By Andrew Brandt
A new Windows Update-themed stupid malware trick that’s making the rounds appears to be trying to capitalize on the recent frequency of “out of band” Windows patches Microsoft has been releasing lately.
The spy, which serves as nothing more than a vehicle for the fraudulent sale of a fake product called Antimalware Defender, so closely resembles a Windows Update installation dialog that some members of our threat research team who saw these files had to pause and look carefully at the dialog box before deciding it is, in fact, a big fat hoax. Even the Microsoft Knowledge Base article the dialog box references is a real KB article…though it has nothing to do with security.
The entire scam is facilitated through a nearly-1MB DLL file, which contains all the instructions required to display the fake popups from the System Tray, the fake Windows Update dialog box, and the fake antivirus “scan” window which appears when you play along with the app. The DLL appears when you visit certain Websites that push drive-by downloads at visitors.
As with real Windows Update dialog boxes, clicking the various hotlinked lines of text in the fakealert’s dialog box actually takes you to various other locations. For instance, the initial window that appears has a link labeled “Change automatic updates settings” that leads to the real dialog box where you would modify how your computer handles automatic updates. Another link leads to a real page on Microsoft’s Web site that provides very general information about malicious software.
If a user clicks the “Install now” button, the program doesn’t actually install anything. Instead, the spy kicks into a different mode, where it displays a window that purportedly shows some sort of antivirus scan (with the expected large number of bogus detections). The spy only writes a copy of itself (and, if you take the time to dig even deeper, a copy of its own help file) to the temp folder.
Once running, a victim is coerced into buying a “license” to this nonexistent product. The purchase process looks remarkably similar to dialog boxes generated during the online activation of Windows when you first install it.
The program displays the order form within its own user interface; The form is loaded from a secure Web site whose real source is hidden from view by the program’s UI.
It even tells curious victims to go to http://www.microsoft.com and search for Antimalware Defender if they remain suspicious. To satisfy my curiosity, I did. All I found were references on Bing to the rogue itself, calling it out as a fraud. I suppose the creators of this fraud assumed most victims would be mollified by references to Microsoft’s Web site alone, and would be too lazy to simply follow the instructions the criminal himself provided.
I pulled up some interesting details (shown above) about the IP address that my computer contacted to load the order form. It looks like this IP is being used for a number of these scams.
Identifying the file isn’t all that hard if you’re accustomed to using Task Manager or Process Explorer to watch what’s running on your PC. Unlike a real Windows Update session, these fake updates appear as a DLL running from the temp folder with the words “start worker” in the command line. Once you kill this process, you can empty your temp folder and be done with this nuisance.