By Tyler Moffitt
Recently we have seen an increase in fake installer scams attempting to trick computer users into installing disguised rootkits directly on their machines. In this post, we want to highlight how a scam like this can be installed and infect a machine, including behavior to watch out for as well as how to remedy the situation if it were to arise.
In the case of this infection, we are utilizing a bogus Adobe Flash Player installer. Normally, this file would be downloaded from a website after a message stating “You need the latest version of Flash to view this video” appears. The file being downloaded would have a random name, such as ‘flashplayerinstallerxxxx.exe’.
For educational purposes, we will show how this file reacts with a system without Webroot installed.
After execution, the file launches as a bogus Adobe flash player installer. During this process, it deletes the source executable that was initially dropped.
After the fake Adobe Flash update finishes loading, it will display a message (see screenshot below). Note that it doesn’t matter what version of Adobe flash player you have; even if you have no flash player installed, it will still report this message.
After about 10 minutes, the program will download components and get everything into place for infection. Then a new svchost.exe protected process will launch and start taking huge amounts of the CPU. This process cannot be killed.
With the infection installed, all redirects are from Google search engine results. For this demonstration, we used Firefox and Internet Explorer, typed in “books”, and only clicked on the first 2 links (Amazon and NYTimes).
Since this is a rootkit, there are no toolbars/extensions/BHO’s added to the browser. There are also no modified proxy settings or modified hosts files. What is interesting about this rootkit sample is that the redirects do not happen every time. The action will occur about once every three attempts, where the user will get redirected to a series of sites that are shown below.
The number of redirects caps out around 4-5 and then everything will seem normal until a restart of the browser. This erratic action can make it extremely difficult to troubleshoot. It can also prove to be very frustrating for a user to explain as it is not consistent and once the redirection occurs enough times, the issue stops for the rest of the browsing session. We have seen instances where consumers have just been “living with it” for months.
Here are the loops of redirect sites:
This is not an issue that any user should have to live with, however. After the infected code was running, we did a fresh install of Webroot SecureAnywhere onto the machine, which immediately detected and removed the infection. Below are screenshots of Webroot’s alert and threat removal in progress. Utilizing Webroot’s technology, a user is protected from malicious actions such as this, decreasing stress and improving the overall web experience.
As always, with these types of scams being so easy for the user to miss, there are a number of things users need to remember.
- Only install updates of software directly from the manufacturer’s website or from the software itself
- Check the URL of the websites you are visiting to ensure they match where you want to be
- Do not give out personal information (such as credit card information) through websites you do not know
- If in doubt, shut down your PC and contact Webroot
Webroot SecureAnywhere automatically blocks the installation of this infection. If the PC has no AV software installed, booting into Safe Mode with networking and installing Webroot SecureAnywhere will remove the threat. Manually removing this threat is possible; however, there may be some system damage that will need to be repaired.
Webroot support is always available to help with removal and questions regarding this infection. Please visit the Webroot support web site for more detail at: http://www.webroot.com/support/.