Security Essentials Has An Evil Malware Clone

Reported by the Microsoft Malware Protection Center on Sept 1st, a new malware attack is out that not only tries to foist a fake clone of Microsoft Security Essentials on victims but also serves customized fake browser warnings.

The attack looks strikingly similar to the real deal, and it can be tricky to tell the difference even with an experienced eye. It starts out with a slick social engineering move: it detects which browser is in use and puts up the matching warning page. Right now it has warnings for IE, Firefox, and Chrome. The faked warning page looks almost exactly like the real one. The difference is that the fakes have some misspellings and also urge the user to get new virus protection via an update or upgrade.

When the user clicks the upgrade link, they are sent to a homepage to download the malware Rogue:MSIL/Zeven. The homepage is itself another clone; it closely resembles the real Microsoft Security Essentials homepage. It even has a link to the real Microsoft Malware Protection Center.

When installed, the malware looks like a convincing anti-virus product named Win7 AV, with all the expected features (scans, updates, alerts for out-of-date definitions, and settings), but none of it works. It runs the usual “scan” and then claims to have found a bunch of awful malware that it can’t remove unless the user pays to upgrade to the full version. If the user decides to buy the full version, it pops up a window that claims to offer strong encryption in a “Safe Browsing Mode” that in fact does nothing to secure the credit card data entered.

Even though this is such a cunning attack, it is possible to avoid it by remembering a few details. First, real browser warnings won’t contain a link or message urging the user to download anything, and they won’t have misspellings. Second, Microsoft Security Essentials is completely free, so it would never ask for money anywhere in the program or on its website. Careful browsing will avoid traps like this one and others.

Be sure to visit the original article linked above for the great screenshots!

Comments (2)

  • Greg says:

    If these evil posers have a homepage, shouldn’t it be possible to track them down and then close them or block their server or ISP? I guess I just don’t understand all the evil ways to hide on the web. Mean people suck.

  • Robert says:

    Wow, as I was installing Security Essentials on a customer’s PC the other day, I was thinking about whether this would be possible and if it was already out. Like Greg said, “Mean People Suck”.