Protector Rogue Re-emerges

By | December 10, 2013

Most of you know that Emsisoft is our top pick for virus and malware protection. Always ranked highly by the most respected anti-virus testing labs, Emsisoft continues to stay ahead of the pack. By keeping on top of the latest threats, Emsisoft is ready to protect you BEFORE the next big troublemaker comes along. Nothing illustrates this better than this article from the latest Emsisoft Newsletter:

(From Emsisoft’s latest newsletter…used with permission)

As recently discussed in our post about Hacking Identity Theft, there are a number of ways that malware can work its way onto your computer. One of the most common modes of entry is a Trojan Horse program that fools you into installing it by presenting itself as a useful plug-in or application.

Rogue security software is a type of Trojan that presents itself as antivirus software, and right now a very pesky rogue is circulating the Internet that is very similar to what was called the Protector Rogue in 2012.

The Protector Rogue took its name from the filename protector-xxx.exe (where the x’s were random letters). This malware was very common until it was for the most part eradicated in September of last year. The new version of the Protector Rogue has the filename guard-xxx.exe and the registry run value GuardSoftware.

Because hackers are generally lazy, they usually base new malware off of older versions, and GuardSoftware has many of the same components that Protector did. In fact, despite the name change, even the Graphical User Interface (GUI) is still set up for Windows XP.

[Image: rogue1]

This unchanged GUI is a dead giveaway to anyone running anything past XP. The makers of GuardSoftware have implemented a few new tricks, however, and it’s for this reason that the malware is starting to work. GuardSoftware’s installer, or dropper, carries a valid digital signature, which makes it look more trustworthy to the human eye at a glance and which will bypass certain forms of heuristic detection.

[Image: rogue2]

At the same time, GuardSoftware utilizes hijacking techniques not previously observed in comparable rogue programs. After installation, GuardSoftware restarts your computer and then essentially locks your desktop with a “Scanning In Progress” screen.

[Image: rogue3]

This screen is meant to fool users into trusting GuardSoftware, and it even goes as far as allowing you to “disable” the scan through an “Options” feature. This faux-disable will unlock your desktop, but it will not stop the scan. Instead, the supposed scan will continue to run in the background, with constant pop-up reminders that your computer is infected, all aimed at persuading you to purchase the full version of GuardSoftware by entering your credit card information into a screen like this:

[Image: rogue4]

GuardSoftware is one of the first rogue programs to utilize such screen locking, which in the past has typically only been observed in ransomware. Earlier Protector Rogues would instead just scare users with frightening messages, such as YOUR COMPUTER IS INFECTED or PROTECTOR FOUND 136 VIRUSES ON YOUR COMPUTER!!! It would seem that whoever developed GuardSoftware has realized that most computer users are no longer so gullible, and that a more forceful approach is necessary.

This rogue family uses a variety of names, such as Windows Expert Console, Windows Cleaning Toolkit and Windows Active Hotspot. Below are SHA1 hashes for some of these variants:

FAAB416D4423F08337707D6FC15FA4ACA143D9BE
2966D9B0B7B27C1CA2FA46F93E26E82FBB7FE64C
CB8B40EACC05C5D34396D70C9B9C1D931A780517
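As an added example that is not from the Emsisoft article, the following PowerShell (assumed to be run on the Windows machine in question, PowerShell 3 or later for Get-FileHash) checks the Run keys for the GuardSoftware run value, a guard-xxx.exe style filename, and the SHA1 hashes listed above. It only reports what it finds and removes nothing.

```powershell
# Read-only check for the GuardSoftware indicators named in the article.
# Assumption: run locally on the suspect Windows host, PowerShell 3+.

# SHA1 hashes of the variants listed in the article.
$knownHashes = @(
    'FAAB416D4423F08337707D6FC15FA4ACA143D9BE',
    '2966D9B0B7B27C1CA2FA46F93E26E82FBB7FE64C',
    'CB8B40EACC05C5D34396D70C9B9C1D931A780517'
)

# Autostart locations where a "GuardSoftware" run value would live.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata PowerShell adds to the object.
        if ($p.Name -like 'PS*') { continue }
        $cmd = [string]$p.Value

        # Indicator 1: the run value name, or a guard-xxx.exe filename (x = letters).
        if ($p.Name -eq 'GuardSoftware' -or $cmd -match 'guard-[a-z]+\.exe') {
            $findings += [pscustomobject]@{ Key = $key; Name = $p.Name; Detail = $cmd }
        }

        # Indicator 2: hash the referenced executable and compare to the known list.
        # Strip surrounding quotes and any arguments to recover the .exe path.
        $exe = ($cmd -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $sha1 = (Get-FileHash -LiteralPath $exe -Algorithm SHA1).Hash
            if ($knownHashes -contains $sha1) {
                $findings += [pscustomobject]@{ Key = $key; Name = $p.Name; Detail = "$exe SHA1=$sha1" }
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No GuardSoftware indicators found in the Run keys.' }
```

A hit on the run value or the hash list means the machine should be treated as infected; a clean result only covers these two autostart keys and the three listed hashes, not later variants.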

Fortunately, anyone running the full version of Emsisoft Anti-Malware is protected from the GuardSoftware rogue. Emsisoft Anti-Malware features a Behavior Blocker, which is designed to recognize rogue behavior where the human eye, and other anti-malware programs that rely on heuristic detection, cannot. Emsisoft users who come across GuardSoftware can expect a prompt warning from a screen like this:

[Image: rogue5]

Our recommendation is to block the program immediately and to identify exactly where GuardSoftware was encountered, so that the point of contact can be avoided and you can warn your friends. In the meantime, we here at Emsisoft will continue to monitor GuardSoftware as it inevitably evolves and develops. If it is anything like its predecessor, it will be around for some time…but it will also eventually be defeated 😉

————————

Thanks to the Emsisoft team for letting us share that article with you! Don’t forget you can save $10 on the purchase of Emsisoft Anti-Malware – visit this page for details.

One thought on “Protector Rogue Re-emerges”

  1. Anne

    I am very thankful I purchased the full version of Emsisoft, and I truly appreciate the discount associated with the purchase!
