Fake Microsoft Installer Leads to Malware, Support Call Scam

Malware that uses a fake but realistic looking Windows message to convince users it’s a Microsoft Security Essentials installer has been making the rounds through drive-by download attacks, experts warn.

If installed, the malware triggers a phony blue screen of death (BSoD) window that warns users their “PC ran into a problem.” To remedy the issue, the malware encourages users to call a support number, which could lead to further infections, according Microsoft.

Malware that tricks users into thinking they need to call technical support isn’t revolutionary, but is on the rise, according to experts at Microsoft, who discovered this particular threat, which it calls Hicurdismos.

The company began warning about the malware, which surfaced last week, in a blog entry at its Malware Protection Center last Friday.

According to MMPC researchers Francis Tan Seng and Alden Pornasdoro, a user would have to bypass warnings that pop up on both Internet Explorer and Edge in order to download the malicious .exe file. Once on the system, the file sports the same blue castle logo that Microsoft’s Security Essentials uses however, which could further deceive users into installing the malware.

hic4

As soon as the executable file is run, the malware hides the mouse cursor, disables Task Manager and displays a fake BSoD image.

Microsoft warns that calling the fake support number could either lead to the installation of further malware, or the installation of software intended to fix a problem that doesn’t exist. When reached Monday – the number is still connected – a voice on the other end of the phone insisted the number was a “Microsoft-certified support company” but wouldn’t provide any information about where it was located or what its name is.

As Tan Seng and Pornasdoro point out, a legitimate blue screen of death screen include an error code so users can search for more help and never include a phone number. Victims are encouraged to report incidents involving the malware to Microsoft and the Federal Trade Commission.

For many current Windows users Security Essentials hasn’t been relevant in quite some time. The software was an antivirus solution that Microsoft bundled with Windows 7 in 2009 but discontinued with Windows 8 and 10.

Microsoft ships Windows Defender, replacing Security Essentials in Windows 8 and 10. Still,  that may not stop some users from thinking they still need to download and install this fake version, Tan Seng and Pornasdoro claim. The error message that Hicurdismos displays mimics the same error message that Windows 8 and 10 displays, something else that may trick users.

Malware purporting to be legitimate Windows software has become a bit of an institution over the years. A strain of ransomware, Fantom, was discovered two months ago masquerading as a fake critical Windows update. The malware, based on the open source EDA2 ransomware project, encrypted victims files under the guise of a fake update screen. The ransomware duped users by saying it was “configuring critical Windows updates” while it displayed a spinning counter that ticked off percentage points as it encrypted files.

Last summer, shortly after Windows 10 was released, attackers began launching spam and phishing email campaigns around the operating system. Victims received messages claiming users could upgrade to Windows 10 for free. Those who downloaded the malicious .zip archive were ultimately hit with CTB-Locker ransomware and had their files encrypted.

The FTC took aim at shady tech support organizations two years ago, shuttering a handful of services which used software to trick users into thinking their computers were broken. That particular scam depended on consumers downloading software that boasted it would enhance a computer’s performance or security. Consumers would have to call a number where additional bogus software would later be pushed.