Microsoft Released Security Essentials Antivirus, Malicious SEO Poisoning Comes Right After
Microsoft first released a public beta of its Security Essentials antivirus suite back in June and it was met with mostly positive reviews. Today Microsoft has released the final version of Security Essentials and anyone running Windows XP, Windows Vista, or Windows 7 can download it for free.
Microsoft Security Essentials offers basic antivirus, spyware, and malware protection. It also offers real-time protection and regularly updated malware signature files via Microsoft’s Dynamic Signature Service.
Since Microsoft Security Essentials provides the bare minimum protections for a Windows-based machine, other niceties such as a firewall and multi-PC management are not available. This should appease Microsoft’s competitors in the anti-malware software segment.
Microsoft Security Essentials replaces the Onecare offering and the free Defender installation standard on Vista installations. It will provide you with malware detection and removal ONLY. So do not rely on this as your one stop shop for security. It does not have the features and functionality that many of the AV vendors provide in their products. Think of this as the AV as it used to be in 2000 or so. Detect rates seem to be quite good according to testers reports.
Those who wish to try out the software can download it directly from the Microsoft Security Essentials website. The download requires that your PC pass Windows Genuine Advantage checks, so only legit Windows users will have access to the software.
Shortly after the release of Microsoft Security Essentials, Websense Security Labs has reported that search engine results related to Microsoft’s Security Essentials are returning links to Web sites that serve rogue AV.
Malware authors have used Search Engine Optimization (SEO) techniques to mix rogue search results in with legitimate results. For example, one of the rogue links is directly under a MSDN blog entry discussing Microsoft Security Essentials. The rogue redirects are hosted on compromised Web sites, including a Canadian publisher’s Web site and the British Travel Health Association.
When a user browses to the compromised Web sites, so long as they have been referred by a search engine, they are redirected to malicious Web sites with domain names such as computer-scanner21 and computervirusscanner31.
An example of one of the payload files shows that AV detection is low. One such file is named Soft_71.exe. If the user downloads the application, a file with extension .tif is downloaded in the “program filesTS” directory as TSC.exe and system.dat (the .tif file is decrypted/decompressed and split). The payload then executes “tsc.exe -dltest” apparently connects to a NASA Web site, to check internet connectivity. Finally, “tsc.exe” is executed with no parameters, and the rogue AV starts. (In the background the original file is deleted).
According to Websense, it appears that the malware authors set up a trial run of SEO poisoning techniques, before converting the redirects to deliver rogue applications today. Screenshot of Google search results:
Screenshot of rogue AV Web site:
Screenshot of download prompt:
Credit: DailyTech.com, SANS ISC, Websense Security Labs
More on CyberInsecure:
Posts
October 1st, 2009 at 12:34 am
hi
thanks for sharing this very helpful information.