://st777st.com/z.php?ver=2
- http://win8sec.com/?do=payment&ver=2
- http://win8sec.com/?do=minicontact&ver=2
The following screenshot is from the payment landing page:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: FakeAV.WN8 (Trojan)
- GAV: Rootkit.X (Trojan)