McAfee Research Blog

Fake Alerts Uncovered

July 2nd, 2009

It has been almost a year since rogue anti-virus products, a.k.a. scareware, became rampant. These Trojan families are typically spread via drive-by downloads, search-engine-optimization poisoning, spam campaigns, and clever social engineering.
Those distribution methods were discussed in earlier blogs; today we will look into the protection mechanisms adopted by these fake alert Trojan families to evade detection by antivirus vendors.

  • Code obfuscation using junk instructions

In the above screenshot, lots of junk code is visible between the valid instructions. Junk instructions are used widely across fake alert families: they change the byte pattern of each variant without changing its behaviour, which is what defeats static signatures.

  • Fake API calls

The screenshot shows a call to the SetArcDirection API, which the code has no need for. Such unnecessary API calls are used by malware to defeat emulation: an emulator that does not implement the API faithfully behaves differently from a real system. Sometimes these families also call API names that do not exist, to check whether they are being emulated, since on a real system such a lookup fails while a naive emulator may hand back a fake address.

  • Customized packer

Many fake alert families use their own custom packers and encryption routines. Some of the families patch existing packers.

  • Use of XMM and MMX instruction sets

Most fake alert families also use XMM, MMX and FPU instructions that are not needed by the code, alongside the other junk code.
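The four tricks above leave traces an analyst can score for, even before a sample is fully unpacked. The following is an added example, not code from the original post or from McAfee: a small Python heuristic that scans a text disassembly listing for junk instruction forms (register self-moves, push/pop of the same register, add/or with zero), counts SIMD/FPU instructions in code that otherwise does no floating-point work, and checks a log of runtime API lookups both for APIs the program has no plausible use for (SetArcDirection, as named in the post) and for names that do not exist in the real DLL. The disassembly excerpt, the lookup log, the export subset and the name FakeApiForEmulatorCheck are all constructed for the example.

```python
import re
from collections import namedtuple

Insn = namedtuple("Insn", "addr mnemonic operands")

# Constructed disassembly excerpt in objdump-like form; not from any real sample.
LISTING = """\
00401000  push   ebp
00401001  mov    ebp, esp
00401003  mov    eax, eax
00401005  push   ecx
00401006  pop    ecx
00401007  xchg   ebx, ebx
00401009  lea    esi, [esi]
0040100c  pxor   xmm0, xmm0
00401010  movq   mm1, mm0
00401013  fnop
00401015  add    edi, 0
00401018  call   dword ptr [SetArcDirection]
0040101e  xor    eax, eax
00401020  pop    ebp
00401021  ret
"""

# Constructed log of (dll, name) pairs the sample resolved at runtime, e.g. from a
# GetProcAddress hook. FakeApiForEmulatorCheck is a placeholder, not a real export.
LOOKUPS = [
    ("kernel32.dll", "GetTickCount"),
    ("gdi32.dll", "SetArcDirection"),
    ("kernel32.dll", "FakeApiForEmulatorCheck"),
]

# Constructed subset of real export names; a production checker would read the
# full export tables from clean copies of each DLL.
KNOWN_EXPORTS = {
    "gdi32.dll": {"SetArcDirection", "GetArcDirection", "LineTo", "MoveToEx"},
    "kernel32.dll": {"GetTickCount", "VirtualAlloc", "LoadLibraryA", "GetProcAddress"},
}
# APIs a fake-AV installer has no plausible reason to call (assumption for this example).
UNEXPECTED_APIS = {"SetArcDirection", "GetArcDirection"}

LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+(\S+)(?:\s+(.*))?$")
SELF_OP = re.compile(r"^(\w+),\1$")        # mov eax,eax / xchg ebx,ebx
SELF_LEA = re.compile(r"^(\w+),\[\1\]$")   # lea esi,[esi]
ZERO_ARITH = {"add", "sub", "or", "xor"}   # add edi,0 and friends
VECTOR_REG = re.compile(r"\b(xmm|ymm|mm)\d+\b")


def parse_listing(text):
    """Turn 'addr mnemonic operands' lines into Insn tuples; operands are lowercased
    with whitespace removed so the regexes above can match them directly."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr, mnem, ops = m.groups()
        insns.append(Insn(int(addr, 16), mnem.lower(), (ops or "").replace(" ", "").lower()))
    return insns


def find_junk(insns):
    """Indices of instructions that have no architectural effect on their own."""
    junk = set()
    for i, ins in enumerate(insns):
        if ins.mnemonic == "nop":
            junk.add(i)
        elif ins.mnemonic in ("mov", "xchg") and SELF_OP.match(ins.operands):
            junk.add(i)
        elif ins.mnemonic == "lea" and SELF_LEA.match(ins.operands):
            junk.add(i)
        elif ins.mnemonic in ZERO_ARITH and ins.operands.endswith(",0"):
            junk.add(i)  # note: xor eax,eax is legitimate zeroing and is NOT flagged
        elif (ins.mnemonic == "push" and i + 1 < len(insns)
              and insns[i + 1].mnemonic == "pop" and insns[i + 1].operands == ins.operands):
            junk.update((i, i + 1))
    return sorted(junk)


def find_simd_fpu(insns):
    """Indices of FPU (f-prefixed), MMX/SSE (xmm/mm register) and emms instructions."""
    return [i for i, ins in enumerate(insns)
            if ins.mnemonic.startswith("f") or ins.mnemonic == "emms"
            or VECTOR_REG.search(ins.operands)]


def check_lookups(lookups, known=KNOWN_EXPORTS, unexpected=UNEXPECTED_APIS):
    """Flag resolved names that do not exist in the DLL (emulator probe) or that
    exist but have no plausible use in this kind of program."""
    findings = {"nonexistent": [], "unexpected": []}
    for dll, name in lookups:
        exports = known.get(dll.lower())
        if exports is not None and name not in exports:
            findings["nonexistent"].append(name)
        elif name in unexpected:
            findings["unexpected"].append(name)
    return findings


def assess(listing, lookups):
    """Summarise the evasion indicators found in one listing plus its lookup log."""
    insns = parse_listing(listing)
    api = check_lookups(lookups)
    return {
        "instructions": len(insns),
        "junk_ratio": round(len(find_junk(insns)) / len(insns), 2),
        "simd_fpu": len(find_simd_fpu(insns)),
        "nonexistent_apis": api["nonexistent"],
        "unexpected_apis": api["unexpected"],
    }


if __name__ == "__main__":
    print(assess(LISTING, LOOKUPS))
```

On the constructed listing, 6 of the 15 instructions are junk, three are SIMD/FPU in a function that does no arithmetic, one runtime lookup targets an API with no business being there and one targets a name no real DLL exports. None of these alone is proof of anything (compilers emit the odd `lea esi,[esi]` for alignment), so the scores are meant to prioritise samples for unpacking rather than to convict them.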

The techniques discussed above are not new and have been used in notable malware. But fake alert Trojans use these evasion techniques to their full potential with every new variant. Just when we thought we were seeing a decline in adware and spyware, fake alert Trojan families have stepped in to claim the scum-of-the-Internet tag.
