A New Spin on Rogue Antivirus

Rogue antivirus malware is on the decline, but a new, simpler version of that threat that simply redirects users to the site of a fake malware protection service has been infecting users around the world.

Rogue antivirus was once the scourge of the Internet, and while this sort of malware is not entirely extinct, it’s fallen out of favor among criminals as users have become more aware and security products have gotten better at blocking the threat.

Image via TechNet

Image via TechNet

However, Daniel Chipiristeanu, an antivirus researcher at the Microsoft Malware Protection Center (MMPC), claims that a simpler, and primarily browser-based, version of the fake antivirus scheme has proven more effective in recent months.

The MMPC says that once a user machine is compromised by once such piece of malware, Rogue:Win32/Defru, it blocks users from browsing to a long list of popular websites on the Internet and instead presents an image familiar to anyone who’s dealt with rogue antivirus in the past.

“When the user is browsing the Internet, the rogue will use the hosts file to redirect links to a rather infamous specific fake website (pcdefender.<removed> IP 82.146.<removed>.21) that is often used in social engineering by fake antivirus malware,” Chipiristeanu explained on Microsoft’s TechNet blog.

Image via TechNet

Image via TechNet

While the user will see the above image in their browser window, the URL in the address bar will be that of the website the user intended to visit in the first place. In other words, the malware quietly redirects the user to a new website, but the address bar does not reflect that movement. If the user tries to access another website, the threat follows. The message reads:

Detected on your computer malicious software that blocks access to certain Internet resources, in order to protect your authentication data from intruders the defender system Windows Security was forced to intervene.”

The fake scanner shows users a long list of non-existent malware it claims to have found on the computer in question. Then it offers to clean the system for a fee. If the user clicks the “Pay Now” button, he will be redirected to a payment portal called “payeer.”

Image via TechNet

Image via TechNet

Chipiristeanu claims that paying the fee will not fix the problem.

At the moment, most of Defru’s victim-machines – as is indicated by language – appear to be located in Russia. The United States is a distant second to Russia with Kazakhstan following closely behind in third. The remaining infections are mostly in eastern European and Middle Eastern states with some infections in western Europe as well.

You can find the list of redirected sites with the detailed Defru malware information.

“The rogue is written in PHP, uses a PHP EXE compiler (Bambalam) and will copy itself to %appdata%w1ndows_<4chars>.exe (e.g. ‘w1ndows_33a0.exe’),” Chipiristeanu explains. “It persists at system reboot by adding itself to the registry key HKCUSOFTWAREMicrosoftWindowsCurrentVersionRun with the value ‘w1ndows_<4chars>’.”

“The user can clean their system by removing the entry value from the “run” registry key, delete the file from disk and delete the added entries from the hosts file.”

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.