Michal Krejdl

29 June 2010

Defense center and a piece of luck

One of our users sent us a sample of a rogue AV for analysis. He didn't attach any further information and the binary was heavily obfuscated, so I decided to give it a shot inside a virtual machine. A virtual image of a clean (freshly installed) Win XP was used to run it, and this screen appeared:

Oooh, my clean OS is so badly infected? Even well-known Windows libraries? Of course not! These "infected" files are randomly selected during the first run of the fake scan. The names of these files are then stored in the registry so that the same list is shown in every session. The intention of this rogue is absolutely clear-cut: the authors want to scare you into paying for the full version, which claims to be able to fix all the (fake) problems. They constantly nag you with additional warnings, such as:

which is in fact pretty ridiculous, because the VM is fully disconnected from the network. Almost anything you click leads you to buying the product. Since my VM has never been connected to the internet, I started to think that I'm not a lucky guy and this famous product would always remain in demo mode. I was really, really sad, and in this unsettled state of mind I simply put my hands on the keyboard and accidentally pressed some keys (believe me, it wasn't my will). My accidental touch of the keyboard generated this screen:

Doesn't it look like an act of pure accident? Look, if a monkey can write Shakespeare's plays (http://en.wikipedia.org/wiki/Infinite_monkey_theorem), why couldn't I write this? When I noticed the text - defense@center.free - I pushed the "Activate" button, believing it must be something mystical (and I generally like the idea of free antiviruses). Defense center restarted itself.

Woooow, what a piece of luck! Awesome! Defense center seems to run in full mode now. Let's click the OK button.

Fantastic! No more nags. All shields on, and there's even a number for their live support. That's definitely something worth a try. Now I'm really satisfied, and I'll probably suggest to the user who sent us the file that he keep this great software on his PC and activate it the way I did.

OK, joking aside - Defense center is a typical piece of rogue software and its presence on your system is unwelcome. The scan results it shows are fabricated, and the "activation" above changes nothing except the nagging; it does not make your system any safer. This article only describes what happens when you register such an application. To be honest, this rogue is not that aggressive and can be easily terminated from Task Manager (or similar tools), but it's still a fraud and you should spend your money somewhere else.
