Microsoft is warning that a sophisticated new piece of malware can fool users into clicking on it because it copies the UI and appearance of the official security alerts presented by Firefox, Chrome, or Internet Explorer. The malware, called Rogue:MSIL/Zeven, detects which browser a user is running and then displays a warning message prompting the user to scan for viruses and threats. The end goal is to get the user to pay for a removal tool after the malware reports that it has detected a threat or vulnerability on the user’s system.
The malware first presents a dialogue box that looks official enough to get users to click on it. After that, it disguises itself as an official Windows tool, allowing users to download security and system updates, change preferences, and scan the computer. It then displays a false threat alert listing files that the program says it cannot remove without the aid of a paid malware removal tool, and asks the user to purchase that tool. In reality, the files that were supposedly detected never existed on the user’s computer to begin with; the whole ploy is to get payment.
According to ArsTechnica, “Attempting to buy the product will open an HTML window that provides a useless ‘Safe Browsing Mode’ with high-strength encryption. To top it all off, the rogue antivirus webpage looks awfully similar to the Microsoft Security Essentials webpage; even the awards received by MSE and a link to the Microsoft Malware Protection Center have been copied.”
There are some simple ways to spot that this tool is not legitimate and is malware in disguise. First, neither Chrome, Firefox, nor Internet Explorer would ask users to purchase a malware removal tool. Second, Firefox users will notice a glaring typo in one of the dialogue boxes, which reads, “Get me our of here.” ArsTechnica also notes that the malware really goes out of its way to say that it is “protecting your purchase.”