New Tactic By Fake MSE Alert

Discussion in 'malware problems & news' started by Franklin, Oct 18, 2010.

Thread Status:
Not open for further replies.
  1. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Picked up an installer for the fake Microsoft Security Essentials alert and gave it a run.

    Instead of bringing up a fake scan dialogue where you can choose to download five different rogues this one asks for a reboot to delete the fake detection and install "ThinkPoint" security.

    On reboot all you have is ThinkPoint's gui sitting on desktop with no desktop icons or Taskbar.

    All it allows you to do is pay for the app or do a scan.

    The rogue's gui is still there locking up the desktop in users safe mode.

    The way to get rid of it is to either boot into admin safe mode or boot from a live cd then find and delete hotfix.exe from C:\Documents and Settings\"USERNAME"\Application Data.

    Naturally the best thing is to stop this rogue from getting installed in the first place but I'm sure it will get installed by some.

    1.JPG

    2.JPG

    3.JPG

    4.JPG

    5.JPG
     
  2. SUPERIOR

    SUPERIOR Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    161
    Location:
    Syria
    thanks for the info franklin.... so it's like ransomware ..but i guess the former way was more convincing
    is it allowed to ask u for the sample !!
     
  3. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    Thanks Franklin for reporting new fake MSE alert. Please check your PM.
     
  4. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,954
    Location:
    DC Metro Area
    There appears to be a new variant of the MSE fake:

    "The "alert" from the threat steals the Microsoft Security Essentials brand, including the little blue fortified castle icon. The software then displays a seemingly comprehensive list of antimalware solutions--including all of the top names that users are familiar with such as Trend Micro, McAfee, Panda, and Symantec-- and identifies those that are capable of detecting and blocking this nefarious threat.

    The F-Secure blog explains, "Surprisingly, the only products that seem to be capable of handling the infection are AntiSpySafeguard, Major Defense Kit, Peak Protection, Pest Detector and Red Cross. Never heard of these? No wonder. They are all fake products."

    http://www.pcworld.com/businesscenter/article/208592/beware_fake_microsoft_security_essentials.html
     
  5. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
  6. wongawallen

    wongawallen Registered Member

    Joined:
    May 25, 2008
    Posts:
    11
    Can anybody tell me why these things don't get detected & stopped by your antivirus program, e.g. Nod32
     
  7. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    When a new rogue installer is released out in the wild the authors of all these rogue apps make sure it bypasses most AV's at release so as to infect as many as possible.

    Then they are added to defs as samples are aquired by the good guys.

    Below are some of my samples for the fake MSE alerts and there are probably many more variants out there.

    MSE.JPG
     
  8. wongawallen

    wongawallen Registered Member

    Joined:
    May 25, 2008
    Posts:
    11
    thanks Franklin, I guess I'm being pretty naive then, expecting an antivirus to catch this stuff.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    These scams are becoming more varied. This posted the other day:

    AV scam: is it a rogue or is it AVG’s free edition for sale?
    http://sunbeltblog.blogspot.com/2010/11/av-scam-is-it-rogue-or-is-it-avgs-free.html
    Brian Krebs puts it well:
    ----
    rich
     
Loading...
Thread Status:
Not open for further replies.