
Fake Microsoft Security Essentials warnings

CORed (Penultimate Amazing; joined Dec 12, 2008; 10,633 messages; Central City, Colorado, USA)
I've run into (I think) two of these in the last week or so. I bit on the first one (if that's what it was). The first time, I followed a link from slashdot, and got a malware warning from Microsoft Security Essentials. At least, that's what I thought it was. I clicked the button to remove infection, got a prompt to reboot, and immediately after rebooting started getting warnings about hard drive failure from a program called "Smart HDD". I immediately recognized these warnings as fake, as I had never (intentionally) installed this program.

I didn't do too much more before getting rid of this crap, but a little investigoogling revealed that the "Smart HDD" was a bit of extortionware which tries to induce you to pay for an "upgrade" to "fix" the fake hard drive errors. The account I was using was a non-administrator account (Windows XP). I was able to reboot, log in to an administrator account, which was not infected, and MSSE (the real one) identified and removed the infection.

The one thing this crap did that was more than a bit annoying was to set the "hidden" and "read only" attributes on every file and folder to which the account it was installed under had access, as well as turning off the "show hidden files" setting in Explorer, making it appear at first glance that all of these files were gone. It didn't take me too long to fix the problem, since Explorer, if you right click on a directory and turn off those attributes offers the option of applying the change to all subfolders and files. As malware goes, this was pretty easy to get rid of (might have been harder to get rid of if installed from an Administrator account), but I was still mystified as to how I acquired the infection in the first place, until a couple of days ago, I again got a MSSE warning dialog after following a link from a Google search result, almost clicked on the "remove infection" button, then noticed that the thing was dead center in the browser window, and moved with it when I moved or scrolled the browser window.

I have no doubt that had I clicked the button, I would have acquired the same (or some other) malware infection again (probably clicking anywhere in the image would do it). The damn thing is a very good copy of the real Microsoft Security Essentials dialogs, and I'm now 99% sure that this is how I got the damn malware before. Most likely it's an image made from a screen print of the real thing embedded in the web page. I'm an IT professional, and pretty knowledgeable about keeping garbage off my computer, but I fell for this one.
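An added example, not from the thread or any of its posters: a PowerShell script that reverses the attribute tampering described above for one user profile and restores Explorer's "show hidden files" setting. The profile path and the list of legitimately hidden files it skips are assumptions; it does not remove the malware itself and should be run from a clean administrator account after cleanup.

```powershell
# Added example (not from the thread). Clears the Hidden and ReadOnly
# attributes the scareware set on every item under one profile, then turns
# Explorer's "show hidden files" back on for the affected user.
param(
    [string]$ProfileRoot = 'C:\Documents and Settings\victim',  # assumed XP-era path
    [switch]$DryRun                                              # report only, change nothing
)

# Files Windows keeps hidden on purpose; leave their attributes alone (assumed list).
$keepHidden = @('desktop.ini', 'ntuser.dat', 'ntuser.dat.log', 'ntuser.ini', 'thumbs.db')

# Bit mask of the two attributes the malware set.
$mask = [int][IO.FileAttributes]::Hidden -bor [int][IO.FileAttributes]::ReadOnly

# -Force is required so Get-ChildItem enumerates the now-hidden items at all.
$items = Get-ChildItem -LiteralPath $ProfileRoot -Recurse -Force -ErrorAction SilentlyContinue
$fixed = 0
foreach ($item in $items) {
    $attrs = [int]$item.Attributes
    # Skip junctions/symlinks so we never follow them, and skip the allow-list above.
    if ($attrs -band [int][IO.FileAttributes]::ReparsePoint) { continue }
    if ($keepHidden -contains $item.Name.ToLower()) { continue }
    if (($attrs -band $mask) -eq 0) { continue }   # nothing to clear on this item

    if ($DryRun) {
        "Would clear Hidden/ReadOnly: $($item.FullName)"
    } else {
        $item.Attributes = [IO.FileAttributes]($attrs -band (-bnot $mask))
    }
    $fixed++
}
"Hidden/ReadOnly cleared on $fixed item(s) under $ProfileRoot"

# Explorer stores the "show hidden files" choice per user: Hidden=1 shows them,
# Hidden=2 hides them. Run this part while logged in as the affected user
# (or after loading that user's hive under HKCU).
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
if (-not $DryRun) {
    Set-ItemProperty -Path $advanced -Name Hidden -Value 1 -Type DWord
    "Explorer 'show hidden files' re-enabled for the current user"
}
```

Run it first with -DryRun to review the list of items that would change, then without it; Explorer windows need to be reopened before the restored setting takes effect.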
 
I was wondering to my wife earlier today about what percentage of the World's PCs are unusable because of things like this that the ordinary user is incapable of fixing?

It can be quite a struggle even if you have considerable computer expertise or access to someone that has. I've known people who have just given up using their computer because it is "broken". :(
 
My mother got this on her computer a while ago, so I did a little searching on my computer and ended up downloading ClamWin Portable which is an antivirus designed to run from a USB flash drive.

The virus did manage to block it on my first attempt, but then I right clicked on the ClamWin executable, selected "run as administrator" and that worked. Cleaned it right out.
 
I was wondering to my wife earlier today about what percentage of the World's PCs are unusable because of things like this that the ordinary user is incapable of fixing?

It can be quite a struggle even if you have considerable computer expertise or access to someone that has. I've known people who have just given up using their computer because it is "broken". :(

Worst case, you can usually reformat and do a fresh OS install. Of course, if you don't have backups, you will lose your data. This one was actually taken care of by the real MSSE when I ran it as an administrator, but it isn't always that easy. I had a spyware infection several years ago that consisted of three executables, any one of which would generate the other two until all three were killed and deleted. It would also rewrite the registry entry to start the software on startup as quickly as I deleted it. I finally managed to get rid of it by killing processes that I didn't recognize running under my user ID, then deleting the executables.
 
Windows should be set up so that this sort of thing is impossible. Security should be built in, not an add-on.

MSSE is "Built in" to Windows. It was added a while back and is available free of charge through Windows Update.

This bit of Malware slipped by through an experienced user opening what appeared to be what they thought was a legitimate warning message. There isn't an anti-virus out there that can protect against users determined to start clicking on stuff. The best that you can do is jack up the settings on some AVs to have it ask anytime you try to open an executable and many users won't put up with that. You have to find a balance between usability and convenience.

This thread was just a heads up to others about what to watch out for in the future and what the fix was.
 
Windows should be set up so that this sort of thing is impossible. Security should be built in, not an add-on.
There's no technological solution to user stupidity. MSE is 'built in', but nothing really prevents people from being logged into their admin account 24/7 and hitting 'Yes' to everything.
 
Windows should be set up so that this sort of thing is impossible. Security should be built in, not an add-on.

How could Windows be set up in such a way? No insult intended to CORed but this was human error. (Never mind that it was Windows XP.)
 
I used to work using mainframe computers. Trying to put a virus in one of them, well it never was done. We had several different types of people involved in updating the software. There were the programmers. There were the people who moved the software to a place where they could be used. Then there were the people who used the software. They were all separate groups. Then there was the operating system. That was another area again. A change to any software could not happen unless everyone knew what it was. Each group checked what the other groups were doing. All this without any anti-virus software. Instead there are security programs that said who could do what to what.

But just because one person made a mistake that did not mean that an error of any type was put into the software. Such errors as what CORed made should be impossible even on a PC. The software should not allow it. Windows is getting better, but is still a long way short of what it can be.
 
I used to work using mainframe computers. Trying to put a virus in one of them, well it never was done. We had several different types of people involved in updating the software. There were the programmers. There were the people who moved the software to a place where they could be used. Then there were the people who used the software. They were all separate groups. Then there was the operating system. That was another area again. A change to any software could not happen unless everyone knew what it was. Each group checked what the other groups were doing. All this without any anti-virus software. Instead there are security programs that said who could do what to what.

But just because one person made a mistake that did not mean that an error of any type was put into the software. Such errors as what CORed made should be impossible even on a PC. The software should not allow it. Windows is getting better, but is still a long way short of what it can be.

So what you are saying is that when he wants to install some software a couple of teams of programmers and electronic engineers should come round to his house to do the installation. If not, then your anecdote would seem to be rather irrelevant in regards to the topic of this thread!
 
But just because one person made a mistake that did not mean that an error of any type was put into the software. Such errors as what CORed made should be impossible even on a PC. The software should not allow it. Windows is getting better, but is still a long way short of what it can be.

So how would that work? A user clicks on a button.

So how do you stop that?

What verification would that take? How would you stop this, by closing hyperlinks? By closing .exe files? By closing off Java and Flash?

By preventing users from installing applets and software?
 
I used to work using mainframe computers. Trying to put a virus in one of them, well it never was done. We had several different types of people involved in updating the software. There were the programmers. There were the people who moved the software...

I don't think anyone even thought of a virus back then. As you say there were teams of people doing checks on the mainframe which is clearly unworkable on a PC in someone's home.
 
I was wondering to my wife earlier today about what percentage of the World's PCs are unusable because of things like this that the ordinary user is incapable of fixing?

My ex in-laws used to stumble into this crap all the time.


Let us christen this "ripoff engineering", though it is also called "social engineering". However, this goes beyond the social manipulation aspect and delves into fractional percentages of victims.

Even if only 1% of the Internet population is stupid enough to click it, that's still millions of people nowadays, leading to huge profits before you loot-n-scoot.
 
MSSE is "Built in" to Windows. It was added a while back and is available free of charge through Windows Update.

This bit of Malware slipped by through an experienced user opening what appeared to be what they thought was a legitimate warning message. There isn't an anti-virus out there that can protect against users determined to start clicking on stuff. The best that you can do is jack up the settings on some AVs to have it ask anytime you try to open an executable and many users won't put up with that. You have to find a balance between usability and convenience.

This thread was just a heads up to others about what to watch out for in the future and what the fix was.


Ya know, for weeks, what appeared to be my Belkin router software was putting up a popup on boot about updating the firmware.


Their choices were "No" and "YES!" So I never clicked on it.
 
Windows should be set up so that this sort of thing is impossible. Security should be built in, not an add-on.

Actually, Red Hat tried something like that a few years ago. Their Fedora Core 2 release of Linux included something called SELinux, which is a set of kernel modules and policy files that describe limits on what any given process can do. The default policy in FC2 was "deny everything."

It basically made the release unusable.

Starting in FC3, the "deny everything" policy was replaced with a set of "targeted" policies, so named because they targeted various important processes such as the web server, the printer subsystem (CUPS), and the database engine (MySQL or Postgres), and left userland pretty much alone. Which means that even a properly installed Red Hat Linux system with SELinux enabled can still be affected by malware.
 
And not forgetting that when it is built in (even the security lite in Vista and Win 7) people moan that it's annoying/onerous because everything requires more clicks to open or use.

I really don't get the complaints about UAC in Vista and 7. For years, with XP, it has been my practice, on both work and personal machines (required at work, of course), to use accounts with administrator privilege only when I actually needed them. For the most part, I do this using the "Run as" option you get when you right click an executable or shortcut to one, rather than actually logging in as an administrator (usually Explorer or a command prompt).

Doing things this way requires you to enter the user ID and password of an administrator account when you want to run something as an administrator. In Vista or 7, you can log in as an administrator, and just click the confirmation when you need to do things that actually require administrative privileges, which is less burdensome than providing a user ID and password. Of course, it's more convenient to just do everything when logged on as an administrator in XP, or disable UAC in Vista or 7 (or Server 2008), but it leaves you wide open to malware. Because I was not running as administrator, the infection I got from my mistake was limited to the profile of that user. Had I been logged in as an administrator, it probably would have infected the entire system and been much harder to get rid of.
 
My point being that security could be a lot better than it is. For example, it is very difficult to get a virus on an iPad. If Apple can find a solution, so can Microsoft. Maybe not such a drastic one. See this article: Top 10 Fun Facts About iPad Security.
For example, you should be able to get a piece of software to think that it is the only thing running on the computer. Yes, it can use any hardware, but it cannot modify other software. Nor can it get access to most of the data on the computer. Security should not be 'just do this and everything will be OK.' It needs to be a part of everything. This is why it is so hard to explain it. Yes, Windows is getting better, but it is still a long way off.
 
Again though, you can improve your jailing and chrooting and antivirus and firewalling as much as you like; if something requires elevated privileges and you require user interaction to do so, it's going to get taken advantage of. Technological security innovation is no match for human stupidity :).