And finally, standard user malware

Today I finally got wind of my first piece of true standard user malware: MS Antispyware 2008 has gone standard user. The version in question installs its binaries under c:\documents and settings\all users\application data\<something>, a location any user can write to, and persists by adding itself to HKCU\...\Run, which also needs no elevation. Curiously, the legitimate anti-malware program on the machine (one of the top 3) failed to detect the infector.

Obviously, this version is much easier to remove than the ones that require admin privileges. However, MS Antispyware is not about being hard to remove. It just needs to run until the user pays for the privilege, and more than likely, even as a standard user, many people will fall for it.
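The persistence pattern above, a per-user Run value pointing at a binary dropped in a user-writable directory, is easy to audit without a signature. The following PowerShell script is an added example and not code from the original post: it walks the Run and RunOnce keys, extracts the executable from each command line, flags entries started from ProgramData, AppData, Temp or the profile directory, and checks the Authenticode status of the file. The key and directory names are the standard Windows ones; it assumes Windows PowerShell 5.1 or later and is meant to be run as the user being audited.

```powershell
# Added example (not from the original post): audit Run/RunOnce keys for
# persistence entries whose executable lives in a user-writable location.
# Assumes Windows PowerShell 5.1 or later, run as the user being audited.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories a standard user can write to without elevation. Anything
# auto-started from here could have been dropped by unprivileged code.
# ALLUSERSPROFILE covers the XP-era "All Users\Application Data" location.
$userWritableRoots = @(
    $env:ProgramData,
    (Join-Path $env:ALLUSERSPROFILE 'Application Data'),
    $env:APPDATA,
    $env:LOCALAPPDATA,
    $env:TEMP,
    $env:USERPROFILE
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

# Pull the executable path out of a Run value such as
#   "C:\ProgramData\foo\bar.exe" /silent    or    C:\ProgramData\foo\bar.exe /silent
function Get-ExecutablePath([string]$command) {
    $command = $command.Trim()
    if ($command.StartsWith('"')) {
        $end = $command.IndexOf('"', 1)
        if ($end -gt 1) {
            return [Environment]::ExpandEnvironmentVariables($command.Substring(1, $end - 1))
        }
    }
    # Unquoted: take everything up to the first ".exe", otherwise the first token.
    $m = [regex]::Match($command, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) {
        return [Environment]::ExpandEnvironmentVariables($m.Groups[1].Value)
    }
    return [Environment]::ExpandEnvironmentVariables(($command -split '\s+')[0])
}

# True when the path sits under one of the user-writable roots.
function Test-UserWritable([string]$path) {
    foreach ($root in $userWritableRoots) {
        if ($path.StartsWith($root + '\', [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSParentPath, etc.; skip those.
        if ($p.Name -like 'PS*') { continue }
        $exe = Get-ExecutablePath ([string]$p.Value)
        $sig = if (Test-Path -LiteralPath $exe) {
            (Get-AuthenticodeSignature -FilePath $exe).Status
        } else {
            'FileMissing'
        }
        [pscustomobject]@{
            Key          = $key
            Name         = $p.Name
            Executable   = $exe
            UserWritable = Test-UserWritable $exe
            Signature    = $sig
        }
    }
}

# Full inventory first, then the entries to triage: started from a
# user-writable directory and not carrying a valid signature.
$findings | Sort-Object UserWritable, Signature -Descending | Format-Table -AutoSize
Write-Host "`nSuspicious entries (user-writable path, no valid signature):"
$findings | Where-Object { $_.UserWritable -and $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

A user-writable path by itself is not proof of anything, since legitimate per-user installers use the same directories, which is why the script also reports the signature status; an unsigned or missing file auto-started from ProgramData or AppData is the combination worth pulling for a closer look. For machines with several profiles, run it under each account or point it at the corresponding hive under HKU.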

On a somewhat unrelated note, just as I was wondering who would fall for these types of scams, I met a real person who did: a not-particularly-well-off disabled retiree who was scammed out of $5000 by an organized crime ring that tells you that you have won a lottery, provided you first pay them for the ticket. That particular scam was run partially by phone and partially online. And the scumbags apparently didn't think they had scammed her out of enough money, so they kept calling her even after she sent them the money. I advised her to call Rob McKenna's office (Attorney General of Washington State). Mr. McKenna's office stated that they felt horrible for her. Apparently that was about all the comfort they could give. I must say that level of action was not particularly impressive, and does not really live up to Mr. McKenna's campaign promises of cracking down on scammers.

Published Mon, Aug 31 2009 11:21 PM by jesper

Comments

# Larry Seltzer said on 01 September, 2009 06:54 AM

When you think about it, how is anti-malware supposed to detect user malware such as this? If they don't have a signature for it then there's nothing in the behavior of the program that could be determined heuristically to be malicious. All the program does is put on a show.

I'm also told by anti-malware companies that these rogue anti-malware programs are particularly aggressive about their obfuscation techniques.

# Simon said on 03 September, 2009 03:02 PM

Hey Jesper

Sorry to hear about your friend being duped into the scam. I had to fix dozens of computer with that stupid malware but luckily, every user just got frustrated instead of giving in to the demand (could also be because they were broke!). But $5,000? I believe the user themselves also have the responsibility to make sure that everything is legit before giving away that much money.

# Hilton Travis said on 10 September, 2009 04:21 PM

G'day Jesper,

All these filth are doing is following Microsoft's lead with Microsoft Live Mesh and Microsoft Vine which don't install into Program Files, but into AppData\Local, therefore not requiring elevated rights.

Now, this is a huge security vulnerability to me - allowing non-Admin users the ability to install applications. WTF was Microsoft thinking?

Have you tried installing Live Mesh with "Run as Administrator"? What does the error message "Live Mesh: Product does not support running under an elevated account. This class is not configured to support Elevated activation. Error: 80080017". Now, is that an error message, as a Security professional, that scares the pants off you, or what?

# Eric Eskam said on 03 October, 2009 12:48 PM

I too am surprised it has taken this long for something like this to appear. If Firefox can install in usermode, why not malware?

BTW - a handy flowchart to help users decide if they really should click to see the dancing naked pigs:

www.intac.net/a-flowchart-to-help-you-decide-when-to-click-past-the-security-warning