
New malware detects browser, shows fake malware warning page


2 September 2010



Microsoft is warning about a new piece of malware, Rogue:MSIL/Zeven, that auto-detects a user’s browser and then imitates the relevant malware warning pages from Internet Explorer, Firefox, or Chrome. The fake warning pages are very similar to the real thing; you have to look closely to realize they aren’t genuine. The ploy is a basic social engineering scheme, but in this case the malware authors are relying on the user’s trust in their browser, a tactic that hasn’t been seen before.

Beyond the warning pages, the actual malware looks like the real deal: it allows you to scan files, tells you when you’re behind on your updates, and enables you to change your security and privacy settings. Performing a scan results in the product finding malicious files, but of course it cannot delete them unless you update, which requires paying for the full version. Attempting to buy the product will open an HTML window that provides a useless “Safe Browsing Mode” with high-strength encryption. To top it all off, the rogue antivirus webpage looks awfully similar to the Microsoft Security Essentials webpage; even the awards received by MSE and a link to the Microsoft Malware Protection Center have been copied.

While the malware is a pretty good attempt, it’s not perfect. The goal is to get the user to download and install something, shelling out some cash in the process, which none of the three browser vendors would ever recommend. The Firefox warning page, meanwhile, has an obvious typo (“Get me our of here”). In addition, it’s suspicious that a webpage is going out of its way to tell you it is protecting your purchase. It’s also not hard to check that the supposedly detected files do not actually exist on the user’s computer. All of these missteps should raise red flags immediately; having said that, we have not seen this level of detail and effort from the bad guys before.

Malware progress

Just two years ago, a fake malware warning page and a fake antivirus looked like this:

Now, we’ve got a much more believable malware warning that changes based on which of the top three browsers you are using (compare Internet Explorer, Firefox, and Chrome):

We have a full-blown webpage that tries to sell a fake antimalware product and rips off Microsoft’s own offering:

Finally, here’s the fake antimalware product which uses various Microsoft security icons:

Malware authors have come a long way recently and this latest effort is worrying because even informed users can easily be tricked by something like this. Thankfully, there’s a universal rule that still applies: don’t download something simply because a webpage says you should.
