Threat Research & Response Blog
Well, it had to happen eventually. One of the oldest tricks used by rogue antivirus products is to use a similar name as, or have a similar look and feel to, legitimate security software. It’s been commonplace for them to mimic the Windows Security Center. So it was inevitable that the day would arrive when a rogue would masquerade as something similar to Microsoft Security Essentials. If anything, it surprises me a little that it’s taken so long.
This one calls itself “Security Essentials 2010” and looks something like this:
For the record, this is how the real Microsoft Security Essentials appears when it has detected a threat (in this case, Win32/Fakeinit):
As we in the MMPC have always been quick to point out, Microsoft Security Essentials can be downloaded and used without charge by users running genuine Windows (from here: http://www.microsoft.com/security_essentials/). So anything mimicking Microsoft Security Essentials but asking for any sort of payment is clearly Up To No Good.
We detect this imposter as Trojan:Win32/Fakeinit.
Fakeinit’s downloader not only installs the fake scanner component – it also monitors other running processes and attempts to terminate the ones it doesn’t like, claiming that they are infected:
You can see a list of some of the terminated processes in the TrojanDownloader:Win32/Fakeinit description.
Aside from this, it lowers a number of security settings in the registry, and changes the desktop background to display the following rather alarming message:
It also modifies the registry in an attempt to prevent this background from being changed again.
Furthermore, it also downloads and installs a Win32/Alureon component, and another Layered Service Provider (LSP) component, also detected as Trojan:Win32/Fakeinit. This LSP monitors the TCP traffic sent by various Web browsers that the user might have installed, and blocks any traffic to certain domains, instead displaying the following:
You can find a list of some of the blocked domains in the Trojan:Win32/Fakeinit description.
- David Wood