Security Response

The Latest (and Most Convincing) Rogue AV Social Engineering

Created: 17 Sep 2010 10:34:40 GMT • Updated: 23 Jan 2014 18:25:06 GMT • Translations available: 日本語
By Sujit Magar

The success and penetration of fraudulent security software depends on its ability to scare the user into buying a fake security product. Over the years we have seen that many social engineering techniques have evolved in attempts to achieve this. This is the latest and most convincing of them all.

This technique is employed by a recently found, in-the-wild sample of fake security software that misleads users by claiming to be a legitimate “Microsoft Security Essential.” The real social engineering is not found in the name, but in how it works, step by step, to trick users into buying this unknown security product. When run, the executables of this family show the following dialog box (mentioning Microsoft Security Essentials):

Notice that rather than showing many fake detection results, as is usually the case with rogue antivirus software, it reports just one threat. It will always report the same file (c:\windows\system32\cmd.exe) as “Unknown Win32/Trojan” and will request that the user clicks on “Apply actions.” However, both the “Apply actions” and “Clean computer” buttons redirect the user to scan the identified threat with online scanners. It then shows a fake online scanner window that lists almost all reputable antivirus products, including Symantec, along with five unknown products:

1.    AntiSpySafeguard .. World’s leading security solution
2.    MajorDefenseKit .. World’s leading security solution
3.    PeakProtection2010 .. World’s leading security solution
4.    PestDetector4.1 .. World’s leading security solution
5.    RedCross Antivirus .. World’s leading security solution

The above five products are clones of a single rogue security product. In the online scan, only these five bogus antivirus products will “detect” the previously identified threat, implying that no other well-known (and legitimate) antivirus product detects the threat. It will also present an option for the user to install one of these products for free:

Once the user clicks on a “free install” for any of the fake products listed above, the threat does not download anything from the internet; it simply copies itself to “%APPDATA%/antispy.exe”. Depending on the product chosen by the user, the respective product window is shown, which will be one of the five windows shown below:

It will then show a fake installation message and will start the fake scan once the install finishes:

(The other four interfaces will also show similar results.)

Finally, as with all other rogue antivirus products, SecurityEssentialFraud will ask users to make a payment to remove the threats it has “detected.”

If the user chooses not to pay, a warning will pop up regarding fake detections in an attempt to scare the user into buying the product:

The process by which this fraudulent software walks the user along, step by step, is interesting and really is a convincing act. Given this latest technique of portraying known security products as having failed, and depending on how successful it proves to be, we may see the same technique, or some variation of it, adopted by a few of the other rogueware families.

Note that all Symantec software users are protected from this threat. Symantec detects this threat as SecurityEssentialFraud.
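As an added host-triage example (this is not code from the post or from Symantec), the script below checks two of the artifacts described above: a file-creation event for antispy.exe placed directly under %APPDATA%, and the five clone product names appearing in strings pulled from a suspect binary. The event line format, the paths and the extracted strings are all constructed for the example; a real deployment would feed it file-creation telemetry and a strings dump from the endpoint.

```python
"""Triage helper for the SecurityEssentialFraud behaviour described above.

Added example, not Symantec's code. It flags (1) a file-creation event
for antispy.exe directly in the %APPDATA% folder and (2) the five clone
product names in strings extracted from a suspect binary. Every event,
path and string below is constructed for the example.
"""

# The five clone product names listed in the fake online scanner window.
CLONE_PRODUCT_NAMES = (
    "AntiSpySafeguard",
    "MajorDefenseKit",
    "PeakProtection2010",
    "PestDetector4.1",
    "RedCross Antivirus",
)

# Constructed file-creation events in a hypothetical "type|path|image=..." format.
SAMPLE_EVENTS = [
    "FileCreate|C:\\Users\\alice\\AppData\\Roaming\\antispy.exe|image=C:\\Users\\alice\\Downloads\\fake_mse_setup.exe",
    "FileCreate|C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\cache.dat|image=C:\\Program Files\\Mozilla Firefox\\firefox.exe",
    # Same file name but not in the %APPDATA% root, so this check does not flag it.
    "FileCreate|C:\\Windows\\Temp\\antispy.exe|image=C:\\Windows\\System32\\svchost.exe",
]

# Constructed strings as a strings-style dump of a suspect binary might yield them.
SAMPLE_STRINGS = [
    "Unknown Win32/Trojan",
    "c:\\windows\\system32\\cmd.exe",
    "AntiSpySafeguard",
    "PeakProtection2010",
    "World's leading security solution",
    "GetProcAddress",
]


def _norm(path: str) -> str:
    """Normalise a Windows path: backslashes, no trailing separator, lower case."""
    return path.replace("/", "\\").rstrip("\\").lower()


def is_appdata_drop(path: str, appdata: str) -> bool:
    """True if `path` is antispy.exe sitting directly in the given %APPDATA% folder."""
    return _norm(path) == _norm(appdata) + "\\antispy.exe"


def find_appdata_drops(events, appdata):
    """Return (dropped_path, creating_image) pairs for matching FileCreate events."""
    hits = []
    for line in events:
        parts = line.split("|")
        if len(parts) < 3 or parts[0] != "FileCreate":
            continue
        path, image_field = parts[1], parts[2]
        if is_appdata_drop(path, appdata):
            image = image_field.split("=", 1)[1] if "=" in image_field else image_field
            hits.append((path, image))
    return hits


def clone_name_hits(strings):
    """Return the sorted list of clone product names found in the strings dump."""
    found = set()
    for s in strings:
        lowered = s.lower()
        for name in CLONE_PRODUCT_NAMES:
            if name.lower() in lowered:
                found.add(name)
    return sorted(found)


def triage(events, strings, appdata):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for path, image in find_appdata_drops(events, appdata):
        findings.append(f"self-copy to %APPDATA%: {path} (written by {image})")
    names = clone_name_hits(strings)
    if names:
        findings.append("clone product names in binary: " + ", ".join(names))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, SAMPLE_STRINGS, "C:\\Users\\alice\\AppData\\Roaming"):
        print(finding)
```

The %APPDATA% location is passed in rather than read from the environment so the same logic can be run over telemetry collected from another machine; the string check is deliberately a plain substring match, since the clone names are distinctive enough that a looser match would mostly add false positives.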