Threat Research & Response Blog
A new rogue has started making its appearance from compromised websites: Rogue:MSIL/Zeven. We received a sample (70be8ca73142922fd78acf2aafa9f141a977f15a) and a URL and began our investigation.
Let us say from the beginning that the guys behind this rogue like to copy big-time. They start by auto-detecting what browser the user is currently using, and then faking the malware warning page if the browser is Internet Explorer, Chrome, or Firefox. This is meant to be a social engineering scheme in order to trick the user into downloading and installing the rogue, relying on the user’s trust of his day-to-day browser.
The similarity between the fake warning pages is so accurate that it can trick even highly trained eyes.
In the Firefox page, for example, you can see it’s not the real warning page because they misspelled ‘out’ and wrote ‘Get me our of here’.
But for all three browsers, a common indication that you are not looking at the actual browser warning is the offer of some sort of an “update” or “solution”. All the “updates” point to a copy of MSIL/Zeven that promises to provide “a new approach to windows detection”. Internet Explorer, Firefox, and Chrome do not offer such a solution when a website is blocked.
When installed, the product looks very genuine: it allows you to scan files, tells you when you’re behind on doing your updates, and enables you to tweak your security and privacy settings. These features are usually available in various legitimate antivirus solutions. However, the features don’t work; everything is there just to look nice, not to offer any kind of protection (just like in all other rogue antivirus programs).
Of course once it scans your computer it’s bound to claim it found something scary (malicious), as shown below:
As usual with rogue scanners, although it “found” malicious files, it claims it cannot delete them unless you update. That implies that you need to pay for the full version, which has the ability to download updates. However, these files are totally bogus; no such files exist in the user’s computer.
If you decide to buy the product, this rogue opens an HTML window enabled with ‘Safe Browsing Mode’ and high-strength encryption to “help” and “protect” you while completing your purchase. Of course these features are totally worthless and don’t actually do anything in the way of securing your credit card details.
The main page of the rogue antivirus program itself looks awfully close to the Microsoft Security Essentials webpage – more copying from the bad guys. The people behind it have even copied the awards received by Microsoft Security Essentials and link to the Microsoft Malware Protection Center – pretty sneaky of them.
This is a screenshot of the rogue’s main webpage:
And, by way of contrast, this is a screenshot of the genuine Microsoft Security Essentials page:
It seems that these guys want to profit from the good reputation and success of Microsoft Security Essentials in order to make money – but we remind our customers that Microsoft Security Essentials can be downloaded at no cost. And it really does protect your computer from malware!
We detect both the downloader of the rogue and the rogue itself as Rogue:MSIL/Zeven.
Until our next encounter: browse safely!
Daniel Radu, MMPC Dublin