
Thread: FakeSpyPro trojan alert

  1. #1
    Join Date
    Apr 2010
    Location
    none
    Posts
    85
    FakeSpyPro trojan alert


    Hey folks,

    I picked up a nuisance trojan called "FakeSpyPro" last week while visiting the Crappie.com forums. Crappie.com is not directly responsible. I've seen similar attacks while visiting other web sites and forums. The culprit in this case is GoogleAds (which Crappie.com uses), which can be hacked to execute attacks. The only way to prevent such threats is to block GoogleAds in your browser. I will explain how to block nuisance ad-servers later. First, I want to share how I stopped the attack.

    I was able to trap the trojan before it could install and hide itself. I use IE7 under 64-bit XP. The sequence of events was as follows...

    1. I searched for all forum posts from a member who lives near me. No other browser windows were open. After reading about 3 posts by this member, a fake virus scan appeared. This was not a browser script or a misleading graphic on the web page, but a separate application running outside my browser. The program displayed an animated "scanning for security threats" warning then closed itself before I could react.

    2. A new icon immediately appeared in the System Tray in the lower-right corner. It displayed a pop-up balloon for a fake security alert, then also closed itself before I could react.

    3. I immediately shut down IE7 externally via Task Manager to prevent more scripts from executing. While TM was open, I verified that no unexpected background processes were active.

    4. I manually shut down my network connections via Control Panel to prevent external access.

    5. My "Startup" menu was clean, but I found a new EXE listed in the "Run" System Registry key. A randomly-named EXE file was located in a randomly-named "Windows\Temp" folder. This unknown EXE would have infected my computer the next time Windows started. Of course, I removed the unauthorized entry from the "Run" registry. I also moved the EXE file to a folder so I could diagnose it later.

    6. Once I was sure the threat was contained, I manually enabled my network connections and ran IE7. I then discovered a malicious act the script had committed: network settings were modified and IE7 wouldn't connect. I dove into the "Tools > Internet Options > Connections > LAN settings" menu command. The "Automatic configuration" option was disabled and "Use Proxy Server" was enabled. I corrected the settings and IE7 worked again. No doubt this is a security hole in IE7 corrected by later versions.

    7. I scanned my computer with AVG and found no threats. I then uploaded the trojan EXE to Jotti for analysis. This free service runs a dozen or so virus scanners on any file you upload. Interestingly, no virus was reported for the file by any of these scanners.

    8. I scanned my computer using Windows Defender, a free tool provided by Microsoft. This tool detected and cleaned the trojan file both in my saved folder and a recent system restore file. Defender also exposed the trojan's FakeSpyPro nickname so I could research the threat.


    How to block Ad-Servers

    Blocking annoying ad-servers like GoogleAds and YahooAds gives greater browser security. Ad-Servers use java/php scripts to display animated/interactive ads in your browser. They also use cookies to track your browsing habits and tailor ads to your interests.

    But my strongest motivation to block ads is less dire: web pages load much faster when all the ad-servers are blocked. With the exception of a few banner and button images, a text forum site has almost no graphics. When ad-servers are blocked, almost no new images are downloaded when you open a thread. Unless the thread is full of photo attachments, the page loads almost instantly because no ads are displayed.

    The blocking process varies for each browser and Operating System. I'll list the steps for XP and IE7 since that's what I use, but the process is similar for all browsers and OS.

    1. Open the "Tools > Internet Options > Security" menu command. You can also run Control Panel's "Internet Options" icon without using a browser.

    2. Click the "Restricted sites" icon in the security zone list.

    3. Click the "Sites" button.

    4. Enter each ad-server address in the edit box and click the "Add" button (one at a time). This is a rather tedious process, but it's not too bad if you copy and paste each URL from a text file.

    Do NOT click the links below!!! Spaces were deliberately added to the URLs to prevent the forum software from creating hot-links. Remove the spaces while adding the URLs into your Restricted Site list.

    With that warning out of the way, here is the list of ad-servers related to GoogleAds that I now block...

    http: // googleads. g. doubleclick. net
    http: // pagead2. googlesyndication. com
    http: // ad. doubleclick. net
    http: // www. doubleclick. com

    Here are assorted ad-servers I also block...

    http: // pixel. quantserv. com
    http: // av. rds. yahoo. com
    http: // ad. yieldmanager. com
    http: // ad. yieldmanager. net
    http: // www. adtechus. com
    http: // adserver. adtechus. com
    http: // www. adtraff. com
    http: // www. advertising. com
    http: // www. atdmt. com
    http: // www. blessedads. com
    http: // www. newbieadguide. com
    http: // www. prevedmarketing. com

    Also blocking web sites which originate trojans and phishing scams is a no-brainer...

    http: // www. fixthemnow. com
    http: // bsa. safetydownload. com
    http: // scanner2. malware-scan. com

    So where did I get this list of ad-servers and scammers? I've simply accumulated these URLs over the years while web surfing. When I encounter a site with offensive or annoying ads, I right-click the ad and select the "Properties" menu item to get the URL. I also observe the "now loading" display in the lower-left corner of my browser while the page loads. I'll grab a screen capture if the URL is difficult to read or too long to remember. Finally, I may peek at the raw HTML source for clues.

    No doubt some of the locations I've listed above are no longer valid. Ad-servers and scammers constantly change their locations for obvious reasons. Passive blocking at the browser level is a never-ending battle, but it works.

    Hope this helps,

    Brian
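    As an added example (this is not Brian's code, nor anything from Crappie.com), here is a PowerShell script that does on the command line what the post above does by hand: it lists the "Run" autostart entries and flags any that launch from a Temp folder, reports whether IE's proxy settings have been switched on, and places the ad-server hosts from the post (spaces removed) into the "Restricted sites" zone. It assumes a Windows version with PowerShell available, that IE's zone assignments live under the HKCU ZoneMap\Domains registry key with the DWORD named after the scheme set to 4 for "Restricted sites", and that each listed host has a two-label registrable domain (true for every host in the post, but not for names like example.co.uk).

```powershell
# Added example, not from the original post. Reads HKCU/HKLM autoruns and the
# HKCU Internet Settings key, and writes only to the HKCU ZoneMap.

# --- 1. Autorun entries: flag anything launched from a Temp folder ---
# The post found a randomly named EXE in a randomly named Windows\Temp subfolder,
# registered under the "Run" key so it would start with Windows.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSDrive metadata
        $cmd = [string]$p.Value
        if ($cmd -match '\\Temp\\') {
            Write-Warning ("Suspicious autorun '{0}' in {1}: {2}" -f $p.Name, $key, $cmd)
        } else {
            Write-Output ("Autorun '{0}': {1}" -f $p.Name, $cmd)
        }
    }
}

# --- 2. IE connection settings the trojan altered (proxy switched on) ---
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie = Get-ItemProperty -Path $inet
if ($ie.ProxyEnable -eq 1) {
    Write-Warning ("Proxy is ENABLED, pointing at: {0}" -f $ie.ProxyServer)
} else {
    Write-Output 'Proxy is disabled (expected for a direct connection).'
}
if ($ie.AutoConfigURL) {
    Write-Warning ("Automatic configuration script is set: {0}" -f $ie.AutoConfigURL)
}

# --- 3. Put the ad-server hosts into the Restricted sites zone (zone 4) ---
# Same effect as Tools > Internet Options > Security > Restricted sites > Sites.
# Host list is the one from the post with the deliberate spaces removed.
$hosts = @(
    'googleads.g.doubleclick.net', 'pagead2.googlesyndication.com',
    'ad.doubleclick.net', 'www.doubleclick.com',
    'pixel.quantserv.com', 'av.rds.yahoo.com',
    'ad.yieldmanager.com', 'ad.yieldmanager.net',
    'www.adtechus.com', 'adserver.adtechus.com',
    'www.adtraff.com', 'www.advertising.com', 'www.atdmt.com',
    'www.blessedads.com', 'www.newbieadguide.com', 'www.prevedmarketing.com',
    'www.fixthemnow.com', 'bsa.safetydownload.com', 'scanner2.malware-scan.com'
)
$zoneMap = "$inet\ZoneMap\Domains"
foreach ($h in $hosts) {
    # ZoneMap stores "sub.example.com" as Domains\example.com\sub; a DWORD named
    # after the scheme ("http") holds the zone number. Assumes a two-label domain.
    $labels = $h.Split('.')
    $domain = ($labels[-2..-1]) -join '.'
    $sub = if ($labels.Count -gt 2) { ($labels[0..($labels.Count - 3)]) -join '.' } else { $null }
    $path = if ($sub) { "$zoneMap\$domain\$sub" } else { "$zoneMap\$domain" }
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name 'http' -Value 4 -PropertyType DWord -Force | Out-Null
    Write-Output ("Restricted: {0}" -f $h)
}
```

    After running it, open Tools > Internet Options > Security > Restricted sites > Sites and the hosts appear in the list exactly as if they had been typed in one at a time; the autorun and proxy sections are read-only reports, so the cleanup itself (removing the Run entry, unchecking "Use Proxy Server") is still a deliberate manual step as in the post.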

  2. #2
    Join Date
    Nov 2005
    Location
    Pensacola, Florida
    Posts
    2,716

    I have found the same BS on facebook....

  3. #3
    Join Date
    Dec 2009
    Location
    Down by the Coosa River
    Posts
    2,579

    HsvToolFool, it sounds like you may need to update your AVG if you had to go through all that trouble... or find a better AV program, unless you just like chasing that kind of stuff around on your puter.

    Check out Spysweeper for XP, it's a very good program and those trojans just bounce right off.

    Another good program to run is Malwarebytes, it's a free download and is highly recommended by geeks everywhere!

  4. #4
    Join Date
    Jun 2009
    Location
    Owasso, OK
    Posts
    451

    Are you sure you didn't mean to post this on some computer nerd forum instead of CDC?

  5. #5
    Join Date
    Nov 2005
    Location
    Pensacola, Florida
    Posts
    2,716

    He said he got a virus or something from THIS SITE, so yea, he is on the correct site. He's from Huntsville, give him a break. He's probably a Rocket Scientist or something and too smart for his own good.

  6. #6
    Join Date
    Apr 2010
    Location
    none
    Posts
    85

    I should have mentioned that I am a computer engineer. I've been writing Windows drivers and software for about 20 years. This was a rather trivial event for me.

    My AVG definitions are current. I also scanned the file with about 20 separate well-regarded anti-virus programs at Jotti.org. I see no need to change anti-virus products. There are many good anti-virus programs available, and AVG is one of the better ones.

    When it comes to security tools, people get caught up in a never-ending Alice In Wonderland style "caucus race" based on the latest hearsay, switching from brand X to Y then back to A. Swear by any brand you want, but hackers will eventually slip one past any OS, browser, or security suite. The only magic bullet is you and knowing your system.

    The type of threat I described always exists when ad-servers use java/php/flash scripting. The two solutions are to either cripple the browser so that no java/php/flash scripting is allowed (unacceptable!) or just block the ad-servers. This thread explains how the latter is done.

  7. #7
    Join Date
    Jul 2004
    Posts
    7,253

    I am glad I can crappie fish a little, because if I had to follow those instructions to be successful at stopping a virus I would be in trouble. Some of you people are so smart, I just wish I was half that smart.

  8. #8
    Join Date
    Nov 2005
    Location
    Pensacola, Florida
    Posts
    2,716

    Like he said, it was trivial to him... like a stroll in the park. He did it just cause he could.

    I like H'ville. It's a great city!!!

  9. #9
    Join Date
    Apr 2010
    Location
    none
    Posts
    85

    Quote, originally posted by crappieseeker:
        "I am glad I can crappie fish a little..."

    What little rain we've gotten the last three weeks has been on Saturdays and Sundays. Gorgeous weather Mon thru Fri. I've only been able to fish by taking off work a few afternoons.

        "...if I had to follow those instructions to be successful at stopping a virus I would be in trouble."

    I'm not a good writer, so I'm sure I made it sound harder than it really is.

  10. #10
    Join Date
    Apr 2004
    Location
    Prairie Village, Kansas
    Posts
    3,043

    HsvToolFool, is the trojan FakeSpyPro mainly aimed at IE, and is Firefox as susceptible to this? I've been using Firefox for some time and I haven't noticed any problems, and all my scans are coming up negative.

    Thanks
    “There is no difference between communism and socialism, except in the means of achieving the same ultimate end: communism proposes to enslave men by force, socialism—by vote. It is merely the difference between murder and suicide.” Ayn Rand
