Tuesday, October 21, 2008

New Ransomware Emerges With Fake Windows Security Center

Last week Computer Associates posted details on their blog about a new trojan that mimics (very accurately) the actual Windows Security Center and holds computers hostage demanding users pay for an application to remove the virus.

Much like older versions previously seen, the newest version of this ransomware is installed by a trojan and falsely warns the user of non-existent infections (the true infection is the fake Security Center). The infection runs as the process seccenter.exe, which launches the fake security center interface. The malicious file is located at c:\windows\system32\seccenter.exe. A complementary process runs from c:\windows\system32\drivers\lssas.exe. The infection alters registry settings that control a variety of critical system settings, such as the proxy settings under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\, where ProxyEnable is set to the value data "0x0".

The “security center” repeatedly nags the user to download “WinDefender 2008” by blocking outgoing Internet connections, opening a security bar like the one below, and preventing web pages from loading properly. By limiting the user’s Internet connection to little more than downloading WinDefender 2008 (win-defender(DOT)com/export/shield.php), the infection prevents the user from downloading a legitimate anti-malware product to remove it. This is not a new technique: past infections have blocked users from updating their anti-malware products or connecting to legitimate security sites. This infection returns a ‘the page cannot be displayed’ error, and on that page a link to WinDefender 2008 is also displayed.

The infection channels infected users toward downloading WinDefender and hopes the user finds the process legitimate enough to cough up $40.00 for the fake software. If hit with this nasty little piece of spyware, don't visit their site, and please don't pay a ransom to get your computer fixed. Use your favorite anti-malware software; Spybot Search & Destroy, Ad-Aware or SmitFraudFix should be able to remove the infection.
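As an added example (not code from this post or from Computer Associates), here is a Python triage script that checks a host snapshot for the indicators the post lists: the two file paths, the ProxyEnable value under Internet Settings, and web requests to the download host. It also flags process names that are one edit away from a genuine Windows process name, because lssas.exe imitates the real lsass.exe. The list of genuine process names, the baseline registry values and the sample process list, registry dump and proxy log are all constructed assumptions for the example. ProxyEnable is compared against a known-good baseline rather than tested for a fixed value, since a value of 0 is also the normal state of a machine that uses no proxy.

```python
"""Triage checks for the fake "Windows Security Center" rogue described in the post.
Indicator values (file paths, process names, registry key/value, download host) come
from the post; process list, registry dumps and proxy log below are constructed."""
from dataclasses import dataclass
import re

# Indicators taken from the post
IOC_PATHS = {
    r"c:\windows\system32\seccenter.exe",
    r"c:\windows\system32\drivers\lssas.exe",
}
IOC_HOST = "win-defender.com"  # written win-defender(DOT)com in the post
IOC_REG_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
IOC_REG_VALUE = "ProxyEnable"

# Genuine Windows process names that rogues imitate (general knowledge, not from the post)
LEGIT_NAMES = {"lsass.exe", "csrss.exe", "svchost.exe", "services.exe", "winlogon.exe"}


@dataclass
class Process:
    pid: int
    name: str
    path: str


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment edit distance: insert, delete, substitute, plus one
    adjacent transposition, so 'lssas.exe' is one step away from 'lsass.exe'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_processes(procs):
    """Flag processes running from a known-bad path, and names one edit away
    from a genuine Windows process name (the lssas.exe / lsass.exe trick)."""
    findings = []
    for p in procs:
        if p.path.lower() in IOC_PATHS:
            findings.append(("ioc_path", f"pid {p.pid} {p.path}"))
        name = p.name.lower()
        for legit in LEGIT_NAMES:
            if name != legit and osa_distance(name, legit) == 1:
                findings.append(("lookalike_name", f"pid {p.pid} {p.name} resembles {legit}"))
    return findings


def check_registry(current, baseline):
    """Report a ProxyEnable value that differs from the known-good baseline."""
    now = current.get(IOC_REG_KEY, {}).get(IOC_REG_VALUE)
    ref = baseline.get(IOC_REG_KEY, {}).get(IOC_REG_VALUE)
    if now != ref:
        return [("proxy_setting_changed", f"{IOC_REG_VALUE}: {ref!r} -> {now!r}")]
    return []


HOST_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)


def check_proxy_log(lines):
    """Report requests whose host is the rogue's download host or a subdomain of it."""
    findings = []
    for line in lines:
        for host in HOST_RE.findall(line):
            host = host.lower()
            if host == IOC_HOST or host.endswith("." + IOC_HOST):
                findings.append(("rogue_download", line.strip()))
    return findings


def triage(procs, registry, baseline, proxy_log):
    """Run every check and return the combined list of (category, detail) findings."""
    return check_processes(procs) + check_registry(registry, baseline) + check_proxy_log(proxy_log)


# Constructed sample snapshot of an infected host
SAMPLE_PROCESSES = [
    Process(4, "System", ""),
    Process(620, "lsass.exe", r"c:\windows\system32\lsass.exe"),
    Process(1440, "seccenter.exe", r"c:\windows\system32\seccenter.exe"),
    Process(1512, "lssas.exe", r"c:\windows\system32\drivers\lssas.exe"),
]
SAMPLE_REGISTRY = {IOC_REG_KEY: {"ProxyEnable": 0x0, "ProxyServer": ""}}
BASELINE_REGISTRY = {IOC_REG_KEY: {"ProxyEnable": 0x1, "ProxyServer": "proxy.corp.example:8080"}}
SAMPLE_PROXY_LOG = [  # constructed proxy log lines
    "2008-10-14 09:12:01 10.0.0.5 GET http://www.example.com/ 200",
    "2008-10-14 09:12:07 10.0.0.5 GET http://win-defender.com/export/shield.php 200",
]

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_PROCESSES, SAMPLE_REGISTRY, BASELINE_REGISTRY, SAMPLE_PROXY_LOG):
        print(f"{category:22} {detail}")
```

Against the constructed snapshot the script reports both known-bad paths, the lssas.exe lookalike, the changed ProxyEnable value and the shield.php download; on a real host the process, registry and proxy-log inputs would come from the endpoint and the web proxy.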

For more details and screenshots, visit the Computer Associates blog.
