Fraud AV (ThinkPoint) not detected by Mbam

Virus Guy

A co-worker brought in her PC yesterday. Apparently her SO was
web-surfing early yesterday morning and stumbled upon one of those fake
AV-scan web-pages, and must have accepted the download and install.
After that, it didn't want to boot properly (this is XP, either SP2 or
SP3).

When booted up, a program called "ThinkPoint" ran and basically wanted
you to buy a license, giving you no real access to the computer.

We removed the drive and slaved it to a known/good PC running XP-SP3 and
NAV 2002. I updated the NAV definitions to yesterday's release (Nov 29)
and scanned the entire drive - it found nothing.

I then downloaded and installed Mbam on the known/good PC, updated it,
and it also found nothing when scanning the slaved drive.

I then searched the computer for "hotfix.exe", found it and moved it off
the drive (I have a copy of it). The computer then ran fine.

I uploaded hotfix.exe to virustotal and it was detected by 13 out of 43
apps. Strange that Symantec was listed on VT as a positive hit, but
it's not detected by the Nov 29 NAV definition download. The machine in
question does run McAfee, but it didn't detect it either.

So much for modern AV software...

I then got into a typical debate with another co-worker watching all
this (he's an apple fanboi). Naturally he laughs whenever this happens
to a win-PC. My position is that I don't see why a Mac user, when
presented with a suitably-crafted web page purporting to be the
computer's own AV scanner, couldn't also be tricked into
saying yes, OK, and yes - and hence infect his Mac with one of these
fake AV programs.

Does this phenomenon not exist in the Mac world? Is there something
about the Mac that would make it more difficult or impossible to
socially engineer the Mac user into being tricked into downloading and
installing a piece of rogue software?
 
David W. Hodgins

Does this phenomenon not exist in the Mac world? Is there something

Mac OSX is based on Linux. In theory, it could happen if the user
is tricked into entering the root user's password and the virus
was specifically written to run on that OS.

In reality, while some viruses have been written for Mac/Linux, there
are none in the wild that work.

The anti-virus programs that will run on a Linux or Mac system are
designed to catch Windows viruses, on the assumption the files will
eventually be going to a Windows system.

First, there are very few attempts to write viruses for Linux/Mac.

The user does not have write access to the system executables
without entering the root password (unless the user has chosen
to override that).

When a privilege escalation bug is found, it gets fixed within
days, not months.

Also, Linux and Mac system configurations vary a lot more from
one system to another. An exploit that works on one particular
system is unlikely to work on most others. Linux was designed
to be a secure multi-user, networked system from the start.
Windows was designed as a single-user system, with multi-user
and network support added later. The Windows OS is not secure
without many third-party applications to try and protect it,
and time wasted scanning every file that gets opened.

There are some Java/PDF exploits that will work on Linux/Mac,
but since the malware is designed to run on Windows, they have
little or no impact. If they were designed to run on Linux/Mac,
they would still have very little impact, due to the way the
systems are designed.

A Linux/Mac system can still get hacked if the owner doesn't keep
it updated, or has badly written scripts running in a web server.
A standard desktop system that doesn't have things like a web
server open to the internet is unlikely to get hacked.

Regards, Dave Hodgins
 
Slarty

My position is that I don't see why a mac user, when
presented with a suitably-crafted web page purporting to be the
computer's own AV scanner, that the user couldn't also be tricked into
saying yes, ok, and yes - and hence infect his mac with one of these
fake av programs.

But, according to you, the victim was bamboozled by a rogue web page, not
'the computer's own AV scanner'.

He, apparently, downloaded, installed, and then ran an entirely unknown
application. Does he often do that? Had he no AV running already? Like to
bet how long it will be before he gets hit again?
 
David W. Hodgins

Mac OS X is based on Unix.

My mistake. I knew it was based on FreeBSD, which I thought was a Linux
version, but it is an OS that works like Unix. Thanks for the correction.

Regards, Dave Hodgins
 
FromTheRafters

Virus Guy said:
A co-worker brings in her PC yesterday. Apparently her SO was
web-surfing early yesterday morning and stumbled upon one of those fake
AV-scan web-pages, and must have accepted the download and install.
After that, it didn't want to boot properly (this is XP, either sp2 or
sp3).

First point of failure - the user. :-)

When booted up, a program called "ThinkPoint" ran and basically wanted
you to buy a license, giving you no real access to the computer.

We removed the drive and slaved it to a known/good PC running XP-SP3 and
NAV 2002. I updated the NAV definitions to yesterday's release (Nov 29)
and scanned the entire drive - it found nothing.

I then downloaded and installed Mbam on the known/good PC, updated it,
and it also found nothing when scanning the slaved drive.

I then searched the computer for "hotfix.exe", found it and moved it off
the drive (I have a copy of it). The computer then ran fine.

Eventually you will probably want to remove the rest of the installation (other
files, registry changes, etc...)

I uploaded hotfix.exe to virustotal and it was detected by 13 out of 43
apps. Strange that symantec was listed on VT as a positive hit, but
it's not detected by the Nov 29 NAV definition download. The machine in
question does run mcaffee, but it didn't detected it either.

They create new ones of these at an alarming rate in an attempt to make use of
the lag time between discovery and definition distribution.

So much for modern AV software...

It is their major weakness, and the malware writers know this.

I then got into a typical debate with another co-worker watching all
this (he's an apple fanboi). Naturally he laughs when ever this happens
to a win-PC. My position is that I don't see why a mac user, when
presented with a suitably-crafted web page purporting to be the
computer's own AV scanner, that the user couldn't also be tricked into
saying yes, ok, and yes - and hence infect his mac with one of these
fake av programs.

You're absolutely right, *any* OS that allows the user to run programs of his or
her choice can fall victim to the user making a bad choice. There is nothing
special about Linux or Mac.

Does this phenomena not exist in the MAC world?

Yes, there are some trojans that target non-MS systems. In fact, there may be
some "bad sites" that detect which OS you are running when you visit, and serve
you the malware crafted for that system (just not nearly as many as there are for
Windows machines).

Is there something
about the mac that would make it more difficult or impossible to
socially engineer the mac user into being tricked into downloading and
installing a piece of rogue software?

Yes, and modern Windows OSes have some too (but the Windows wieners complain
about it and now can easily defeat it - mostly because they are used to not
having such security, and MS backed down on their insistence that users adopt
good practices).
 
David Arnstein

Does this phenomena not exist in the MAC world? Is there something
about the mac that would make it more difficult or impossible to
socially engineer the mac user into being tricked into downloading and
installing a piece of rogue software?

The other posters to this thread have some valid points, but I don't
think that either Linux or OSX is as bullet-proof as they believe.

The particular attack that you describe involves a trick that causes
the victim to install rogue software. I am switching to OSX now, and
it is clear to me that it is fully vulnerable to this sort of social
engineering.

In getting started with OSX, I am constantly installing software,
updating software, and configuring software. Every one of these
operations requires me to type my password into a dialog box. I can
almost do it in my sleep. This is exactly the situation where your
attack would be a success. I like to think that I am smart, but I
might type that password into a "rogue" dialog box some day. At warp
speed, too!

The reason that these attacks don't occur in the Apple world is that
OSX users are relatively rare. Let me put it a different way. Windows
users are so plentiful that there is no business case for developing
malware for OSX. I speculate that even if OSX becomes a huge minority
operating system (40% of installed desktops, for example) it will not
become a target. There will still be enough Windows targets to shoot
at. Why spend money developing malware for a different platform?
 
Virus Guy

David said:
The particular attack that you describe involves a trick that
causes the victim to install rogue software. I am switching
to OSX now, and it is clear to me that it is fully vulnerable
to this sort of social engineering.

In getting started with OSX, I am constantly installing
software, updating software, and configuring software.
Every one of these operations requires me to type my password
into a dialog box. I can almost do it in my sleep. This is
exactly the situation where your attack would be a success.

But that is not the typical OSX use-case situation.

The typical situation is that OSX is pre-installed on the mac computer
purchased by the end-user.

I keep hearing that you have to always enter a password when installing
software. What about running a piece of software? What is the
difference between running a piece of software vs installing it?

On a windows machine, you can "install" a program (such that new
directories are created, new registry entries are created, dll's are
possibly registered, shortcuts appear on the desktop, etc etc) but you
can also run a program without all that fan-fare. Is it somehow
different in OSX? Can the user not be tricked into strategically
clicking the OK button in order to launch a piece of code that some
java-based webpage plastered in front of the user's eyes?

Or is this pesky password requirement always ever-present? And even if
it was - who's to say that mac users who don't know any better wouldn't
enter that pesky password because they feared for their computer's very
life, and felt compelled that they must do it in order to save their
system?

Or is it the case that installing software on a mac is truly a foreign
concept for most mac users, because (as my apple fanboi co-worker always
says about apple products) - it just works. As in - it does everything
I want out of the box - you never have to go looking for this codec or
that driver.

Remember, I'm not talking about system vulnerabilities that a mac or OSX
may or may not have compared to windoze. I'm wondering why mac's don't
seem to be vulnerable (or as vulnerable) to the user performing malware
installation under the influence of FUD (fear, uncertainty, dread) as
the result of encountering a suitably-crafted web-page.

The answer can't be about numbers (that there are way more windoze PC's
compared to MAC's). If you can write malware with the goal that the
user will let it get onto the system through the front door without you
needing to leverage a system vulnerability, then that's a huge hurdle
that's gone, so why not code different versions of your fake AV scanner
(one for windoze, one for mac) and then let your scary web-code do the
rest?
 
FromTheRafters

David Arnstein said:
The other posters to this thread have some valid points, but I don't
think that either Linux or OSX is as bullet-proof as they believe.

The particular attack that you describe involves a trick that causes
the victim to install rogue software. I am switching to OSX now, and
it is clear to me that it is fully vulnerable to this sort of social
engineering.

In getting started with OSX, I am constantly installing software,
updating software, and configuring software. Every one of these
operations requires me to type my password into a dialog box. I can
almost do it in my sleep. This is exactly the situation where your
attack would be a success. I like to think that I am smart, but I
might type that password into a "rogue" dialog box some day. At warp
speed, too!

The reason that these attacks don't occur in the Apple world is that
OSX users are relatively rare. Let me put it a different way. Windows
users are so plentiful that there is no business case for developing
malware for OSX. I speculate that even if OSX becomes a huge minority
operating system (40% of installed desktops, for example) it will not
become a target. There will still be enough Windows targets to shoot
at. Why spend money developing malware for a different platform?

Even before malware's commercial potential was realized, virus writers could
hardly wait for new environments to target. It was a challenge - and malcoders
just love a challenge. I predict that very soon we will start seeing more Mac
and Linux malware as Windows becomes just that little bit harder to compromise
due to practical enforcement of least privilege.
 
Virus Guy

Slarty said:
But, according to you, the victim was bamboozled by a rogue web
page not 'the computers own AV scanner'.

Yes, because most people are not accustomed to seeing their own AV
scanner go ape-shit in the middle of a web-surfing session and set the
sirens blazing that a few dozen virii have just been discovered.

When people see this fake-AV java code being executed in their web
browser, they think it's the real thing. They really do. And they
follow the instructions given to them.

And do you know why? Because real AV programs are so pathetic at
detecting real pieces of viral (or trojan) code, so users never get to
see what a real "virus detected" message looks like.

He, apparently, downloaded, installed, and then ran an entirely
unknown application. Does he often do that?

You have no clue as to the level of savvy-ness that most windows users
have, do you?

Had he no AV running already?

The system had McAfee. It just sat back and watched all this go down.

Like to bet how long it will be before he gets hit again?

Until this particular fake-av executable becomes incorporated into more
than just a pathetic handful of real AV software definition files, it
will certainly happen to other people.
 
Virus Guy

FromTheRafters said:
Eventually you will probably want to remove the rest of the
installation (other files, registry changes, etc...)

In this case, there was really hardly anything else (I was expecting all
sorts of accessory files, altered system files, tons of registry
entries, etc). There were one or two auto-run registry entries, but
nothing else.

It is their major weakness, and the malware writers know this.

I wonder why the Java code that starts this whole thing going (the
simulated AV scanner displayed in the web-browser) can't be
heuristically detected and quarantined so that the user never sees it
in action - and hence is not tricked into downloading and running the
mal-code?
 
David W. Hodgins

different in OSX? Can the user not be tricked into strategically
clicking the OK button in order to launch a piece of code that some

After the file has been downloaded, the file's attributes must
be changed so that it can then be executed. Newly created or
downloaded files do not get that attribute set (with any of the
distributions I've seen, although a user could change the default
if they really wanted to).

On linux, "chmod u+x $filename", then you can run the program
with "./$filename". Even then, it can only modify files owned
by that user, not any of the executables in the rest of the
system.

Normally, third-party binary-only files, such as Opera, are
installed using a "package" that contains all of the files
needed (with the proper attributes set). Installing those
requires the root user's password.

Most package installs come from the Linux distribution's
repositories, and have digital signatures to ensure they have not
been tampered with, or corrupted during download.

Regards, Dave Hodgins
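As an added illustration of the execute-bit point above (written for this page, not Dave's own commands), the Python script below plays the part of a browser that has just saved a file, tries to run it, and then does the chmod u+x step. The file name update.sh and the temp directory are assumptions; the script needs a POSIX system with /bin/sh.

```python
import os
import stat
import subprocess
import tempfile

# Added example for this page (not Dave's own code): what happens to a file a
# browser has just saved on a Unix-like system when someone tries to run it.
SCRIPT_BODY = "#!/bin/sh\necho fake-av-payload-ran\n"


def download_then_execute():
    """Save a 'downloaded' script, try to run it, set u+x, try again; return what happened."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "update.sh")  # assumed file name for the download
    # A file created through the normal open() path gets the umask-derived mode
    # (typically 0644): readable, writable by the owner, but with no execute bit.
    with open(path, "w") as fh:
        fh.write(SCRIPT_BODY)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    result = {"x_bits_after_download": mode & 0o111, "x_ok_before": os.access(path, os.X_OK)}
    try:
        subprocess.run([path], check=True, capture_output=True)
        result["ran_before_chmod"] = True
    except PermissionError:
        # execve() fails with EACCES: the kernel refuses, no scanner involved.
        result["ran_before_chmod"] = False
    # The "chmod u+x" step: the user has to decide, deliberately, to make it runnable.
    os.chmod(path, mode | stat.S_IXUSR)
    result["x_ok_after"] = os.access(path, os.X_OK)
    run = subprocess.run([path], check=True, capture_output=True, text=True)
    result["ran_after_chmod"] = run.stdout.strip() == "fake-av-payload-ran"
    # Even once it runs, it runs with this user's rights only; whether the
    # system binaries are writable depends on who you are (False for a normal user).
    result["can_write_usr_bin"] = os.access("/usr/bin", os.W_OK)
    return result


if __name__ == "__main__":
    for key, value in download_then_execute().items():
        print(f"{key}: {value}")
```

The "yes, OK, and yes" path from the original post has no equivalent here: a saved file is inert until someone changes its mode, and the refusal comes from execve() rather than from any scanner. The last field is the other half of Dave's argument; it only comes back True if you run the script as root, which is the one thing the rogue-AV trick would still need the victim to do.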
 
David W. Hodgins

Even before malware's commercial potential was realized, virus writers could
hardly wait for new environments to target. It was a challenge - and malcoders
just love a challenge. I predict that very soon we will start seeing more Mac
and Linux malware as Windows becomes just that little bit harder to compromise
due to practical enforcement of least privilege.

Perhaps, but I doubt it. Most malware now is done by organized
crime, to make money.

It's very rare that I see any new malware that isn't about stealing
info for identity theft (cleaning out a bank account, etc.), or
control of the system or online accounts for botnet/spamming usage.

Regards, Dave Hodgins
 
David W. Hodgins

Yes, because most people are not accustomed to seeing their own AV
scanner go ape-shit in the middle of a web-surfing session and set the
sirens blazing that a few dozen virii have just been discovered.

Linux/Mac users know their systems don't have a virus scanner,
so they would be much, much less likely to fall for this. Keep
in mind, this is a big factor in why many people switch to Mac
or Linux. Even if they did, everything that's in the wild is
designed for Windows, so it won't do anything.

I currently support half a dozen friends and family members linux
systems. They know there is no virus scanner, and that such
pop ups are fake. In addition, they don't know, or care, how to
install software, as everything they need, is in the system already.
They just want a system that works. Once it's setup, mac or linux
do that.

I have found Windows viruses had been downloaded to the desktop of one
of the systems when a "friend" had been using their computer
to surf porn sites. Didn't do any damage, and just provided me
with a sample to examine.

Their systems are clones of my own. I tend to install just about
everything, as I like to explore, experiment, and develop.

[dave@hodgins ~]$ locate bin/|wc -l
14949
[dave@hodgins ~]$ ll /usr/games/|wc -l
72

That's 15,021 executable programs and scripts, on this system,
not counting ones that are run under the control of a local web
server, for applications such as webmin.

I use remote access (ssh), to ensure updates are installed, on
their systems.

Regards, Dave Hodgins
 
FromTheRafters

Virus Guy said:
In this case, there was really hardly anything else (I was expecting all
sorts of accessory files, altering system files, tons of registry
entries, etc). There was one or two auto-run registry entries, but
nothing else.


I wonder why the java code that starts this whole thing going (the
simulated AV scanner displayed in the web-browser) I wonder why that
code can't be heuristically detected and quarantined so that the user
never sees it in action - and hence is not tricked into downloading and
running the mal-code. ?

One that I saw (and there are many many different versions being served) used
script in an HTML document to call a supplied javascript that de-obfuscated some
crap in the original HTML document which in turn (when de-obfuscated and saved
to disk in the temp) called another script to call again the original HTML (which
was now saved as original[2].htm and not obfuscated) and that HTML also called a
remote script which started the "AV8 has detected bad things and will scan your
computer" [OK] [X] (where OK and X both cause the now ready script to run). The
temp file has gifs for the security icons and 1 or more script files and 1 or
more HTML documents that all work together to build the social engineering
display.

I have used my radio on/off toggle to enable me to run the scripts up to the
point that they ask me to download the actual malware - I click to download and
it fails silently - but I have captured all of the lead-up social engineering
obfuscated code. The reason I don't want to just let it download is because
there may be software exploits being served from there also.

The files in temp are never exactly the same, and so are very hard to detect
programmatically, and this is just the non-malicious display to get them to
download the *actual* malware.
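Virus Guy asked a few posts up why the loader script can't be caught heuristically, and the description above shows both why plain signatures fail (the temp files are never exactly the same) and what does survive re-obfuscation: the decode-and-write-back pattern itself. The Python below is an added example, not code from either poster. It scores a page on those surviving traits. Both HTML samples are constructed here for the demonstration, the "AV8 has detected bad things" string is borrowed from the post above, and the weights and threshold are assumptions, not a published scheme.

```python
import math
import re

# Added example for this page (not code from either poster): a heuristic pass
# over a web page's inline script, scoring the traits a fake-AV loader keeps
# even when the bytes change from victim to victim.

ROGUE_PAYLOAD = "<script>alert('AV8 has detected bad things');</script>"


def percent_encode(text):
    """Encode every character as %XX, the way unescape()-style loaders carry their payload."""
    return "".join("%%%02X" % ord(ch) for ch in text)


# Constructed sample pages. The benign one is an ordinary inline script; the
# rogue one follows the pattern described in the post: an encoded blob,
# decoded and written back into the document, plus a fromCharCode-fed eval.
BENIGN_HTML = """<html><head><title>Weather</title>
<script src="/static/app.js"></script>
<script>
  function showForecast(city) {
    document.getElementById("out").textContent = "Forecast for " + city;
  }
</script></head><body onload="showForecast('Oslo')"><div id="out"></div></body></html>"""

ROGUE_HTML = (
    '<html><body><script>\nvar p = "' + percent_encode(ROGUE_PAYLOAD) + '";\n'
    "document.write(unescape(p));\n"
    "eval(String.fromCharCode(118,97,114,32,115,61,49));\n"
    "</script></body></html>"
)

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
PCT_RE = re.compile(r"%[0-9A-Fa-f]{2}")
STRING_RE = re.compile(r"\"[^\"\n]*\"|'[^'\n]*'")


def shannon_entropy(s):
    """Bits per character, reported for the analyst: a base64 blob runs high, a
    %XX blob runs low (17 symbols), so it is shown rather than scored."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_features(html):
    """Count the loader traits across all inline <script> bodies of a page."""
    js = "\n".join(SCRIPT_RE.findall(html))
    longest = max((len(m.group(0)) - 2 for m in STRING_RE.finditer(js)), default=0)
    return {
        "eval_calls": len(re.findall(r"\beval\s*\(", js)),
        "decoder_calls": len(re.findall(r"\bunescape\s*\(|String\.fromCharCode|\batob\s*\(", js)),
        "document_write": len(re.findall(r"document\.write(?:ln)?\s*\(", js)),
        "percent_escapes": len(PCT_RE.findall(js)),
        "longest_string": longest,
        "entropy": round(shannon_entropy(js), 2),
    }


def score(features):
    """Weights here and the threshold in classify() are assumptions, not a published scheme."""
    s = 3 * features["eval_calls"] + 2 * features["decoder_calls"] + 2 * features["document_write"]
    if features["percent_escapes"] >= 32:   # a blob, not a stray URL parameter
        s += 2
    if features["longest_string"] >= 64:    # one oversized literal is where the payload lives
        s += 1
    return s


def classify(html, threshold=5):
    features = extract_features(html)
    features["score"] = score(features)
    features["verdict"] = "suspicious" if features["score"] >= threshold else "clean"
    return features


if __name__ == "__main__":
    for label, page in (("benign", BENIGN_HTML), ("rogue", ROGUE_HTML)):
        print(label, classify(page))
```

Run on a saved landing page it prints the counts and a verdict. The thread's point still stands: these files are regenerated per visit, so a signature on the bytes is dead on arrival, and a heuristic like this also fires on legitimately packed or minified libraries, which is why a scanner has to treat it as one signal among many rather than a reason to quarantine on its own.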
 
RayLopez99

The other posters to this thread have some valid points, but I don't
think that either Linux or OSX is as bullet-proof as they believe.

The particular attack that you describe involves a trick that causes
the victim to install rogue software. I am switching to OSX now, and
it is clear to me that it is fully vulnerable to this sort of social
engineering.

In getting started with OSX, I am constantly installing software,
updating software, and configuring software. Every one of these
operations requires me to type my password into a dialog box. I can
almost do it in my sleep. This is exactly the situation where your
attack would be a success. I like to think that I am smart, but I
might type that password into a "rogue" dialog box some day. At warp
speed, too!

The reason that these attacks don't occur in the Apple world is that
OSX users are relatively rare. Let me put it a different way. Windows
users are so plentiful that there is no business case for developing
malware for OSX. I speculate that even if OSX becomes a huge minority
operating system (40% of installed desktops, for example) it will not
become a target. There will still be enough Windows targets to shoot
at. Why spend money developing malware for a different platform?

This was such an excellent post that I cross-posted it into C.O.L.A.,
where the fanbois think Linux is immune. I apologize in advance for
the inevitable flame war that will result. Yes, the reason Linux is
"immune" from viruses is due to its 1% (or less) market share, not
because of anything really special in the OS.

RL

Original post here:

A co-worker brought in her PC yesterday. Apparently her SO was
web-surfing early yesterday morning and stumbled upon one of those fake
AV-scan web-pages, and must have accepted the download and install.
After that, it didn't want to boot properly (this is XP, either SP2 or
SP3).

When booted up, a program called "ThinkPoint" ran and basically wanted
you to buy a license, giving you no real access to the computer.

We removed the drive and slaved it to a known/good PC running XP-SP3 and
NAV 2002. I updated the NAV definitions to yesterday's release (Nov 29)
and scanned the entire drive - it found nothing.

I then downloaded and installed Mbam on the known/good PC, updated it,
and it also found nothing when scanning the slaved drive.

I then searched the computer for "hotfix.exe", found it and moved it off
the drive (I have a copy of it). The computer then ran fine.

I uploaded hotfix.exe to virustotal and it was detected by 13 out of 43
apps. Strange that Symantec was listed on VT as a positive hit, but
it's not detected by the Nov 29 NAV definition download. The machine in
question does run McAfee, but it didn't detect it either.

So much for modern AV software...

I then got into a typical debate with another co-worker watching all
this (he's an apple fanboi). Naturally he laughs whenever this happens
to a win-PC. My position is that I don't see why a Mac user, when
presented with a suitably-crafted web page purporting to be the
computer's own AV scanner, couldn't also be tricked into
saying yes, OK, and yes - and hence infect his Mac with one of these
fake AV programs.

Does this phenomenon not exist in the Mac world? Is there something
about the Mac that would make it more difficult or impossible to
socially engineer the Mac user into being tricked into downloading and
installing a piece of rogue software?
 
RayLopez99

Well only the idiots think it's immune. Like the concept of a consistent
UI many COLA "advocates" seem not to understand the concept of social
engineering and how people can be tricked into installing garbage. It
happens millions of times a day now with Android apps. Almost no one
gets the source to see just what exactly these phone apps (which do
prompt for permission to access critical/secure resources at install
time) do with the data they are granted access to.

Good point Hadron, as usual. And if not source code access, at least
a warranty by the company that they will not sell your data is nice.
But most of the time people just click past these notices. For
example, if you bank via internet, you actually give up a bit of
protection afforded by banking via paper copies at some banks. A law
passed in the 1950s gives you two months to complain from the date you
receive the paper statement about a fraudulent transaction, but if you
forgo paper you sometimes get less protection (like 1 month).

RL
 
Resident Analyst

Virus Guy said:
A co-worker brings in her PC yesterday. Apparently her SO was
web-surfing early yesterday morning and stumbled upon one of those
fake AV-scan web-pages, and must have accepted the download and
install. After that, it didn't want to boot properly (this is XP,
either sp2 or sp3).

When booted up, a program called "ThinkPoint" ran and basically wanted
you to buy a license, giving you no real access to the computer.

One of my customers just got the Thinkpoint trojan and I removed it in ten
minutes using system restore.
I usually do it the normal way but this one completely took over the system.

We removed the drive and slaved it to a known/good PC running XP-SP3
and NAV 2002. I updated the NAV definitions to yesterday's release
(Nov 29) and scanned the entire drive - it found nothing.

NAV 2002?

Bahahahaha! We're nearly in 2011 now.

Nortons was crap at the best of times.

Thanks for the good laugh.
 
FromTheRafters

Resident Analyst said:
One of my customers just got the Thinkpoint trojan and I removed it in ten
minutes using system restore.
I usually do it the normal way but this one completely took over the system.


NAV 2002?

Bahahahaha! We're nearly in 2011 now.

Nortons was crap at the best of times.

Thanks for the good laugh.

He's a Windows 98 enthusiast, and 2002 still works.
 
Virus Guy

NAV 2002?

Bahahahaha! We're nearly in 2011 now.

Nortons was crap at the best of times.

Thanks for the good laugh.

By running Symantec's "Intelligent Updater", I'm able to use NAV 2002
as an on-demand scanner that is just as competent as the most current
version of any Symantec / Norton product. The Intelligent Updater is a
rather large definition package (it's running about 95 MB these days)
and it contains malware definitions for several different Symantec
products.

So regardless of what you think about Symantec's malware-detection
capabilities as far as simple file-scanning goes, it makes me laugh that
only 13 out of 43 malware-detection products (on Virus Total) actually
did flag the file as suspect. And Kaspersky was not one of them.

And neither did Mbam detect the file in question.
 
