Also simulates Windows Security Center behavior

Jun 15, 2009 09:45 GMT  ·  By

Security researchers from computer software giant CA, formerly known as Computer Associates, warn of a new rogue antivirus application that masquerades as Microsoft's Malicious Software Removal Tool (MSRT). The rogueware also uses a series of deceptive prompts to persuade users to pay for worthless licenses.

Fake security applications are a common pest for today's computer users and an important source of illegal income for cybercriminal gangs. Also referred to as rogueware or scareware, these programs are all classified by CA's antivirus engine under the Win32/FakeAV family of malware.

Mary Grace Gabriel, a research engineer with CA's Internet Security Business Unit, notes that one such program recently detected in the wild displays MSRT-like alerts and even imitates the tool's graphical user interface. "Microsoft Malicious Software Removal Tool Installed. Click this message to start scanning process or it will start automatically in 10 seconds," the initial fake message reads.

After the alleged system scan finishes, fictitious infections are listed in a fake MSRT result window. Clicking the "Finish" button opens another window called "OEM Purchase Center," which offers "unlimited lifetime licenses" at discount prices for products such as Norton SystemWorks 2009, Norton 360, Norton Internet Security 2009 or McAfee Total Protection 2009.

Paying will not yield a legitimate license for any of these products; the purchase page exists only to collect the victim's money and card details. "However, when the user clicks the Cancel button, it will display another fake alert on system tray," Ms. Gabriel explains.

The Windows Security Center is also imitated. First, a fake warning informs the user that no antivirus software has been detected on the computer. Clicking it opens a legitimate-looking Security Center GUI with the "Virus Protection" section highlighted. Pressing the "Recommended" button there opens a rogue website that sells more fake products.
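Because the rogueware's MSRT window, tray balloons and Security Center look-alike are all just painted dialogs, the practical check is to ask Windows itself rather than trust anything on screen. The following Windows PowerShell script is an added example, not code from the article or from CA: it reads the antivirus products that the real Security Center has registered through WMI, verifies the Authenticode signature of the genuine MSRT binary, and lists any running process whose window title claims to be the Malicious Software Removal Tool but is not the signed MRT.exe in System32. Assumptions are marked in the comments: the WMI namespace names (root\SecurityCenter on XP, root\SecurityCenter2 on Vista and later), the community decoding of the undocumented productState field, and the MRT.exe location, which exists only if Windows Update has delivered MSRT to the machine.

```powershell
# Added example (not from the article or from CA). Tested mentally against
# Windows PowerShell; on PowerShell 7 replace Get-WmiObject with Get-CimInstance.

function Get-RealAntivirusState {
    # Assumption: Vista/7 expose root\SecurityCenter2, XP exposes root\SecurityCenter.
    $ns = if ([Environment]::OSVersion.Version.Major -ge 6) { 'root\SecurityCenter2' } else { 'root\SecurityCenter' }
    $products = Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue
    if (-not $products) {
        # Nothing registered: either genuinely no AV, or the query failed. Either way
        # a pop-up saying "no antivirus detected" is not evidence of anything.
        return New-Object PSObject -Property @{ Namespace = $ns; Name = $null; Enabled = $false; UpToDate = $false }
    }
    foreach ($p in $products) {
        if ($p.PSObject.Properties['productState']) {
            # Assumption: productState as six hex digits; the middle byte's high nibble
            # is 1 when real-time protection is on, the low byte is 00 when signatures
            # are current. This is the widely used community decoding, not a documented contract.
            $hex      = '{0:X6}' -f [int]$p.productState
            $enabled  = $hex.Substring(2, 1) -eq '1'
            $upToDate = $hex.Substring(4, 2) -eq '00'
        } else {
            # XP-era class exposes plain booleans instead of productState.
            $enabled  = [bool]$p.onAccessScanningEnabled
            $upToDate = [bool]$p.productUptoDate
        }
        New-Object PSObject -Property @{ Namespace = $ns; Name = $p.displayName; Enabled = $enabled; UpToDate = $upToDate }
    }
}

function Test-MsrtBinary {
    # Assumption: Windows Update installs MSRT as %windir%\System32\MRT.exe.
    $path = Join-Path $env:windir 'System32\MRT.exe'
    if (-not (Test-Path $path)) {
        return New-Object PSObject -Property @{ Path = $path; Present = $false; Genuine = $false; Signer = $null }
    }
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    # A genuine MSRT carries a valid Authenticode chain with Microsoft as the signer.
    $genuine = ($sig.Status -eq 'Valid') -and ($signer -like '*Microsoft Corporation*')
    New-Object PSObject -Property @{ Path = $path; Present = $true; Genuine = $genuine; Signer = $signer }
}

function Find-MsrtImpersonators {
    # The rogue draws an MSRT-like window; the real tool's window is owned by MRT.exe.
    $realPath = Join-Path $env:windir 'System32\MRT.exe'
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.MainWindowTitle -like '*Malicious Software Removal Tool*' } |
        ForEach-Object {
            $exe = $_.Path
            New-Object PSObject -Property @{
                Pid     = $_.Id
                Path    = $exe
                Genuine = ($exe -ne $null) -and ($exe -ieq $realPath)
            }
        }
}

# Usage: compare what the screen says with what the OS reports.
Get-RealAntivirusState | Format-Table Name, Enabled, UpToDate -AutoSize
Test-MsrtBinary        | Format-List Path, Present, Genuine, Signer
Find-MsrtImpersonators | Format-Table Pid, Path, Genuine -AutoSize
```

Any process in the last table with Genuine set to False is a program that borrowed MSRT's name but runs from somewhere other than the signed system binary, which is exactly the behaviour CA describes. The first table is the authoritative answer to the fake "no antivirus detected" balloon: if a product appears there as enabled and up to date, the warning was not produced by the Security Center.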

It also hooks the legitimate Microsoft Word, displaying a bogus alert about an available Office update whenever Word is opened. If the dialog is accepted, a page on the same rogue website opens, offering discounted licenses for software such as Office Enterprise 2007, Office Ultimate 2007, Adobe Acrobat 9 Pro or Adobe Photoshop CS4 Extended.

The rogueware doesn't stop there and also hijacks several legitimate applications and processes. Attempting to run BearShare, Frostwire, Limewire, Phex or Shareaza, all P2P file-sharing clients, triggers an alert claiming that the program might be damaging the computer and will be deleted.

"CA ISBU Research Lab receives a large number of malicious samples on a daily basis, many of which are found to be Rogue Antivirus applications belonging to the extremely prevalent malware family, Win32/FakeAV," Mary Grace Gabriel warns. Users are advised to keep a legitimate, up-to-date antivirus solution installed and to treat unsolicited security alerts, especially ones that lead to a purchase page, with suspicion.

Photo Gallery (5 Images): Rogue antivirus imitates Windows features; Fake MSRT result window; Fake OEM Purchase Center