Top Threats

4 Posts authored by: Nitin Kumar

Compromised websites have been an attractive target for cyber-criminals. These websites distribute different malware designed to steal valuable information from the victim’s machine.

Compromised websites host scripts and iframes that redirect the visitor or download further malware.


The link to the compromised website may arrive via email as part of a spam campaign that lures the user into clicking the malicious link. After the compromised website is accessed, it shows a fake message box warning of critical process activity on the computer.


On clicking the OK button, it opens a .PNG file hosted on the compromised site. This .PNG file shows a fake alert image that pretends to come from a security product; it scares the user into thinking the computer is infected with critical malware and suggests that the user clean the computer.


The compromised website contains another iframe that downloads a malicious file when the user clicks on the .PNG image.


Upon execution, the malicious file shows a variety of fake security alerts and warnings. This rogue variant also uses a different GUI depending on the version of the operating system it infects.


On Windows 7:

On Windows Vista:


Finally, it attempts to convince the user to purchase the full version of the fake product.

McAfee strongly recommends that users exercise caution when opening unsolicited emails. Ensure your anti-malware protection is up to date. Use a reputable firewall. Beware of drive-by downloads when visiting any new websites. McAfee detects this malware as “FakeAlert-FFO” and the .jar file as “Exploit-CVE2012-1723”.

The OpenCloud Security FakeAlert is commonly installed by other trojan downloaders. These trojans usually arrive as e-mail attachments or via drive-by-download attacks exploiting vulnerabilities in Windows and third-party applications.

Upon execution, it copies itself to the following paths:


  • %USERPROFILE%\Application Data\ OpenCloudSecurity\OpenCloud Security.exe
  • %ALLUSERSPROFILE%\Application Data\ OpenCloud Security\OpenCloud Security.exe

This FakeAlert evolves its appearance and may present itself using one of the following graphical user interfaces:




This infection will also terminate the majority of programs that you attempt to run.

When you start an executable it will automatically be closed, and you will then be shown a security warning from the Windows taskbar stating that the program is infected.



While running, this FakeAlert will display a variety of fake security alerts and warnings. The various alerts are shown below:








  • Users should be cautious with suspicious e-mail attachments.
  • Users should apply the latest security patches for Windows and third-party applications including the following, which are popular targets:
    • Internet Explorer
    • Microsoft Office (Excel, Word, PowerPoint, etc.)
    • Adobe Reader
    • Java
    • Flash Player
    • RealPlayer
    • QuickTime
  • Users should browse cautiously and avoid unknown sites.


Note: If you are already infected with this FakeAlert and are not able to execute anything, start the machine in 'Safe Mode with Networking' and run the McAfee FakeAlert Stinger.

Set the sensitivity level to 'very high'; it is 'very low' by default.

Nitin Kumar


Posted by Nitin Kumar Aug 3, 2011

Another 2012-branded fake AV, commonly known as ‘XP Internet Security 2012’, has appeared, and 2011 is not even over yet.

This fake AV looks the same as ‘XP Security 2012’ (check blog @ ecurity-2012).

Once it is successfully executed, it presents the whole system as nothing but a pile of malicious files.


A user who is not aware of this rogue AV would find this picture really scary. What is the next step? Get rid of these viruses. And how? Register the software.

This is not free: the registration page carries user reviews of the same software to make it look genuine.



Now one more step: buy the software and scan with it. That’s the catch; the attack has succeeded.

Users should be wary of these fake AVs and should not download security software from anything other than the vendor's genuine site. Especially when money is involved, first confirm that you are buying a genuine product.

Keep your anti-virus updated and enable real-time scanning. McAfee detects this as a FakeAlert-Rena.* variant.


If you are infected with any FakeAlert, download the McAfee FakeAlert Stinger and scan the system with it; you can also start a discussion in the McAfee Top Threats community.

Do not surf malicious sites; use SiteAdvisor.

Nitin Kumar

Is it really defender?

Posted by Nitin Kumar Jul 22, 2011

One of the prevalent FakeAlert trojans found nowadays is ‘defender.exe’. McAfee detects this fake AV as a FakeAlert-Rena variant.

Its icon generally looks like the one shown below:



When this fake AV is executed, it copies itself as a hidden file to the location “%appdata%\defender.exe” and displays the window shown below:


It creates a startup registry entry so that defender.exe runs every time Windows starts.

This trojan tends to be distributed along various channels such as e-mail, malicious web pages, Internet Relay Chat (IRC) channels and some peer-to-peer networks. It is also highly capable of downloading additional malware onto the infected computer, usually from a remote website, which is then executed on the local system.

e.g. hxxp://*****


The best practice to prevent and deal with this infection is to keep a fully functional, updated anti-virus on your machine and to avoid surfing malicious sites.
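As an added example (not code from the original posts or from McAfee), the following PowerShell hunt checks a host for the drop locations named in the OpenCloud Security and defender.exe posts above and for autorun entries that launch them. It assumes the persistence lives in the standard HKCU/HKLM `...\CurrentVersion\Run` keys, which the defender.exe post does not specify.

```powershell
# Added defender-side check for the rogue AV artefacts described on this page.
# Drop paths come from the two posts above; the Run-key locations are an
# assumption, since the defender.exe post only says "a startup registry entry".
function Find-FakeAlertArtifacts {
    $dropPaths = @(
        (Join-Path $env:USERPROFILE    'Application Data\OpenCloudSecurity\OpenCloud Security.exe'),
        (Join-Path $env:ALLUSERSPROFILE 'Application Data\OpenCloud Security\OpenCloud Security.exe'),
        (Join-Path $env:APPDATA 'defender.exe')
    )
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',   # assumed location
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'    # assumed location
    )
    # Provider metadata that Get-ItemProperty attaches to every registry key.
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $findings = @()

    # 1. Look for the dropped binaries. -Force is needed because defender.exe is dropped hidden.
    foreach ($p in $dropPaths) {
        $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if ($item) {
            $findings += [pscustomobject]@{
                Type   = 'DropFile'
                Where  = $p
                Detail = 'Hidden={0} Size={1}' -f $item.Attributes.HasFlag([IO.FileAttributes]::Hidden), $item.Length
            }
        }
    }

    # 2. Look for autorun values whose command line points at one of those paths.
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($providerProps -contains $name) { continue }
            $value = [string]$props.$name
            foreach ($p in $dropPaths) {
                if ($value -like "*$p*") {
                    $findings += [pscustomobject]@{ Type = 'RunKey'; Where = "$key\$name"; Detail = $value }
                }
            }
        }
    }
    return $findings
}

$result = Find-FakeAlertArtifacts
if ($result) { $result | Format-Table -AutoSize } else { 'No FakeAlert artefacts found.' }
```

Run it from an elevated prompt in Safe Mode if the rogue AV is killing other processes; the file check reports hidden copies and the registry check only flags values that reference the listed drop paths.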
