1

browser-security.microsoft.com Hosts File Modification

The ThreatFire community is preventing an unusual hosts file modification in higher prevalence than usual that seems to be related to “Spyware Protect 2009″. On unprotected systems, the end result can be that your browser appears to be visiting “browser-security.microsoft.com” when it’s really not the legitimate microsoft.com site, alerting you to a familiar browser warning “visiting this site may harm your computer!”. You can see the spoofed microsoft.com url circled in red in the image:

So far, getting the user to run an executable (or exploiting a system running vulnerable third party pdf reader plugins) that modifies the hosts file with “browser-security.microsoft.com” to redirect to 195.245.119.131 and launch a browser to a page on that domain seems to be a fairly prevalent tactic. The links on the page direct the user to pay for another piece of rogueware called “Spyware Protect 2009″. In no way is this site associated with the real microsoft.com web presence.
Other domains shared by the group right now are sys-protection.com, sysguard2009.com, os-protection.com, swp2009.com, spy-protect-2009.com, spywprotect.com and some adult entertainment links. Avoid these domains and rogueware.

Update: The “Malware Analysis and Diagnostic” blog posted some additional information on the rogueware. Looks like an interesting blog, and for english readers, Google translate is your friend.

Update: More of the same technique found here.

Update: Michael Hale Ligh posted details of his investigation into a related incident here. In an update, he comments that the user’s system had an outdated version of Adobe Acrobat Reader, which was most likely the targeted vulnerable application. It’s excellent work and a great read for those interested in technical details.

This entry was posted in The Law. Bookmark the permalink.

4 Responses to browser-security.microsoft.com Hosts File Modification

  1. spoon says:

    thnanks for that, so how do I get rid of it? Pls advise. I tried to block this particular webiste in ‘internet options’ but it keeps popping up constantly. I think I’ll need to uninstall Explorer and keep using Mozzila but I had loads of Fafourite sites in there :(

  2. ThreatFire Blogger says:

    Hey Spoon-

    Sorry to hear about the infection. Malware is running on your system that you need to clean up. I would suggest trying to get removal help in our support forums under “Virus, Worms and Trojans” here:
    http://www.pctools.com/forum/index.php

    And there are other resources you can find on the net, like instructions here
    http://www.spyware-techie.com/spyware-protection-2009-removal-guide/

    Google is your friend, try googling ‘”Spyware Protection 2009″ removal’. You’ll find manual instructions, removal tools, etc

  3. Bobby says:

    As it has been mentioned, instances of browser diverts to Browser-security.microsoft.com testify to the one and only thing – your system has been attacked by the unregistered version of the aggressive rogue anti-spyware called Spyware Protect 2009. Therefore, getting rid of the symptoms (i.e. browser redirections) requires exterminating the cause – you need to remove Spyware Protect 2009 trialware and the affiliated trojans. A reliable and effective method for this is the use of automatic removal tool on http://windowsprotection.net/how-to-remove-spyware-protect-2009-spywareprotect-2009-removal-tool/. It should work! Good luck fixing your system!

  4. Rick says:

    Don’t forget to check your HOSTS file. I found that the HOSTS file on our infected system had been wiped out and replaced with entries pointing to the infectious URL’.s Restoring the HOSTS files to the original state helps clear the problem.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>