If it calls itself “Security Essentials 2010”, then it’s possibly fake, innit?

Discussion in 'Windows Security' started by kemical, Mar 1, 2010.

  1. kemical

    kemical Windows Forum Admin
    Staff Member Premium Supporter Microsoft MVP

    Joined:
    Aug 28, 2007
    Messages:
    31,838
    Likes Received:
    1,568
    Wednesday, February 24, 2010 9:44 PM by mmpc
    If it calls itself “Security Essentials 2010”, then it’s possibly fake, innit?


    Well, it had to happen eventually. One of the oldest tricks used by rogue antivirus products is to use a similar name as, or have a similar look and feel to, legitimate security software. It’s been commonplace for them to mimic the Windows Security Center. So it was inevitable that the day would arrive when a rogue would masquerade as something similar to Microsoft Security Essentials. If anything, it surprises me a little that it’s taken so long.
    This one calls itself “Security Essentials 2010” and looks something like this:
    [image: screenshot of the rogue “Security Essentials 2010” window]
    For the record, this is how the real Microsoft Security Essentials appears when it has detected a threat (in this case, Win32/Fakeinit):
    [image: screenshot of the genuine Microsoft Security Essentials detection dialog]

    As we in the MMPC have always been quick to point out, Microsoft Security Essentials can be downloaded and used without charge by users running genuine Windows (from here: http://www.microsoft.com/security_essentials/). So anything mimicking Microsoft Security Essentials but asking for any sort of payment is clearly Up To No Good.
    [image: screenshot of the rogue’s payment prompt]
    We detect this imposter as Trojan:Win32/Fakeinit.
    Fakeinit’s downloader not only installs the fake scanner component – it also monitors other running processes and attempts to terminate the ones it doesn’t like, claiming that they are infected:
    [image: screenshot of the rogue’s fake “infected process” warning]

    You can see a list of some of the terminated processes in the TrojanDownloader:Win32/Fakeinit description.
    Aside from this, it lowers a number of security settings in the registry, and changes the desktop background to display the following rather alarming message:
    [image: screenshot of the replaced desktop background]
    It also modifies the registry in an attempt to prevent this background from being changed again.
    Furthermore, it also downloads and installs a Win32/Alureon component, and another Layered Service Provider (LSP) component, also detected as Trojan:Win32/Fakeinit. This LSP monitors the TCP traffic sent by various Web browsers that the user might have installed, and blocks any traffic to certain domains, instead displaying the following:
    [image: screenshot of the page shown when a domain is blocked]
    You can find a list of some of the blocked domains in the Trojan:Win32/Fakeinit description.
    - David Wood

    Microsoft Malware Protection Center : If it calls itself

    I've seen this myself and it's quite a nasty one, so be careful, you guys....
     
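    Two of the behaviours the MMPC post describes (locking the desktop background through the registry, and installing a Winsock Layered Service Provider that filters browser traffic) are things a defender can audit for on a suspect machine. The script below is an added example; it is not from the forum thread, the MMPC post, or Microsoft, and it is not specific to Fakeinit. It assumes a stock Windows install: that the NoChangingWallPaper policy value lives under the ActiveDesktop policy keys named in the script, and that `netsh winsock show catalog` labels each entry with "Entry Type:" and "Provider Path:" lines. It is read-only and flags items to verify, not proof of infection.

```powershell
# Added example (not from the thread or the MMPC post): read-only audit for two of the
# tampering behaviours described above. Registry paths and the netsh output labels are
# assumptions about a stock Windows install; verify them on the system you run this on.

# 1. Wallpaper lock: a non-zero NoChangingWallPaper policy value disables the "change
#    background" UI. Check both the per-user and machine-wide policy keys.
$policyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'
)
foreach ($path in $policyPaths) {
    $item = Get-ItemProperty -Path $path -Name NoChangingWallPaper -ErrorAction SilentlyContinue
    if ($item -and $item.NoChangingWallPaper -ne 0) {
        Write-Warning "Wallpaper change locked by policy at $path (NoChangingWallPaper=$($item.NoChangingWallPaper))"
    }
}

# 2. Winsock catalog: parse 'netsh winsock show catalog' and list every provider whose
#    DLL is not under the Windows directory, together with its Authenticode status.
#    Legitimate third-party LSPs exist (some AV and VPN products install them), so each
#    hit is something to check against its vendor, not an automatic verdict.
$catalog   = netsh winsock show catalog
$entryType = $null
$findings  = @()
foreach ($line in $catalog) {
    if ($line -match '^\s*Entry Type:\s*(.+?)\s*$') {
        $entryType = $Matches[1]
    }
    elseif ($line -match '^\s*Provider Path:\s*(.+?)\s*$') {
        # Paths are usually written as %SystemRoot%\system32\...; expand before comparing.
        $expanded  = [Environment]::ExpandEnvironmentVariables($Matches[1])
        $inWindows = $expanded -like ($env:SystemRoot + '\*')
        if (-not $inWindows) {
            $sig = Get-AuthenticodeSignature -FilePath $expanded -ErrorAction SilentlyContinue
            $findings += [pscustomobject]@{
                EntryType    = $entryType
                ProviderPath = $expanded
                Signature    = if ($sig) { $sig.Status } else { 'file not found' }
            }
        }
    }
}
if ($findings) {
    Write-Warning "Winsock providers outside $env:SystemRoot (verify each one):"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No Winsock providers outside $env:SystemRoot."
}
```

    Run it from an elevated PowerShell prompt on the machine in question. A wallpaper lock the user never set, or an unsigned LSP in a user-writable directory, matches the pattern the post describes and is a reason to take the image-and-rebuild route discussed later in this thread rather than trust a cleanup.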
  2. Celestra

    Celestra Former Moderator

    Joined:
    Jan 15, 2008
    Messages:
    2,468
    Likes Received:
    14
    Very Frightening.....
     
  3. Mitchell_A

    Mitchell_A Excellent Member

    Joined:
    Feb 7, 2009
    Messages:
    5,068
    Likes Received:
    240
  4. Mike

    Mike Windows Forum Admin
    Staff Member Premium Supporter

    Joined:
    Jul 22, 2005
    Messages:
    8,488
    Likes Received:
    783
    The introduction of false anti-virus applications is a major problem, most prominently in Windows XP. I have seen this issue time and time again on compromised systems. The result of the compromise is usually lax security on the network level - open ports on the router which could easily be identified using penetration testing, as well as incorrect Windows Firewall settings. The inability of organizations to keep up with the latest security updates for Windows will also create this result, as well as irresponsible browsing. There is a chance the system can still be salvaged after this problem occurs, but its security must now be considered suspect permanently, unfortunately. By using anti-malware, *good* anti-virus programs (NOD32, Kaspersky), as well as trojan removers, you can get rid of the situation, usually in safe mode. However, I have seen some systems with hundreds of trojans and malware. In this case, a clean install becomes the only viable option if the organization is serious about information and network security.
     
  5. Joe S

    Joe S Excellent Member

    Joined:
    Jan 12, 2009
    Messages:
    3,785
    Likes Received:
    113
    In case you can't get it cleaned up or repaired, it's a good idea to keep a current image of your OS handy. I also have the HD partitioned with the OS on one partition and data on the other. I use Acronis True Image 2010 and made the bootable disk.
    Joe
     
  6. Joe S

    Joe S Excellent Member

    Joined:
    Jan 12, 2009
    Messages:
    3,785
    Likes Received:
    113
    Are these slipping onto the system using Adobe Flash by chance? My nephew is learning disabled and only reads at a third grade level. He is not retarded. I've noticed lately that Avast seems to go off a lot in his search for videos. Most of his searches look like legit sites, like looking for YouTube videos.
    On the other hand, I know adult sites can switch you almost anyplace when you click: a fake-looking video player comes up, or a screen that says something about a security scan. Both of these seem to be triggers to install the malware. If I get anything strange I bring up the Task Manager and close the window. I know some of the popups are rigged so even if you select No it installs anyway.
    Adobe isn't well regarded for security in their products either. It's pretty difficult to avoid Flash. I only use Adobe Reader when absolutely required. I know in the past both have been major holes in security.
    Joe
     
