Wednesday 16 January 2013

How to Remove Win 8 Security System



 

We came across a new rogue security program called Win 8 Security System a few days ago. It's been quite some time since we discussed rogue anti-virus software. The truth is there wasn't much to say about scareware apart from some slightly modified or extremely buggy pieces of malicious code that couldn't even load properly. Rogue security products are not completely gone yet, but are rather being replaced with ransomware. On the other hand, second opinion malware scanners confirm that rogue security programs are still the most widely spread threats, holding the top positions. What does that mean? Well, it means that most antivirus programs fail to detect rogue AVs, especially those that are obfuscated and re-packed very often, sometimes a couple of times a day.


So, Win 8 Security System is a rogue antivirus program that reports non-existent computer infections and tries to scare less computer-savvy users into paying for a completely useless antivirus solution. In most respects, it's a very typical rogue. Win 8 Security System is a very generic name too. The name suggests that cyber crooks would infect machines running Windows 8 rather than Windows XP or Seven. However, this rogue antivirus program works just fine on different versions of Windows.
 

 

Once installed, the rogue program pretends to scan the computer for malicious software. It manages to find a bunch of extremely dangerous and sophisticated malware on perfectly clean computers. The way it presents supposedly infected files would definitely put a smile on your face if you were a security expert. In order to remove the supposedly detected malware infections, the victim has to pay almost 100 bucks. That's probably the most expensive antivirus software you've ever seen.

The rogue antivirus program is configured so that it runs automatically when Windows starts. But that's not the biggest problem. Win 8 Security System has a rather complex self-protection mechanism. It drops a rootkit on the infected machine which monitors PC activity and blocks pretty much all attempts to terminate the rogue program or run legitimate antivirus software. This scareware doesn't block Task Manager or Registry Editor, but that changes nothing. You can't simply end the offending process and delete the associated files. Any attempt to end its process will trigger the following error message.


 

The file is locked and protected by the rootkit known as Rootkit.Win32.Necurs.gen. As a matter of fact, detection rates are amazingly low for this rootkit. Cyber crooks did a great job and apparently spent many hours fine-tuning this malware. What is more, the crooks made a different rootkit which works on 64-bit systems. It even has a valid certificate. Such a combination can be very successful, which means it's a long-term investment. We will probably see new variants of this malware soon, and that's not very exciting.

When running, Win 8 Security System displays fake security alerts and pop-ups, mostly claiming that your computer is infected with spyware and Trojans that can steal your sensitive information. Simply ignore those fake alerts. 

 
Furthermore, the rogue program displays a fake Security Center window claiming that your computer is not protected and encouraging you to purchase the full version of Win 8 Security System to protect your computer from malware attacks that exploit software vulnerabilities. For Windows Seven and Windows 8, the rogue program displays a fake Action Center window.

Last, but not least, the rogue program displays a fake Win 8 Security System ALERT in Internet Explorer, Mozilla Firefox, and Google Chrome. The fake web browser security alerts claim that the website you're about to visit is infected with malware. If you choose to continue surfing the web unprotected, you will be able to access the requested website, but only for a short period of time; then the fake warning message will appear again. Anyhow, it's still better than having no access to your web browser whatsoever.


Here's an example of the Win 8 Security System payment page. As you can see in the image below, cyber crooks added Comodo safe site graphics to make the payment page look more reliable and professional. Of course, the payment page is hardly safe. DO NOT pay for the bogus security program.

