Microsoft Warns Of Rogue MSE Program

antivirus

"We've seen a few rogue security programs use elements of legitimate security software in order to try to make themselves appear more authentic. It was inevitable that Microsoft Security Essentials would be the target of this kind of mimicry," said Microsoft's Hamish O'Dea in a blog post Tuesday.

Fake AVs are malware offering a malicious virus scan on victims' PCs and then falsely claiming that their machine is infected with malware. The program will then offer to rid the users' computer of malware for a price, capturing a user's credit card numbers in return for a bogus or ineffective download.

O'Dea said that in the past, other rogue software has typically taken advantage of the brand awareness associated with MSE's name. However, this latest malware actually imitates elements of the MSE user interface.

The rogue AV, dubbed FakePAV, will display a fake Security Essentials alert dialog box when users attempt to run certain applications. In an attempt to lend itself credibility, FakePAV will then terminate programs that it views as a threat, including Internet Explorer and other Web browsers.

"This kind of technique has become extremely popular with rogues and serves the dual purpose of making the claims of infection more convincing and making the machine harder to use without registering the rogue," O'Dea said.

However, the program then notifies the user that it can't clean the alleged viruses and prompts the user to do an "online scan," offering the user a choice between one of five phony but legitimate sounding scanners, which include Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit and AntiSpy Safeguard.

However, other versions of FakePAV don't provide users a choice, but instead inform them that they need to install the AV software called "ThinkPoint," which allegedly requires a reboot. The rogue program then replaces explorer.exe as the default shell and eventually pretends to run its own fake scan.

The rogue software then proceeds to bog down the users' computer, while stopping explorer.exe from running and terminating task manager, eliminating any way for the user to run other programs.

The fake MSE program was first detected in August, but has since gained traction from distribution through malicious ads, SEO poisoning, viruses and other malware.

"At this stage the rogue method for making money is pretty well established," O'Dea said. "Imitating Microsoft Security Essentials is an example of the kind of slow evolution we are seeing as rogue makers try to convince more people to pay in the hope that it will make their computer behave normally again."