{"id":6335,"date":"2017-01-23T15:50:25","date_gmt":"2017-01-23T23:50:25","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-173\/"},"modified":"2017-01-23T15:50:25","modified_gmt":"2017-01-23T23:50:25","slug":"news-173","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-173\/","title":{"rendered":"Beware of Hicurdismos: It\u2019s a fake Microsoft Security Essentials installer that can lead to a support call scam"},"content":{"rendered":"

Wouldn\u2019t it be a shame if, in trying to secure your PC, you inadvertently install malware and run the risk of being scammed<\/a>?<\/span><\/p>\n

We recently discovered a threat detected as SupportScam:MSIL\/Hicurdismos.A<\/a> that pretends to be a Microsoft Security Essentials<\/a> installer. Microsoft Security Essentials is our antimalware product for Windows 7 and earlier<\/a>. In Windows 10 and Windows 8, Windows Defender provides antimalware protection and is installed and enabled by default when Windows is installed. However, some users may believe they also need to download and install Microsoft Security Essentials.<\/span><\/p>\n

Hicurdismos<\/a> uses a fake Windows error message (sometimes called a \u201cblue screen of death\u201d, or BSoD) to launch a technical support scam. A real BSoD is a fatal error in which the screen turns blue and the computer crashes. Recovery from a BSoD error typically requires the user to reboot the computer.<\/span><\/p>\n

The fake BSoD screen includes a note to contact technical support. Calling the indicated support number will not fix the BSoD, but may lead to users being encouraged to download more malware under the guise of support tools or software that is supposed to fix a problem that doesn\u2019t exist.<\/span><\/p>\n

Interestingly, the fake BSoD screen used by Hicurdismos<\/a> mimics an error message used in Windows 8 and Windows 10, so users of these new Windows versions could also be at risk of being tricked by Hicurdismos<\/a>.<\/span><\/p>\n

The threat of technical support scams<\/a> has been around for years, but it\u2019s recently been observed to be growing. We\u2019ve seen attackers becoming more sophisticated with their social engineering tactics to try to mislead users into calling for technical support and then they are asked for payment to \u201cfix the problem\u201d on the PC that does not exist. Real error messages from Microsoft do not include support contact details. See the bottom of this blog for links and information on how to contact Microsoft Support.<\/span><\/p>\n

\"Hicurdismos<\/a><\/p>\n

Figure 1. Hicurdismos displays a fake BSoD message that has contact details for fake support. Note: The real messages do not include support contact details, nor when you call for support are you asked for payment.<\/em><\/p>\n

Hicurdismos<\/a> is an installer that arrives via a drive-by download<\/a>. SmartScreen Filter<\/a> in Internet Explorer and Microsoft Edge flags this threat using the below prompts cautioning the user to not run or save the malware:<\/span><\/p>\n

You will not get warnings like these when downloading and installing legitimate programs from Microsoft.<\/span><\/p>\n

If the malicious installer is downloaded on the computer, it mimics the real Microsoft Security Essentials installer by using a similar icon. However, closer inspection will reveal differences in the file properties, including the filename. Hicurdismos<\/a> uses the file name setup.exe<\/em>. <\/span><\/p>\n

\"Screenshot<\/a><\/p>\n

Figure 2. SmartScreen message notifying you about running an executable file that could harm your PC.<\/em><\/p>\n

\"A<\/a><\/p>\n

Figure 3. SmartScreen message notifying you that the program you are about to run hasn\u2019t been verified, and doing an extra check of whether you\u2019d still run it.<\/em><\/p>\n

\"The<\/a><\/a><\/p>\n

Figure 4. The <\/em>Hicurdismos<\/em><\/a><\/span> installer (right) attempts to mimic the icon of the real Microsoft Security Essentials installer (left), but file properties reveal that it is not the same.<\/em><\/p>\n

The file setup.exe<\/em> is a SmartInstaller package, which contains a malicious file that pretends to be Microsoft Security Essentials. Unlike the installer, the malicious file has the same file property information as the legitimate Microsoft Security Essentials executable: <\/span><\/p>\n

\"The<\/a><\/p>\n

Figure 5. The file property information of <\/em>Hicurdismos<\/em><\/a><\/span> has the same details as Microsoft Security Essentials.<\/em><\/p>\n

When run, the malware immediately renders the fake BSoD experience. To do so, it performs the following:<\/span><\/p>\n