Wednesday, February 24, 2010

How To Remove: Security Essentials 2010

Security Essentials 2010 (SE2010.exe) is a new rogue application which usually arrives as a file dropped by a Trojan or downloaded from the internet. It employs the same techniques as Internet Security 2010…then again, said techniques have proven effective before, so why fix what is not broken?

Without being asked, SE2010 scans the infected computer and displays a list of threats supposedly present in the system. Note that the list is fake and the files do not really exist.


It displays several fake alert messages and warnings to persuade the user into buying the full version of the application.


Aside from the annoying pop-ups and alert messages, it will not allow users to run any applications, legitimate or not. Instead, it displays a message stating that the application is infected and that the only way to execute the affected application is to purchase the product!

It must be clear that SE2010 should be removed from the infected machine, as it only imitates a legitimate antispyware program, not to mention the endless annoying pop-ups and messages. Please follow the manual removal instructions provided below:


Tuesday, February 23, 2010

SEO Poisoning scores a goal at the 2010 Winter Olympics

The hockey games at the 2010 Winter Olympics are well under way and SEO poisoning attacks abound! Hockey enthusiasts turning to the Internet in search of game schedules are in for quite a surprise, as cyber-criminals are quick to ensure that their malicious websites appear in the top Google search results.


Redirection
Unsuspecting users who click on the malicious search results are redirected to a fake My Computer online scan page. This is where the bad guys attempt to 'scare' their way into the user's computer.

Fake My Computer online Scan

Message displaying false detections on the user's computer


Navigating Away
Users attempting to manoeuvre away from the malicious website are presented with the following message and are left with very little choice:

Countermeasure Against the Good Guys
Malware researchers often share URLs with each other as a way of spreading the news, warning others and preventing further infection. But the bad guys behind this attack are smart enough to devise a countermeasure: the URLs alone are no longer enough to replicate the attack. Entering the URL directly in the browser simply redirects the user to the CNN website.

CNN Website


Download
The fake My Computer online scan page ultimately offers a solution in the form of an installer for the fake antivirus software called Security Antivirus.

File Download

The Works
As with other fake security software, Security Antivirus displays a decent graphical user interface to give its victims that warm fuzzy feeling of installing legitimate software that will protect their computer.

As mentioned in a previous post, Security Antivirus is a clone of Live PC Care, Windows Security Suite, and Windows System Suite.

Installation

Fake Scans

Annoying Pop ups


Since unsuspecting users would want to remove all the purported detections found on their machine, Security Antivirus requires activation. And for a lifetime subscription, victims would have to say goodbye to a hefty $89.95 of their hard-earned cash.

Activation

License Selection

Credit Card Payment

Entering credit card details here seals the deal. But there's no stopping the bad guys from abusing the information they have collected.

If you have been a victim of this attack, immediately contact your credit card company to get your money back and to make sure there will be no future unauthorised charges.

Also, when searching for information relating to the Winter Olympics, it is always a good idea to turn to reputable sources like news networks and, of course, the official 2010 Winter Olympics website.

Monday, February 22, 2010

Rogues on Winter Olympics' Playing Field

Another hot topic circulating around the internet is the Winter Olympics, and search engine hits soared when news of the death of the 21-year-old luger Nodar Kumaritashvili broke. Malware writers were quick to take advantage of this news to infect computer users browsing for updates. They also use the current medal count at the Olympics as a lure.
Moreover, the malware samples found during previous hot events (such as the Haiti earthquake, Twilight and the Super Bowl) were all the same kind of rogue AV seen now: the same family, the same setup and the same characteristics. It seems that they run these campaigns in an automated way, attaching hot keywords so that search engines point users to the malicious websites where the malware is hosted.

OLYMPIC LUGER’S DEATH
The death of a luger at the Winter Olympics prompted the rogue AV writers to use the event as an infection vector, especially once the actual video of his death was released.

Search result for luger’s death. Clicking the search result (in red box) would redirect to RogueAV

Internet users looking for updates on this news will unknowingly visit one of these malicious sites. A series of redirections follows until the user is shown fake AV pop-ups enticing them to download the malicious installer file.

WINTER OLYMPIC’S MEDAL STANDING

Another topic malware writers take advantage of while the Winter Olympics are ongoing is the medal standings of the participating countries. They use keywords such as “Medal Count”, “Olympic medal count” and “Olympic standing” in order to be included in search results and infect users.

Search result for Winter Olympic Medal Standings. Clicking the search result (in red box) would redirect to RogueAV.

Unaware users looking for medal standings will unknowingly visit one of these malicious sites. Visiting these malicious URLs downloads the rogue AV and floods the user’s computer with annoying pop-ups.

REDIRECTIONS

Upon clicking the malicious link, the user goes through a series of redirections and is shown various enticing pop-up messages or web pages prompting them to click and download a malicious file.

Pop-up messages telling that the user's machine is currently infected:


Pop-up messages posing as media player:



The URLs used in these redirections are constantly changed to ensure that the rogue AVs remain reachable from every malicious search result and to avoid being blocked by legitimate antivirus vendors.

Download

As of this writing, there are two rogue AVs that can infect the user’s computer. One is Security Antivirus and the other is Security Tool (which has been a constant download throughout the previous rogue AV SEO campaigns as well).
  • Security Antivirus file to be downloaded: packupdate_build<1-3>_<1-3>.exe
  • Security Tool file to be downloaded: install.exe or player_update.exe

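
As an added example (not from the original post), the following Python script flags completed downloads of the installer filenames listed above in web proxy logs. The log format and the sample lines are constructed for illustration; the filename patterns come from the post, and the generic names used by Security Tool are deliberately scored low because legitimate software uses them too.

```python
import re
from urllib.parse import urlsplit

# Filename patterns from the post. Security Antivirus arrives as
# packupdate_build<1-3>_<1-3>.exe, Security Tool as install.exe or
# player_update.exe. The latter names are generic, so they only rate "low".
RULES = [
    (re.compile(r"^packupdate_build[1-3]_[1-3]\.exe$", re.I), "Security Antivirus", "high"),
    (re.compile(r"^(?:install|player_update)\.exe$", re.I), "Security Tool", "low"),
]

# Assumed (constructed) proxy log format: <timestamp> <client-ip> <method> <url> <status>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_download(url):
    """Return (family, confidence) when the URL's file name matches a rule, else None."""
    filename = urlsplit(url).path.rsplit("/", 1)[-1]  # query string is ignored
    for pattern, family, confidence in RULES:
        if pattern.match(filename):
            return family, confidence
    return None


def scan_proxy_log(lines):
    """Return one hit per completed (HTTP 200) download whose file name matches a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group(5) != "200":  # skip malformed lines and failed fetches
            continue
        verdict = classify_download(m.group(4))
        if verdict:
            hits.append({"time": m.group(1), "client": m.group(2),
                         "host": urlsplit(m.group(4)).hostname,
                         "family": verdict[0], "confidence": verdict[1]})
    return hits


# Constructed sample log; hosts use the reserved .invalid TLD, not real indicators.
SAMPLE_LOG = [
    "2010-02-22T10:15:01 10.0.0.5 GET http://medal-count-news.invalid/packupdate_build2_1.exe 200",
    "2010-02-22T10:15:09 10.0.0.5 GET http://medal-count-news.invalid/packupdate_build4_9.exe 200",
    "2010-02-22T10:16:44 10.0.0.7 GET http://luge-video-update.invalid/player_update.exe?id=7 200",
    "2010-02-22T10:17:02 10.0.0.9 GET http://www.example.com/schedule.html 200",
    "2010-02-22T10:18:30 10.0.0.9 GET http://updates.example.com/install.exe 404",
    "2010-02-22T10:18:31 10.0.0.9 GET http://updates.example.com/install.exe 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```
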
Execution

Security Antivirus

It comes as perfectly legitimate-looking antivirus software enticing the user to download and purchase it. Looking further, we can say that it is a clone, or a member of the same family, of the rogue AVs called Live PC Care, Windows Security Suite, and Windows System Suite. Upon execution of the downloaded sample, installation takes place. It displays a welcome message before installation and then runs in the background producing annoying pop-ups. It also tries to stop the execution of all legitimate AV executables through registry modification.

Installation

Main Window

Security Tool

Upon execution of the downloaded sample, installation takes place. It silently drops a copy of itself under a randomised filename and adds a registry autorun key so that it executes automatically on boot. The user only learns that an installation has taken place when a message box appears saying that Security Tool was successfully installed.
As with other rogue AVs, it silently runs in the background and produces annoying fake AV messages. It is also able to prevent legitimate files from executing when the user tries to run them.


Friday, February 19, 2010

Porntube Anyone? Bonus Scareware!

Porn clips are everywhere! But then again, rogue antivirus software is everywhere too.

The fake video codec tactic targets unsuspecting users wanting to view the adult videos purportedly hosted on the malicious website:

hxxp://porntube2000.com

Clicking on one of the thumbnails presents a video player window with the error message "Video ActiveX Object Error". The message asks the user to install a new version of Video ActiveX Object, which is actually an installer for Security Tool posing as a fake video codec.


This page also shows the following message boxes when the user tries to move away from the malicious website, and basically does not allow the user to select Cancel.

Downloading and installing the presented file install.exe installs Security Tool on the affected computer.

Users of infected machines will have to deal with these annoyances:

Unsuspecting users pay a hefty price of $79.95 for a lifetime software license. Ouch!

Friday, January 22, 2010

Social Engineering Tactics Promote "Miracle" Berries

I received an unlikely Yahoo! IM from a long-time friend with whom I had not been in contact for quite some time.

At first I thought, wow, this would be a good time to catch up.

She buzzed me and asked me if I was busy, then gave me a URL to try out very quickly and tell her what the results tell me.

Well, here's the screenshot:


The link was: hxxp://freakyloverresults.com

At this time I was already suspicious about the whole thing. So I tried out the link in a controlled environment. There was a series of redirections and my browser ended up at:

hxxp://www.acaipowermax.com


It seems that whoever I was talking to was not my friend (possibly a bot). She might have been a victim of a phishing scam, and her Yahoo! IM account was being used as part of this social engineering tactic in order to execute the Acai Berry spam which has been bugging people for ages.

This one was relatively harmless, as the whole exercise was just another form of spam. But as always, I would like to remind everyone to be careful about clicking links, even if they come from people you know.

Monday, December 7, 2009

Fake codec used by porn site

Here's another porn site distributing malware under the guise of video codecs:

hxxp://adultsvideo.cn/

Unsuspecting users wanting to view the adult videos are tricked into downloading and installing the fake codec.

The fake codec can be downloaded from this url:

hxxp://freebigutilites.com/ActiveX-Video-Codec.45092.exe

The server spits out files that have different MD5s each time.

ThreatExpert report here

Update:

Here's another site that purports to host "Free Full Lenght Movie" porn clips and uses fake video codecs to lure unsuspecting users into downloading and installing its rogue antivirus software:

hxxp://freeanalsextubemovies.com/video1483/porn/

Clicking anywhere on the video screen area gives us the following link to a file named video.exe:

hxxp://homeamateurclips.com/video/video.exe

This is fake antivirus software from the Security Tool family of fake AVs.

Tuesday, November 3, 2009

MaCatte scareware fools users by masquerading as McAfee


MaCatte Antivirus is a rogue AV that attempts to impersonate McAfee scanners in order to scam users.

This scareware has been seen to be using a bogus My Computer online scan similar to ones we've seen here, here and here.


The online scan can be seen on this url:

hxxp://proscan5.info/25/26-088wLzQzL1EzL==

The downloader being served from this URL is time-sensitive and will not work after a period of time. A session ID of some sort is embedded in the binary executable itself. After that time has elapsed, the downloader tells the user to contact MaCatte Antivirus support. This prevents reverse-engineers from replicating the infection and gathering samples for analysis.

The presence of these files / folders would signal infection by this scareware:
C:\Documents and Settings\All Users\Application Data\msca
C:\Documents and Settings\All Users\Application Data\msca\MaCatte.ico
C:\Documents and Settings\All Users\Application Data\msca\mcull.exe
C:\Documents and Settings\All Users\Application Data\msca\msc.exe
C:\Documents and Settings\All Users\Application Data\msca\Viruses.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Media\WPtect.dll
C:\Documents and Settings\All Users\Desktop\MaCatte.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\MaCatte
C:\Documents and Settings\All Users\Start Menu\Programs\MaCatte\MaCatte.lnk
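
As an added example (not from the original post), this Python snippet checks a drive for the artifacts listed above and reports which are present, calling out WPtect.dll separately because it lives outside the msca folder and would survive a folder-only cleanup. The paths are the post's; the default drive root and the fake infected tree used for offline testing are assumptions.

```python
import os
import tempfile
from pathlib import Path

# Artifact paths from the post, relative to the system drive (Windows XP layout).
MACATTE_ARTIFACTS = [
    r"Documents and Settings\All Users\Application Data\msca",
    r"Documents and Settings\All Users\Application Data\msca\MaCatte.ico",
    r"Documents and Settings\All Users\Application Data\msca\mcull.exe",
    r"Documents and Settings\All Users\Application Data\msca\msc.exe",
    r"Documents and Settings\All Users\Application Data\msca\Viruses.dat",
    r"Documents and Settings\All Users\Application Data\Microsoft\Media\WPtect.dll",
    r"Documents and Settings\All Users\Desktop\MaCatte.lnk",
    r"Documents and Settings\All Users\Start Menu\Programs\MaCatte",
    r"Documents and Settings\All Users\Start Menu\Programs\MaCatte\MaCatte.lnk",
]

def find_macatte_artifacts(drive_root=None):
    """Return the listed artifacts that exist under drive_root (default: %SystemDrive%)."""
    if drive_root is None:
        drive_root = os.environ.get("SystemDrive", "C:") + "\\"
    root = Path(drive_root)
    # Split on backslashes ourselves so the check also runs on a non-Windows analysis box.
    return [rel for rel in MACATTE_ARTIFACTS if root.joinpath(*rel.split("\\")).exists()]

def assess(drive_root=None):
    """Summarise the scan: any artifact means infection; WPtect.dll sits outside the
    msca folder, so flag it separately as the piece a folder-only cleanup would miss."""
    found = find_macatte_artifacts(drive_root)
    return {
        "infected": bool(found),
        "found": found,
        "dll_outside_msca": any(rel.endswith("WPtect.dll") for rel in found),
    }

def build_sample_tree(infected=True):
    """Construct a temporary fake drive for offline testing (constructed, not a real host)."""
    root = Path(tempfile.mkdtemp())
    if infected:
        # Mimic a half-cleaned machine: the msca folder is gone but the DLL and shortcut remain.
        for rel in (MACATTE_ARTIFACTS[5], MACATTE_ARTIFACTS[6]):
            p = root.joinpath(*rel.split("\\"))
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"constructed placeholder")
    return str(root)

if __name__ == "__main__":
    print(assess(build_sample_tree()))
```
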


Unsuspecting users are set back a hefty $99 of their hard-earned money.

Stay away from these rogue apps.