
Brazilian Masquerade

Dmitry Bestuzhev
Kaspersky Lab Expert
Posted February 05, 19:34  GMT
Tags: Internet Banking, Antiviruses, Social Engineering

What do you see here?

A free AV product protecting a Windows XP machine, right?

No, actually it’s malware – a Brazilian Trojan banker that arrives via email and then uses a masquerade to stay in the system. The malware is only 386Kb, is written in Delphi, and arrives in an email together with many other malicious and non-malicious files.

If the victim clicks on the system tray icon, he will get this message:

(Translation: Your Avast! Antivirus is being updated, wait.)

In some combinations it also shows messages like this one:

(Translation: Avast! antivirus: Attention, your system is protected)

Why do cybercriminals use such a method “to hide” their malware in the system? Google trends shows that Avast is the most popular AV in Brazil. And my experience of life in Latin America shows that people still don’t want to pay when there is something free.

Before dropping the mentioned fake Avast product, another module, based on the anti-rootkit product Avenger, tries to remove the following legitimate AV products from the system if they are installed: AVG, McAfee, Panda, Nod32, Kaspersky, Bitdefender, Norton, Microsoft Security Essentials, PSafe, Avira and Avast.

There are many malicious files used in the same campaign. They have different roles and are detected by Kaspersky Anti-Virus as Trojan.Win32.Delf.ddir, Trojan.Win32.ChePro.aov, Trojan.Win32.ChePro.anv, Trojan-Banker.Win32.Delf.apg, not-a-virus:RiskTool.Win32.Deleter.i, Trojan-Banker.Win32.Agent.jst and Trojan.Win32.Delf.ddiq.

It looks like cybercriminals from Brazil think this way: "Why fight AV detections? Sometimes it's too complicated. Let's just replace them with our own fake solutions and everybody will be happy".

Last, but not least, in addition to the malware related to this campaign, we see more and more Trojan bankers from Brazil coming with fake descriptions, pretending to be modules of different AV products. Here’s one example:


Follow me on twitter @dimitribest
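
A defender-side check for the masquerade described above, added here as an example and not taken from the original post or from Kaspersky Lab: it lists executables whose version-info text claims one of the AV vendors named in the post but whose Authenticode signature does not support that claim. The scan root and the idea of matching the signer subject against the claimed name are assumptions; a mismatch is a reason to review the file, not proof of malware.

```powershell
# Added example (not from the original post).
# Flags files that *describe* themselves as an AV product but are unsigned,
# invalidly signed, or signed by a publisher whose name does not match.
param(
    [string]$Root = $env:ProgramFiles   # assumed scan root, change as needed
)

# Vendor names as listed in the post.
$vendors = 'Avast','AVG','McAfee','Panda','Nod32','Kaspersky','Bitdefender',
           'Norton','Microsoft Security Essentials','PSafe','Avira'
$pattern = ($vendors | ForEach-Object { [regex]::Escape($_) }) -join '|'

Get-ChildItem -Path $Root -Recurse -Include *.exe,*.dll -File -ErrorAction SilentlyContinue |
ForEach-Object {
    $vi      = $_.VersionInfo
    $claimed = "$($vi.CompanyName) $($vi.FileDescription) $($vi.ProductName)"

    if ($claimed -match $pattern) {
        $vendor = $Matches[0]
        $sig    = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        # Decide why (if at all) the file deserves a closer look.
        $reason = $null
        if ($sig.Status -ne 'Valid') {
            $reason = "signature status: $($sig.Status)"
        }
        elseif ($signer -notmatch [regex]::Escape($vendor)) {
            # Heuristic only: some vendors sign under a parent company name.
            $reason = 'signer does not match claimed vendor'
        }

        if ($reason) {
            [pscustomobject]@{
                Path          = $_.FullName
                ClaimedVendor = $vendor
                Description   = $vi.FileDescription
                Signer        = $signer
                Reason        = $reason
            }
        }
    }
}
```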

3 comments


Galoget Latorre

2013 Feb 11, 13:49

Good Post!

Hi Dmitry, good post, I have a question: what happens if the infected computer already has the legitimate free AV? (And the malware was not detected...) Can this type of malware remove the legitimate AV, or do they stay together in the system with a duplicate tray icon?


Dmitry Bestuzhev

2013 Feb 12, 16:11

Re: Good Post!

Hi,

Yes, it uses Avenger to remove any of the AV products mentioned in the post and then installs its "own one".


mark117

2013 Mar 24, 01:47

Hi Dmitry Bestuzhev

Very Good Article.

Will this be added to the list of Fake AVs over at the Kaspersky support site? It has a pretty comprehensive list of Fake AVs.
Here is the link for anybody who may be interested in just how many Fake AVs there actually are out there at any given moment:
http://support.kaspersky.com/viruses/rogue
And one last thing,
To anybody reading this article, ["THERE IS NO SUBSTITUTE!!! EXCEPT FOR A LEGITIMATE ANTIVIRUS"]
Like
Kaspersky PURE 3.0
link below
http://www.kaspersky.co.uk/pure?icid=PURE_bnr_hp_UK
Thank You
mark117
