One of the most sophisticated pieces of malware yet seen on Facebook, detected as Trojan.FakeAV.LVT, uses several social engineering techniques to spread. It hijacks a victim’s Facebook session and uses the chat function to send credible messages to their friends, leading them to a fake YouTube video page that supposedly contains a video of the victim.
The page is convincing because it carries the friends’ names in the title and even includes fake comments attributed to the victim’s own Facebook friends. The fake YouTube page tells the visitor that they need to download and install a Flash Player update to see the video (a well-worn malware lure), and the ‘update’ installs the Trojan on their computer.
Once installed, the Trojan suppresses notifications from the Windows Firewall, Windows Update and the user’s own legitimate antivirus software. So far this is a clever, well-engineered infection method, but not that unusual. The next part is where it gets awfully scary…
The Trojan displays a pop-up message warning you of virus infection and asks you to confirm restart of your computer. Crucially, this pop-up warning is an exact copy of a real virus alert you would receive from your own legitimate antivirus program.
The Trojan detects which antivirus program is installed on your computer and picks the matching warning from a built-in database of templates for 20+ of the most popular antivirus programs (covering the vast majority of users). So what you see is a warning from ‘your’ antivirus software, identical to what you may have seen before if you have ever encountered a virus.
After you choose to restart, the Trojan schedules your own antivirus program for uninstallation, reboots the computer into Safe Mode (but with a black screen only) and quickly uninstalls your antivirus program behind the scenes. Less than a minute later it restarts the computer normally.
When the computer restarts (now with several running viruses) the Trojan puts a fake antivirus icon in your system tray (bottom right of screen) – again, this icon is an exact copy of the genuine article, even to the extent of simulating the virus definitions/update release date if you hover the mouse over it. Most people would be fooled into thinking that everything is ok and their own antivirus program is still protecting them – but their computer is now totally compromised…
You no longer have any antivirus protection and your computer has been taken over by malware including the following:
- Trojan downloader – to fetch and install further malware
- Modified Hosts file – to block certain websites (typically security vendor and update sites) and silently redirect others
- Dynamic list of other infected computers – so that infected machines can distribute more malware to each other
- Rootkit – a component that hides the infection’s files and processes from Windows and from any future antivirus scan
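As an added example (not code from the original article or from the Xylibox write-up), here is a small Python audit of a hosts file that flags the two abuses described above: security vendor and update domains sinkholed to a loopback or unspecified address, and other names redirected to a routable address. The vendor watch-list and the sample hosts content are constructed for illustration, as are the redirect addresses in it.

```python
"""Audit a Windows hosts file for the two tricks a malicious edit typically
plays: sinkholing security vendor / update domains (so the real antivirus
cannot update) and redirecting other names to an attacker's server.

Added example, not from the original article or the Xylibox analysis.
The watch-list and the sample hosts content below are constructed."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed watch-list: names that have no business appearing in a hosts
# file on a normal workstation (antivirus vendors and update endpoints).
SECURITY_DOMAINS = {
    "windowsupdate.com", "update.microsoft.com", "symantec.com", "mcafee.com",
    "kaspersky.com", "avast.com", "avg.com", "bitdefender.com", "eset.com",
    "sophos.com", "trendmicro.com", "malwarebytes.org", "virustotal.com",
}

# Names that legitimately map to loopback in stock hosts files.
BENIGN_LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback",
}

# Constructed sample: a stock header, one legitimate LAN entry, then the
# kinds of lines a malicious edit would add.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.168.1.20    fileserver                 # legitimate LAN name
127.0.0.1       www.symantec.com update.symantec.com
0.0.0.0         www.kaspersky.com
93.184.216.34   www.facebook.com           # constructed redirect address
93.184.216.35   update.microsoft.com       # constructed fake update server
"""


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, address, hostname) for every mapping in the file.

    Handles '#' comments (full-line and trailing) and the one-address,
    many-names form a single hosts line may take."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # address with no name: ignore as malformed
        for name in fields[1:]:
            entries.append((lineno, fields[0], name))
    return entries


def is_watched(hostname: str) -> bool:
    """True if hostname is, or is a subdomain of, a watched domain."""
    name = hostname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS)


def audit_hosts(text: str) -> List[Dict[str, object]]:
    """Classify each suspicious mapping.

    blocked    - watched domain sent to loopback/0.0.0.0 (update suppression)
    hijacked   - watched domain sent anywhere else (fake update server)
    redirected - any other name sent to a globally routable address
    malformed  - address field does not parse
    Private/LAN addresses for non-watched names are left alone."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name.lower() in BENIGN_LOCAL_NAMES:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append({"line": lineno, "hostname": name, "ip": ip,
                             "kind": "malformed"})
            continue
        sinkhole = addr.is_loopback or addr.is_unspecified
        if is_watched(name):
            kind = "blocked" if sinkhole else "hijacked"
        elif addr.is_global:
            kind = "redirected"
        else:
            continue
        findings.append({"line": lineno, "hostname": name, "ip": ip,
                         "kind": kind})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>2}: {f['kind']:<10} {f['hostname']} -> {f['ip']}")
```

On a real machine, point `audit_hosts` at the contents of `%SystemRoot%\System32\drivers\etc\hosts`; a stock file yields no findings, so anything reported is worth a look. The split between "blocked" and "hijacked" matters: a sinkholed vendor domain only stops updates, while a vendor domain pointed at a routable address means ‘updates’ could be coming from whoever controls that server.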
This collection of malware lets the virus creators and other cyber-criminals use your computer freely for things like sending spam, hijacking email and logging or stealing passwords and logon details, while the peer-to-peer network of infected computers lets them push further malware to each other.
The only clue that all is not well and your antivirus program is not really running is that, if you try to actually open your antivirus program, you see a non-standard message telling you it is in ‘Enhanced Protection Mode’ as a temporary measure…
Could This Type Of Virus Become Unstoppable?
At the moment it is really clever but there are a few weaknesses:
- If you try to open your supposed antivirus program you get the ‘Enhanced Protection Mode’ message instead of the real program – this gives the game away. However, we suspect the next step for the virus creators will be to create a fake full copy of each popular antivirus program so that, when opened, it looks the same as the genuine one – possibly to the extent of being able to download ‘updates’ (from the virus creators) and ‘scan’ your computer (just a pretend scan of course).
- The reboot into Safe Mode with only a black screen is less of a giveaway (only technically aware users would realise it is not part of a standard virus removal), but it could also be improved: if the Trojan simply deleted the key files and services of the genuine antivirus program in normal Windows mode it would not need to boot into Safe Mode at all.
- Currently the Trojan spreads via Facebook, which limits its reach, though not by much, as Facebook has over half a billion users… It would spread even faster if it were also pushed through the usual malware channels: torrents, file-sharing sites, infected websites, email attachments and so on. This is surely the next step.
If these weaknesses were fixed, malware like Trojan.FakeAV.LVT could become devastating, and you can be sure other malware writers are already copying its ‘best’ features. Invisibly replacing genuine antivirus software with convincing fake copies would be the coup de grace, leaving computers not just badly infected but, even worse, still appearing to be secure.
If the user remains blissfully unaware they have been massively infected they will continue to use their computer as normal for online banking and shopping etc – the potential for ongoing security breaches and data or financial loss could be much greater than anything we have seen before.
Hopefully antivirus companies are working on a defense to this type of threat as we think it might not be long before the current weaknesses are fixed, copied by others and moved outside of Facebook to the wider internet – then we might really have problems.
In the meantime, you should ensure that you have a top antivirus program (see our recent guide on the best antivirus software) and also check out our guide on avoiding virus infections in the first place.
[A highly detailed technical investigation of this Trojan is on Xylibox here]