June 29th, 2010

Defense center and a piece of luck

One of our users sent us a sample of rogue AV for analysis. He didn’t attach any further information and the binary was heavily obfuscated, so I decided to give it a shot inside a virtual machine. A virtual image of a clean (freshly installed) Win XP was used to run it, and this screen appeared:

Oooh, my clean OS is that heavily infected? Even well-known Windows libraries? Of course not! These “infected” files are randomly selected during the first run of the fake scan. The names of these files are stored in the registry to keep them constant between sessions. The intention of this rogue is absolutely clear-cut: the authors want to scare you and get your money for the paid version, which claims the ability to fix all the (fake) problems. They’re constantly nagging you with additional warnings, such as:

which is in fact pretty ridiculous, because the VM is fully disconnected from the network. Almost anything you click leads you to buy the product. Since my VM has never been connected to the internet, I started to think that I’m not a lucky guy and this famous product would always remain in demo mode. I was really, really sad, and in this unsettled state of mind I simply put my hands on the keyboard and accidentally pressed some keys (believe me, it wasn’t my will). My accidental touch of the keyboard generated this screen:

Doesn’t it look like an act of pure accident? Look, if a monkey can write Shakespeare’s plays (http://en.wikipedia.org/wiki/Infinite_monkey_theorem), why couldn’t I write this? When I noticed the text – defense@center.free – I pushed the “Activate” button, believing it must be something mystic (and I generally like the idea of free antiviruses). Defense center restarted itself.

Woooow, what a piece of luck! Awesome! Defense center seems to run in full mode now. Let’s click the ok button.

Fantastic! No more nags. All shields on, and there’s also a number for their live support. That’s definitely something worth trying. Now I’m really satisfied and I’ll probably suggest that the user who sent us the file keep this great software on his PC and activate it like I did.

Ok, without kidding – Defense center is a typical rogue software and its presence on your system is unwelcome. This article only describes what happens when you register such an application. To be honest – this rogue is not that aggressive and can be easily terminated from Task manager (and similar tools); however, it’s still a fraud and you should spend your money somewhere else.

  1. July 1st, 2010 at 15:11 | #1

    Hi Michal,

    Nice article to share with us and other users; it would be very useful information to share.

    And is it possible to describe how this malware works in terms of attacking the user on their machine?

    cheers,

  2. July 1st, 2010 at 17:44 | #2

    @yanto chiang
    We received the file without any context, but I expect a similar way to other rogues. Black SEO -> exploit/redir/iframe -> download -> run.

  3. Deborah
    July 1st, 2010 at 23:53 | #3

    Well, my laptop is infected with Defense Center. No, I didn’t install it. And Avast did not catch it. Avast isn’t even aware of it.

    I’ve used Malwarebytes.com to remove viruses, trojans, etc., but my laptop is still infected.

    Could you provide some steps to remove it from the machine?

  4. July 2nd, 2010 at 10:33 | #4

    @Deborah
    All samples of Defense center that arrived at our viruslab are detected as Win32:FakeAV-AMD [Trj]. Check whether your avast! and its virus definitions are up to date. Btw: I can suggest you to start a thread on our forums (http://forum.avast.com), which is a better place to solve such issues ;-)

  5. July 2nd, 2010 at 13:44 | #5

    Oh my god, look at the “registered” message, looks like they were in a hurry when they were writing the text :)

    Like these:
    “THANKS for purchasing and REGISTRATION Defense Center” – They couldn’t write a “Thank you”, and Registration could be “registering”
    “Do not use Defense CenterTOGETHER with other antivirus softwares” – missing “space” between the Center and the Together words

    And everyone can detect a rogue from its “skin”: all the rogue screens I saw had “Vista-like” backgrounds, buttons, the Windows Security warning’s images (on Vista or Win7 – or a bit modified) and some Windows images (“X” signs, question marks). Also, the “drawed” text has got some precision problems.

    Another thing: on the last image, you have ALL “protection” enabled but it keeps saying “Your computer is not protected”

    I haven’t had rogue AV on my system since I’ve got my computer, but I don’t want to “try” them out :)

    Thank you for informing us about this new “defense” :)
    Keep up the good work! ;)

  6. July 2nd, 2010 at 14:39 | #6

    @Hanziness
    They’re not native English speakers IMO, but I might be wrong.

    The last screenshot was taken before I clicked the “Remove threats” button in the main window; that’s the reason for the “unprotected” state. When I clicked the “Remove threats” button, the rogue started to simulate a disinfection (it tried to fool me with a “deletion” of system binaries, which in fact remained untouched) and after a reboot the “unprotected” message disappeared.

  7. July 3rd, 2010 at 10:39 | #7

    Oh, I understood :)
    Thank you

  8. mario
    July 4th, 2010 at 07:39 | #8

    @Michal Krejdl
    Hello, I know this comment is off topic and all, but help me. I need help on how to reset the notepad file on my computer for the WebShield settings so it doesn’t show any infected thing that is on the notepad file. Do I just delete the notepad file or what? Please help.

  9. July 5th, 2010 at 08:56 | #9

    Michal Krejdl :
    @yanto chiang
    We received the file without any context, but I expect a similar way to other rogues. Black SEO -> exploit/redir/iframe -> download -> run.

    Hi Michal,

    Thanks for your kindly information,

    cheers,
    yanto chiang

  10. spg SCOTT
    July 5th, 2010 at 20:58 | #10

    Did you try the phone number? :D

    Not having encountered the fake AV when installed myself, I have encountered those “you have been infected” sites…

    I’m on linux, browsing to a site I know is infected, when it tells me that my pc is infected, and it will scan it…All of a sudden, my linux VM has become windows, with a whole complement of trojans and such…It then had me download the install file for the scanner to install on my system…but alas it didn’t work…oh well, I’ll just stick with the infections… :D

  11. July 6th, 2010 at 06:59 | #11

    My other computer is infected. The virus freezes the system about 1/3 of the way through a thorough system sweep. (I’m using home user Avast.) Is there a way that I can direct my anti-virus sys. to do a sweep in the blue screen (before Windows is active)? I have a PC running windows 8, the latest version of Avast home edition. The computer in question has been down for 4 days. My daughter tells me that she received an e-mail warning about an infected “ADOBE” software update. Like the article about phony anti-virus programs, I too have fought with this “self-inflicting” solution.

  12. July 6th, 2010 at 10:34 | #12

    @spg SCOTT
    Nope, because no issues occurred since I registered the product – there’s no reason to call support :P :D

    BTW: if anyone could try it, it might be quite funny

  13. July 6th, 2010 at 10:38 | #13

    @Stan Osborne
    Again – visit our forums, it’s a better place to discuss such issues.

  14. July 11th, 2010 at 06:56 | #14

    How can I know if AV Security is no longer on my computer, since avast couldn’t locate it when scanning the computer? What I did was use SuperAntiSpyware, and that was what located AV Security and deleted it. I’m new to this and would like to know what to do in such cases, how to delete malicious programs not detected by avast.

  15. Lisandro
    July 13th, 2010 at 03:16 | #15

    Funny :)

  16. Jo
    July 24th, 2010 at 00:32 | #16

    Please, please, do NOT let this popup on my screen again!!!

  17. July 25th, 2010 at 09:31 | #17

    That computer is really messed up lol!

  18. July 26th, 2010 at 19:28 | #18

    I had a client PC infected with Defence Center. I don’t know if it was the payload of Defence Center or not, but the PC also had a rootkit – \windows\system32\drivers\disk.sys had a rootkit.

    In addition to the Defence Center popup, running netstat -A showed hundreds of outbound connections to various web advertisements, leading me to conclude the rootkit was being used for Clickfraud to run up advertising revenues for the bad guy who had his payload put on the rootkit.

    Had to turn off System Restore to prevent reinfection, delete all old System Restores, then manually remediated disk.sys with a known good file from another system in addition to using standard manual removal techniques (kill the process, delete all temp files, analyze autoruns to locate the infector, rename the executable to disable it, delete after reboot).

    This client did not have Avast! but a competing product (one of the big names in the USA) sitting fat, dumb and happy and thinking all was well while the system was pwned by the malware.
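    As an added example (not the commenter’s or Avast’s own tooling), here is a small Python script that applies the triage heuristic from the comment above to netstat output: it groups outbound TCP connections by PID and flags any process talking to an unusually large number of distinct remote hosts, which is what a click-fraud bot looks like next to a normal browser. The sample data (TEST-NET addresses), the `netstat -ano` column layout and the threshold of 25 hosts are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Windows "netstat -ano" output (not a real capture).
# PID 1492 fans out to 60 distinct hosts on port 80; PID 2204 is a browser with two connections.
_HEADER = ("Active Connections\n\n"
           "  Proto  Local Address          Foreign Address        State           PID\n")
_ROWS = [("TCP", "192.168.1.20:%d" % (49152 + i), "203.0.113.%d:80" % (10 + i), "ESTABLISHED", 1492)
         for i in range(60)]
_ROWS += [("TCP", "192.168.1.20:50001", "198.51.100.5:443", "ESTABLISHED", 2204),
          ("TCP", "192.168.1.20:50002", "198.51.100.5:443", "ESTABLISHED", 2204),
          ("TCP", "0.0.0.0:135", "0.0.0.0:0", "LISTENING", 884),
          ("UDP", "0.0.0.0:500", "*:*", "", 1148)]       # UDP rows carry no State column
SAMPLE_NETSTAT = _HEADER + "".join("  %-6s %-22s %-22s %-15s %d\n" % r for r in _ROWS)

# Proto, local, foreign, optional state (absent for UDP), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
OUTBOUND_STATES = {"ESTABLISHED", "SYN_SENT"}

def parse_netstat(text):
    """Return a list of (proto, local, remote, state, pid) tuples; banner/header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        rows.append((proto, local, remote, state or "", int(pid)))
    return rows

def remote_host(remote):
    """Strip the port from 'host:port' or '[ipv6]:port'."""
    host, _, _ = remote.rpartition(":")
    return host.strip("[]")

def fanout_by_pid(rows):
    """Map PID -> set of distinct remote hosts it holds outbound TCP connections to."""
    hosts = defaultdict(set)
    for proto, _local, remote, state, pid in rows:
        if proto == "TCP" and state in OUTBOUND_STATES:
            hosts[pid].add(remote_host(remote))
    return hosts

def flag_fanout(text, threshold=25):
    """Return {pid: distinct_host_count} for processes at or above the fan-out threshold."""
    fanout = fanout_by_pid(parse_netstat(text))
    return {pid: len(h) for pid, h in fanout.items() if len(h) >= threshold}

if __name__ == "__main__":
    print(flag_fanout(SAMPLE_NETSTAT))   # {1492: 60}
```

Pipe real `netstat -ano` output into `flag_fanout` and look the flagged PIDs up in Task Manager or Process Explorer; a browser or updater normally stays far below the threshold, while a process holding dozens of connections to unrelated ad hosts deserves a closer look.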

Comments are closed.