Trojan Pretends to Be Microsoft Security Suite
Quick quiz: Does Microsoft charge users for its Security Essentials software? How do you tell whether software is from Microsoft or from hackers trying to hold your PC for ransom?
Microsoft is warning users that a Trojan is masquerading as the company's popular free Microsoft Security Essentials (MSE) package.
The alert came from Microsoft's (NASDAQ: MSFT) Malware Protection Center (MMPC) on Wednesday.
"One of the oldest tricks used by rogue antivirus products is to use a similar name as, or have a similar look and feel to, legitimate security software," Microsoft said in a post on the MMPC's Threat Research & Response Blog. "So it was inevitable that the day would arrive when a rogue would masquerade as something similar to Microsoft Security Essentials."
The masquerading rogue security tool goes by the name Security Essentials 2010, which is very similar to the actual name of Microsoft's suite, though the real suite does not have a date in its name.
Users who encounter the fake will see a bogus malware detection scanner that reports that many files on the PC are infected with various types of malware, including Trojans and adware, complete with what looks like a legit "system warning."
Users infected with the Trojan, known as Win32/Fakeinit, will be presented with a screen informing them that the software is just a "trial version" and that "removal and real-time protection features are disabled."
The solution, the fake software informs users, is to "activate [the] full version."
That's not a good idea, however.
"Fakeinit's downloader not only installs the fake scanner component -- it also monitors other running processes and attempts to terminate the ones it doesn't like, claiming that they are infected," Microsoft's blog entry cautions.
The bogus anti-malware product also makes changes to the user's registry to lower security settings, and to prevent users from deleting the "Your System Is Infected" background that it displays in order to raise the user's anxiety level.
According to the blog post, Fakeinit also downloads a second Trojan that installs the Alureon rootkit -- another piece of malware that Microsoft warned a week ago was the source of many Windows XP machines exhibiting blue screens and constant reboots.
Additionally, the malware cuts off access to a list of URLs popular with users, including Ask.com, Amazon.com, Craigslist.com and many others, according to Microsoft.
Aside from some minor grammatical errors in the text -- a common tipoff that a piece of software is actually malware -- what gives away the real purpose of the bogus software are the statements identifying it as a "trial version" and requests to activate the full product.
The actual Microsoft Security Essentials suite is available without charge from Microsoft.com.
MSE began shipping last September as a free replacement for Microsoft's ill-fated Live OneCare package, which the company had charged for, but discontinued last year after lackluster sales.