Preview to a Possible Future of Rogue AV


Posted by: Barracuda Labs

Yesterday, Purewire’s Malicious Javascript Detection (MJD) engine identified the following malicious URL:

hxxp://unsoft.eu/hitin.php?affid=02992

The site uses a now ubiquitous social engineering lure: fake JavaScript-generated alerts that claim the user’s system is infected with malware.


If the user believes these alerts to be genuine, the following Rogue AV software (called “Privacy Center”) will end up installed on their system.


The screenshots above are representative of what Rogue AV looks like today. But what about the Rogue AV of tomorrow? Investigation of other malicious domains related to unsoft.eu led to the discovery of one such future vision of rogue software.

The story of this vision begins at newtunesclub.com, which resolves to the same IP address as unsoft.eu. However, instead of serving the user fake pop-up scanners and alert notifications, the site claims to act as a media distribution portal.


In addition, unlike some rogue software operations, newtunesclub.com is well put-together and includes a functioning search engine. As an example, the top result of a search for “Troy” is the 2004 movie of the same name; clicking on the result presents the user with accurate release and cast information, a series of movie stills, and a link to download the movie.


Yet, instead of a large movie, a small executable is served when the user clicks on the Download button. This executable has the same icon as the Rogue AV software served off of unsoft.eu.


In addition, about half of the few VirusTotal detections identify the above Troy executable as Rogue AV:

http://www.virustotal.com/analisis/4f40e8bb48d660a8b3d13d19f401a2f831469eaa7dd6607be872860d0c7ef1c3-1259366297

However, the similarities between these two binaries end at identical icons and similar AV detections. When Troy.exe is run, a larger executable is downloaded from the following location:

hxxp://iqmediamanager.com/download/0

This larger binary is automatically executed and installs an interesting type of rogue software (called “IQ Manager”) on the user’s system.


Before IQ Manager even attempts to connect outbound, a child window appears, stating that there are “no empty spots” in the “shared channel”, and that the user must “wait their turn” or “activate the VIP Channel”. Activation, of course, requires a credit card.

However, even if the user decides not to perform activation, the download proceeds.


Upon completion, the resulting file was indeed a playable copy of the 2004 movie Troy. Subsequent investigation into IQ Manager’s operation revealed that it acts as a BitTorrent client, using torrents offered by the popular tracker thepiratebay.org.

While current Rogue AV software offers the user almost nothing, newtunesclub.com and the IQ Manager software collectively provide a functional (if illicit) download service that will meet many users’ expectations. If this model proves financially successful for the criminals behind it, “pay for free” software could become a standard that forms the face of tomorrow’s rogue software.

Users of the PWSS are protected from this emergent threat.
