PAV rogue imitating Microsoft Security Essentials

wow... even all the spelling looks correct.

they definitely took some time to make this!
 
Yeah they're really copying it closely. Years ago they just mimicked other AV products....you had "Antivirus360" or "A360"..which copied Norton360. Stuff like that.

Last year I saw a rogue (quite a few times) that imitated AntiVir.
 
Ugh, I wish I would have seen the article as soon as it was posted. All of our home users that aren't on paid NOD32 or Kaspersky, we switch to MSE. This could potentially be a nightmare.
 
This is the one time I'm glad my department uses shitty McAfee instead of MSE. These fake AVs are our main source of "omg halps I has a virus" and now this one looks extremely legit... Here's to hoping we don't have an outbreak... /crosses fingers
 
Glad I don't have to care for anyone's PC but my own. No effort required -- sure pays off! :D
 
> Ugh, I wish I would have seen the article as soon as it was posted. All of our home users that aren't on paid NOD32 or Kaspersky, we switch to MSE. This could potentially be a nightmare.

It shouldn't be...MSE is detecting it. And MSE doesn't ask you to download and pay for other products. What's tricky about this one is that it's designed to trick people who either don't have an AV, or don't have an AV that can detect it...and they have heard of MSE and may think it's legit and fall for it.
 
Had one get past MSE yesterday. I don't know if it's the exact strain or a variant, or if MSE was crippled by another infection first, but it was definitely on a computer with up-to-date definitions. Luckily the customer was smart enough to stop when it asked for personal information and called us. Easy to clean, but a little worried it got through. Hoping it was a fluke and something else crippled MSE.
 
The rogue of the week, I haven't caught the name yet, but it's loading as svshost.exe in the user's profile\application data\microsoft folder, loads from the registry Run key, sticks mstsc.exe on the desktop, and sticks a 127 local proxy in internet exploader settings. We're getting a few calls per day on this one. Eset seems to be detecting some of it, but not all/enough yet.
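A triage check for the indicators this post lists, written here as an added example rather than anything from the thread: the svshost.exe name, the profile folder, the Run-key persistence, the desktop mstsc.exe and the loopback proxy come from the post, while the exact registry paths and the Vista-style AppData\Roaming location are assumptions for a typical Windows profile.

```powershell
# Added example (not from the thread): look for the persistence and proxy
# changes described in the post above. Read-only; it reports, it does not clean.
$findings = @()

# 1. Run-key entries launching an .exe from the user's Application Data\Microsoft
#    folder. "svshost.exe" is the misspelling the post reports; the real
#    svchost.exe never lives under a user profile.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $names = ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }).Name
    foreach ($name in $names) {
        $cmd = [string]$props.$name
        if ($cmd -match '(?i)svshost\.exe' -or
            $cmd -match '(?i)\\(Application Data|AppData\\Roaming)\\Microsoft\\[^\\]+\.exe') {
            $findings += "Suspicious Run entry '$name' in $key : $cmd"
        }
    }
}

# 2. A loopback (127.x.x.x) proxy pushed into Internet Explorer settings,
#    which lets the rogue sit between the browser and the network.
$ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie = Get-ItemProperty -Path $ieKey
if ($ie.ProxyEnable -eq 1 -and $ie.ProxyServer -match '127\.\d{1,3}\.\d{1,3}\.\d{1,3}') {
    $findings += "IE proxy points at loopback: $($ie.ProxyServer)"
}

# 3. A copy of mstsc.exe dropped on the desktop (the legitimate one is in System32).
$desktopCopy = Join-Path ([Environment]::GetFolderPath('Desktop')) 'mstsc.exe'
if (Test-Path $desktopCopy) {
    $findings += "Unexpected mstsc.exe on desktop: $desktopCopy"
}

if ($findings.Count -eq 0) { 'No indicators from the thread found.' } else { $findings }
```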
 
Had one of these the other day... MSFT had a link for it that I got from Forefront but they must have changed it.

This is what it was:
Severity: Warning
Status: New
Source: Microsoft Forefront Client Security Threat ID = 2147637771
Name: Malware on Network - Successful Response (Alert Level 3)
Description: Client Security has detected and successfully responded to the following threat:
- Threat name: Rogue:Win32/FakePAV
- Performed action: Remove

To investigate and resolve this incident:
1. Learn more about the threat and its mitigation. Consult the Microsoft Malicious Software Encyclopedia:
http://go.microsoft.com/fwlink/?linkid=37020&name=Rogue:Win32/FakePAV

This specific one came after I removed the virus with Combofix. It was a one-shot one-kill with Combofix - didn't even try MFCS because I've seen something similar before and it involved a rootkit... which was only removable by running Combofix.

 
Already have a client w/ legit MSE get this.... it was fun trying to explain what happened over the phone :(

I've had 2 or 3 rogues get past MSE now, one client in particular wants to go back to McAfee "i don't think this free one you gave me is any good" :rolleyes:

It seems like I've had rogues run right past multiple AVs lately, NOD32, Avira, MSE... getting REALLY irritating
 
> It seems like I've had rogues run right past multiple AVs lately, NOD32, Avira, MSE... getting REALLY irritating

Yeah these rogues are making it past every brand out there...I see them slip past AntiVir, Avast, Eset, Kaspersky,

Here are some facts that you can see from AV-Comparatives and NSS Labs....
When benchmarking AV products against current "rogues/fake alerts"...all the brands of AV are averaging in the 50-60% detection rates. None are able to keep up with the rogues.
 