There are downsides to market success, and in the case of Microsoft Security Essentials one of them is that attackers build malware designed to piggyback on the free security solution from Microsoft.
Of course, this phenomenon is not limited to MSE; it affects other security products that have, in one way or another, been copied by rogue antivirus software.
Offered to unsuspecting users as Win7 AV, Rogue:MSIL/Zeven is a fake antivirus that imitates a number of legitimate security features, as well as the Microsoft Security Essentials website and various graphical elements from Windows.
Attackers “start by auto-detecting what browser the user is currently using, and then faking the malware warning page if the browser is Internet Explorer, Chrome, or Firefox,” revealed Daniel Radu, MMPC Dublin.
“This is meant to be a social engineering scheme in order to trick the user into downloading and installing the rogue, relying on the user’s trust of his day-to-day browser.”
“The similarity between the fake warning pages is so accurate that it can trick even highly trained eyes,” Radu added.
As users can see from the screenshots included with this article, compromised websites are designed to imitate the various malware detection warnings that modern browsers feature.
However, this is nothing more than a cheap imitation of the actual security features, and ultimately just a social engineering trick.
The fake alert pages come with the recommendation of a security solution, which is none other than Win7 AV.
But Win7 AV is completely useless: it is malware rather than a security solution, and Microsoft detects it as Rogue:MSIL/Zeven, a fake antivirus.
“When installed, the product looks very genuine: it allows you to scan files, tells you when you’re behind on doing your updates, and enables you to tweak your security and privacy settings,” Radu added.
“These features are usually available in various legitimate antivirus solutions. However, the features don’t work; everything is there just to look nice, not to offer any kind of protection (just like in all other rogue antivirus programs).”
Win7 AV falsely claims that the computers it is installed on are infected with various malicious code that does not in fact exist.
Furthermore, the fake antivirus offers victims the option to clean their computer, but only if they first pay for a license.
Users should not install Win7 AV, and if they already have, they should not, under any circumstances, pay for a license. They should instead obtain a legitimate antivirus and clean their PCs.
“If you decide to buy the product, this rogue opens an HTML window enabled with ‘Safe Browsing Mode’ and high strength encryption to “help” and “protect” you while completing your purchase. Of course these features are totally worthless and don’t actually do anything in the way of securing your credit card details,” Radu said.
“The main page of the rogue antivirus program itself looks awfully close to the Microsoft Security Essentials webpage – more copying from the bad guys.”
Of course, there is absolutely no connection between Win7 AV and Microsoft Security Essentials: MSE is an actual security solution, and it is available for download completely free of charge to users of genuine Windows.
Microsoft Security Essentials is available for download here.