Symantec Security Response Weblog: We pwn your Desktop!
We pwn your Desktop!
A couple of weeks ago, in this blog entry, we learned how misleading applications advertise themselves on the Web. Now we'll look at the other side of things: how misleading applications infiltrate users' machines and then work to convince people to purchase them.
We are used to seeing malware that uses all sorts of tricks to compromise a user's machine in order to steal valuable information or perform fraudulent activities. The purpose of all of this? Money, of course! Why would the miscreants make the effort of studying new tricks and developing new malware when they can simply persuade users to hand over their money voluntarily?
This is how it goes with misleading applications. They can arrive in several ways, for example through downloaders or simply via browser advertisements: "Your computer is in danger!", "Get a better PC", or "Protect your PC from hackers!" are just a small sample of the messages a user may be exposed to. Once the user is tricked into executing an installer, free scanner, or whatever it may be (which can happen with or without the user's consent, by the way), the show really begins. Every visual means of communication is used to warn the user of the terrible menace at hand:
System tray:
Figures 1, 2, and 3: Examples of fraudulent system tray icons and balloons
Active desktop:
Figure 4: The desktop of the machine has been compromised to report threatening messages
Or, a simple message box is displayed:
Figure 5: Misleading applications also use system-like message boxes
Any interaction with these warnings sets off a trigger, and some application is downloaded and installed. The purpose of these applications is to scare the user with convincing messages that his or her machine is in grave danger security-wise, or that the PC is riddled with errors that are slowing it down, and so on. These applications are good looking, with lots of "eye candy," flashing icons, nice animations, and lots of colors; they do everything they can to appear professional. The life cycle of such applications is almost always the same: they are installed and they automatically start running a "scan."
Figure 6: Once installed, the misleading application performs a scan automatically
Then they report their findings: lots and lots of critical risks, possible spyware, malware, errors, and/or privacy violations. In reality, many of the reported items do not even exist, are not critical, and are not dangerous at all; the important thing here is to look scary!
Figure 7: This misleading application reports an overwhelming number of "privacy violations"
Panic is the best friend of misleading apps. When a user sees these reports, his or her first thoughts are "my credit card could be stolen!", "my son's favorite game will be deleted!", or "my wife's favorite fashion Web links will be redirected to who knows what horrible Web site!" and so on. It looks like the user is doomed, unless he or she can somehow fix these risks. Well, there is almost always a big button that will do just that! Oh, wait. Surprise!
Figure 8: The usual “pay for fix” message window
If the user wants to save his or her computing life, all that needs to be done is to purchase the application. For only a few dollars! It's cheaper than many commercial products, and surely worth it for the security of the PC! Some users may still have doubts about the application: What is it? Where does it come from? That is why, in order to persuade even the most paranoid users, these days misleading applications look very much like system applications and use names resembling real system components or security applications:
Figure 9: A misleading application with a Windows Vista look
Still: "I don't know, I will ask a friend of mine who is an expert with computers." Well, if you do manage to cancel the fix/purchase process, you will still get one last warning:
Figure 10: Trying to halt the application or its installation brings up the threatening warnings again and again
Worse still, some applications feature an encore. Even if the user does not want to buy the application, it keeps running, restarting itself when closed, popping up in the middle of the user's activities with nasty warnings, and so on. In conclusion, this is a case of finding the devil where you might not expect him. Beware!
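Two of the traits described above (look-alike names for system or security components, and the "encore" of restarting itself after being closed) are things a support engineer can check for directly on a suspect machine. The following PowerShell triage script is an added example, not code from the original post or from Symantec: it assumes a Windows host with PowerShell, and the keyword list and the "outside %SystemRoot% or unsigned" heuristic are hypothetical starting points for triage, not a detection signature.

```powershell
# Added triage example (not part of the original post). Assumes a Windows host
# with PowerShell. Heuristics are hypothetical: a security-sounding process name
# or window title is only suspicious when the image runs outside %SystemRoot%
# or carries no valid Authenticode signature; autostart entries are listed so the
# "restarts itself when closed" behaviour can be traced to its Run-key value.

$systemRoot   = $env:SystemRoot
$suspectWords = 'antivirus','antispyware','security','privacy','cleaner',
                'protector','defender','center','fix','scan'   # hypothetical list

# 1. Running processes that look like a system/security component but do not
#    live where, or carry the signature that, a real one would.
$processFindings = Get-Process | Where-Object { $_.Path } | ForEach-Object {
    $p   = $_
    $sig = Get-AuthenticodeSignature -FilePath $p.Path
    $text = $p.ProcessName + ' ' + $p.MainWindowTitle
    $nameHit = $suspectWords | Where-Object { $text -match $_ }
    $outsideSystem = $p.Path -notlike "$systemRoot\*"
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    if ($nameHit -and ($outsideSystem -or $sig.Status -ne 'Valid')) {
        [pscustomobject]@{
            Pid       = $p.Id
            Process   = $p.ProcessName
            Title     = $p.MainWindowTitle
            Path      = $p.Path
            Signature = $sig.Status
            Signer    = $signer
        }
    }
}

# 2. Autostart entries: one common way for an application to come back after
#    being closed is a Run/RunOnce value; list those pointing outside %SystemRoot%.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autostartFindings = foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    # Skip the PSPath/PSParentPath/... metadata properties the provider adds.
    $valueNames = $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        Select-Object -ExpandProperty Name
    foreach ($name in $valueNames) {
        $command = [string]$props.$name
        if ($command -notlike "*$systemRoot*") {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $command }
        }
    }
}

"Suspicious processes:"
$processFindings   | Format-Table -AutoSize
"Autostart entries outside $systemRoot:"
$autostartFindings | Format-Table -AutoSize
```

Run it from an elevated prompt so that `Get-Process` can report the image path of every process; unelevated, system processes are simply skipped by the `Where-Object { $_.Path }` filter. A hit in the first list that also appears in the second is exactly the pattern the post describes: a professional-looking "security" program, unsigned and living under the user's profile, that re-launches at every logon.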
Posted by Andrea Lelli on October 26, 2007 05:00 AM