Beware The Fake Windows Security Center

Posted by on Oct 22, 2008 | 2 Comments

Over at the CA security blog, they have done a good job of bringing another fake Windows Security Center screen to our attention. The fake screen is convincing enough that some users will take it for the real thing. CA reports that it is dropped on the system by a trojan and then falsely warns the user of infections that do not exist. I took a look at the fake screen and noted some minor differences, which many users may not notice.

In their warning CA states that:

Another fake Windows Security Center has emerged. Much like versions in the past, on appearance this one is nearly identical to the actual Windows Security Center. And like older versions, it is installed by a trojan and falsely warns the user of non-existent infections (the true infection is the fake Security Center). The infection runs as the process seccenter.exe, which launches the fake security center interface. The malicious file is located at c:\windows\system32\seccenter.exe. A complementary process runs here: c:\windows\system32\drivers\lssas.exe. The infection alters the registry settings that deal with a variety of critical system settings such as proxy settings: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable with the ValueData: "0x0".

Below is a screenshot of the fake Windows Security Center.  I highlighted the key areas in red.  Here is what the fake security center looks like:

Now compare that with the legitimate Security Center built into Windows:

The fake "security center" repeatedly nags the user to download "WinDefender 2008": it blocks outgoing Internet connections, opens a security bar like the one below, and keeps web pages from loading properly. By limiting the user's Internet connection to, essentially, downloading WinDefender 2008 (win-defender(DOT)com/export/shield.php), it prevents the user from downloading a legitimate anti-malware product to remove the infection. This is not a new technique: past infections have blocked users from updating their anti-malware products or from connecting to legitimate security sites. This infection returns a "the page cannot be displayed" error, and on that error page a link to WinDefender 2008 is displayed (see what I highlighted in red). Here is what the blocked connection looks like:

What is interesting to note is that, technically, the same trojan that silently installed the fake Security Center could have installed WinDefender 2008 as well. My guess is that the malware author expects users to find the fake security software more credible if they download it themselves, rather than having it appear on the system unbidden and ask for money to activate. One would hope that having every Internet connection blocked except to the one site asking for money (WinDefender 2008) raises a red flag. The infection funnels the victim toward downloading WinDefender and counts on the process looking legitimate enough for the user to cough up $40.00 for the fake software.
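A quick way to check a machine for this particular sample is to look for the indicators CA listed in the quoted advisory: the two dropped files, the two process names, and the per-user proxy setting. The script below is an added example, not code from this post or from CA; the file paths, process names and registry value come from CA's text, while the function name and the reporting format are this example's own. It assumes an elevated PowerShell prompt (process paths are not readable otherwise) and only reports, it does not remove anything. One caveat worth noting: the dropped lssas.exe is a look-alike of the legitimate lsass.exe, which lives directly in System32 and never under System32\drivers, so the script also flags any lsass.exe running from somewhere else.

```powershell
# Added example: report the indicators from CA's advisory on the current host.
# Indicator names are from the advisory; everything else is this example's own.
function Test-FakeSecurityCenter {
    [CmdletBinding()]
    param()

    $findings = @()
    $sys32 = Join-Path $env:SystemRoot 'System32'

    # 1. Dropped files named in the advisory.
    $suspectFiles = @(
        (Join-Path $sys32 'seccenter.exe'),
        (Join-Path $sys32 'drivers\lssas.exe')
    )
    foreach ($f in $suspectFiles) {
        if (Test-Path -LiteralPath $f) {
            $findings += "File present: $f"
        }
    }

    # 2. Running processes with the names from the advisory.
    $procs = Get-Process -Name 'seccenter', 'lssas' -ErrorAction SilentlyContinue
    foreach ($p in $procs) {
        $findings += "Process running: $($p.ProcessName) (PID $($p.Id)) from '$($p.Path)'"
    }

    # 3. The real lsass.exe must run from System32; anything else is a look-alike.
    $legitLsass = Join-Path $sys32 'lsass.exe'
    foreach ($p in (Get-Process -Name 'lsass' -ErrorAction SilentlyContinue)) {
        if ($p.Path -and ($p.Path -ne $legitLsass)) {
            $findings += "lsass.exe running from unexpected path: '$($p.Path)' (PID $($p.Id))"
        }
    }

    # 4. The per-user proxy settings the advisory says the infection changes.
    #    ProxyEnable = 0x0 alone is not proof; report the related values so the
    #    analyst can see whether a proxy or auto-config URL was planted as well.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $inet = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($inet) {
        $findings += ("Internet Settings: ProxyEnable=$($inet.ProxyEnable); " +
                      "ProxyServer='$($inet.ProxyServer)'; AutoConfigURL='$($inet.AutoConfigURL)'")
    }

    return $findings
}

$result = @(Test-FakeSecurityCenter)
if ($result.Count -eq 0) {
    'No indicators from the CA advisory found on this host.'
} else {
    $result
}
```

These indicators are specific to the sample CA described in 2008 and will not match later variants; the value of the script is the pattern (dropped file, look-alike process name, changed proxy settings), which is what to look for when the file names change.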

As you can see, the fake screen looks good and may fool the casual user. Pass this on to your family and friends so that they are aware of this potentially dangerous scam.

Comments welcome.

Source

  • http://leonard.libitz.clavid.com/ Leonard Libitz

    Since this blog post is talking about Mac Security. I would like to make a few suggestions.

    #1. Keeping track of all 3rd Party Software installed on Mac OS X is extremely important. I have noticed many users installing applications and simply forgetting them. Some users even believe that Apple’s Software Updates take care of 3rd Party Apps.

    If a user tends to install applications and forgets to update them, it can cause an issue with security on the system. It has been well documented in recent months that applications such as Firefox, Adobe Flash and Adobe Acrobat have been hit with some serious vulnerabilities. Keeping track of installed 3rd Party Applications is extremely important.

    If an application has been installed and forgotten, it would be best in my opinion to simply uninstall it. I would also suggest using a tool such as CNET's TechTracker. It is a simple way to keep track of any applications that need to be updated on your system.

    #2. I would also suggest creating two user accounts. One as the Administrator and the other as the Standard User. Do not run as the Admin for day to day use. Use the Standard User Account.

    #3. Make sure applications installed are from a trusted source.

    #4. Only run essential services. If you do not need to use Apple File Sharing or Remote Desktop Connection, then turn them off.

    #5. When visiting sites such as Facebook and Twitter, be cautious of what links you click. Just because you are on a Mac doesn't mean you cannot be tricked into clicking a malicious link.

    Example: http://www.youtube.com/watch?v=H4qbLKy32rI via @sophoslabs

    A few good links to learn a bit more about Mac Security I recommend are the following:

    Sophos Mac Security Hub: http://www.sophos.com/security/mac-security-hub.html

    Secure Mac: http://www.securemac.com/

    The Mac Security Blog: http://blog.intego.com/

  • Christopher Orchard

    Nice one, Thanks as I have been looking for a good antivirus for my MacBook Pro, iMac & MacBook Air :)