
Beware The Fake Windows Security Center

Over at the CA security blog, they have done a great job of bringing another of the fake Windows Security Center screens to our attention. The fake screen is so convincing that some users can be fooled into thinking it is real. CA states that the fake screen is placed on the system by a trojan and falsely advises the user of infections that do not exist. I took a look at the fake screen and noted some minor differences, which many a user may not notice.

In their warning CA states that:

Another fake Windows Security Center has emerged. Much like versions in the past, on appearance this one is nearly identical to the actual Windows Security Center. And like older versions, it is installed by a trojan and falsely warns the user of non-existent infections (the true infection is the fake Security Center). The infection runs as the process seccenter.exe, which launches the fake security center interface. The malicious file is located at c:\windows\system32\seccenter.exe. A complementary process runs here: c:\windows\system32\drivers\lssas.exe. The infection alters the registry settings that deal with a variety of critical system settings such as proxy settings: HKCU\Software\Microsoft\windows\CurrentVersion\Internet ProxyEnable Settings\ with the ValueData: "0x0".

Below is a screenshot of the fake Windows Security Center. I highlighted the key areas in red. Here is what the fake security center looks like:

Now compare that with the legitimate Security Center built into Windows:

The "security center" repeatedly nags the user to download "Windefender 2008" by blocking outgoing Internet connections and opening a security bar like the one below, and also by blocking the webpage from loading properly. By limiting the user's Internet connection to primarily downloading WinDefender 2008 (win-defender(DOT)com/export/shield.php), the user cannot download a legitimate anti-malware product to remove the infection. This is not a new technique – past infections have blocked users from updating their anti-malware products or connecting to legitimate security sites. This infection returns 'the page cannot be displayed' error, and on that page a link to WinDefender 2008 is also displayed (see what I highlighted in red). Here is what the blocked connection looks like:

What is interesting to note here is that technically, the same trojan that maliciously installed the fake Security Center could have also installed WinDefender 2008. It is my guess that the malware author thinks users will feel the fake security software is more legitimate if they have to manually download it, instead of it magically showing up on their system and asking for money to activate it — even though hopefully it would raise a red flag for users that all Internet connections are blocked, except to a site wanting money from them (WinDefender 2008). The infection channels the infected users to download WinDefender and hopes the user finds the process legitimate enough to cough up $40.00 to pay for the fake software.
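As an added example, not code from the CA post or from this blog, here is a PowerShell check a helpdesk or responder could run on a suspect machine to look for the indicators CA names above: the two file paths, the two process names, and the changed proxy setting. The registry key path is an assumption, since the quoted text garbles it; the standard location of ProxyEnable is the Internet Settings key used here.

```powershell
# Added example (not from the CA post): look for the indicators quoted above.
# Assumption: ProxyEnable lives under the standard Internet Settings key.
# Get-FileHash needs PowerShell 4.0 or later.
function Test-FakeSecurityCenter {
    $findings = @()

    # File indicators named in the CA text ('lssas' is a look-alike of the real lsass.exe)
    $files = @(
        (Join-Path $env:SystemRoot 'System32\seccenter.exe'),
        (Join-Path $env:SystemRoot 'System32\drivers\lssas.exe')
    )
    foreach ($path in $files) {
        if (Test-Path -LiteralPath $path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $findings += "File present: $path (SHA256 $hash)"
        }
    }

    # Process indicators: the two process names the CA text says are running
    foreach ($name in @('seccenter', 'lssas')) {
        foreach ($proc in (Get-Process -Name $name -ErrorAction SilentlyContinue)) {
            $findings += "Process running: $($proc.ProcessName) (PID $($proc.Id)) from $($proc.Path)"
        }
    }

    # Proxy setting the CA text says the infection changes (key path assumed, see above)
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $inet = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($inet -and $inet.PSObject.Properties['ProxyEnable']) {
        $findings += "ProxyEnable is $($inet.ProxyEnable) (ProxyServer: '$($inet.ProxyServer)')"
    }

    return $findings
}

$results = @(Test-FakeSecurityCenter)
if ($results.Count -eq 0) {
    Write-Output 'No indicators from the CA description were found.'
} else {
    $results | ForEach-Object { Write-Output "[!] $_" }
}
```

A hit on the file or process checks is strong evidence of this rogue; a ProxyEnable value on its own is only worth noting, since many legitimate setups also set it.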

As you can see, the fake screen looks good and may fool the casual user. Pass this on to your family and friends so that they are aware of this potentially dangerous scam.

Comments welcome.

Source
