Win 8 Security System FakeAV with Rootkit discovered in the wild

September 7, 2012

The Dell SonicWALL UTM Research team has discovered a new FakeAV malware in the wild called Win 8 Security System. FakeAV malware of this nature has been covered in a previous SonicALERT. This sample is different, however, in that it deploys a rootkit driver as part of its infection process, which makes the malware very difficult to remove.

Although the sample we obtained failed to show any pop-up dialogs, we were able to determine its intentions through our analysis.

The Trojan uses the following icon:

Upon infection, the Trojan deletes itself. It then makes the following changes to the filesystem:

It copies itself to:

  • %APPDATA%\72706355694bcd40.exe [Detected as GAV: FakeAV.WN8 (Trojan)]

It drops a rootkit to:

  • %WINDOWS%\system32\drivers\2a236245d0309b5.sys [Detected as GAV: Rootkit.X (Trojan)]

The rootkit's file attributes are set to protect it from modification or deletion, even in Safe Mode.

It adds the following key to the Windows registry to enable startup after reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "%APPDATA%\72706355694bcd40.exe"

A sample of the keys added to register the rootkit driver:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_2A236245D0309B5\0000 Service "2a236245d0309b5"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_2A236245D0309B5\0000 Legacy dword:00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_2A236245D0309B5\0000 ConfigFlags dword:00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_2A236245D0309B5\0000 Class "LegacyDriver"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_2A236245D0309B5\0000 DeviceDesc "2a236245d0309b5"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_2A236245D0309B5\0000\Control ActiveService "2a236245d0309b5"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_9DC9B\0000 DeviceDesc "72706355694bcd40.exe"
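As an added triage example (not code from SonicWALL or from this alert), the following PowerShell checks a host for the artifacts listed above: the Run value pointing into %APPDATA%, the dropped executable, the driver file and its attributes, the Enum\Root\LEGACY_* instances, and the driver's service entry. It assumes the exact names given in this alert and an elevated prompt; the Services\2a236245d0309b5 path is inferred from the LEGACY_* key's Service value and is not listed on the page.

```powershell
# Added example, not SonicWALL code: checks a host for the artifacts named in this alert.
function Test-Win8SecuritySystemArtifacts {
    $exeName    = '72706355694bcd40.exe'
    $driverName = '2a236245d0309b5'
    $findings   = @()
    # 1. Run-key persistence: flag any value that launches something from %APPDATA%
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $runKey) {
        foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            $cmd = [Environment]::ExpandEnvironmentVariables(([string]$p.Value).Trim('"'))
            if ($cmd -like "*\$exeName*" -or $cmd -like "$env:APPDATA\*") {
                $findings += "Run value '$($p.Name)' launches $cmd"
            }
        }
    }
    # 2. Dropped copy of the Trojan in %APPDATA%
    $exePath = Join-Path $env:APPDATA $exeName
    if (Test-Path $exePath) { $findings += "Payload present: $exePath" }
    # 3. Rootkit driver: -Force so a Hidden/System-attributed file is still returned;
    #    the alert says its attributes are set to resist modification and deletion
    $drvPath = Join-Path $env:SystemRoot "system32\drivers\$driverName.sys"
    if (Test-Path $drvPath) {
        $attr = (Get-Item -Path $drvPath -Force).Attributes
        $findings += "Driver present: $drvPath (attributes: $attr)"
    }
    # 4. Enum\Root\LEGACY_*\0000 instances written when the driver and the exe were registered
    $enumRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
    foreach ($legacy in @("LEGACY_$($driverName.ToUpper())", 'LEGACY_9DC9B')) {
        $k = "$enumRoot\$legacy\0000"
        if (Test-Path $k) {
            $findings += "Legacy enum key $k (DeviceDesc: $((Get-ItemProperty -Path $k).DeviceDesc))"
        }
    }
    # 5. Service entry that the LEGACY_* key's 'Service' value refers to (inferred path)
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$driverName"
    if (Test-Path $svcKey) {
        $findings += "Service '$driverName' registered (ImagePath: $((Get-ItemProperty -Path $svcKey).ImagePath))"
    }
    return $findings
}

$result = @(Test-Win8SecuritySystemArtifacts)
if ($result.Count -eq 0) { 'No Win 8 Security System artifacts found.' }
else { $result | ForEach-Object { "[!] $_" } }
```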

The following HTML pages were extracted from the 72706355694bcd40.exe executable during analysis. The pages are used to hook into various browsers such as Internet Explorer and Google Chrome and produce a fake security alert:

We also extracted the following landing pages from the executable:

The following screenshot is from the payment landing page:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: FakeAV.WN8 (Trojan)
  • GAV: Rootkit.X (Trojan)