Posted by: Robert Westervelt
Rogue Antivirus, scareware, SEO attacks
The update to the Microsoft Malicious Software Removal Tool (MSRT) includes the removal of FakeSysdef, a pesky Trojan that poses as a system performance tool.
Microsoft has bolstered its Malicious Software Removal Tool this month to include a signature that detects and removes FakeSysdef, a Trojan that has been successfully tricking people by posing as a system performance tool. According to engineers at Microsoft’s Malware Protection Center blog, the Trojan masqueraded as a program called System Defragmenter last December. It’s also surfaced under different names including Scan Disk and Check Disk.
Victims run across the program in poisoned search engine results. As Microsoft explains, the malware spread fairly easily thanks to the multitude of exploit toolkits that have search engine poisoning built in as a feature.
Creators of the Trojan and rogue security software are notorious for using exploit kits and “search result poisoning”, or Black SEO, to launch installers of their malware. For example, malware creators could use an image search poisoning scheme to deliver poisoned search results to users who search for a photo of a popular or public person. When opening a (malicious) returned search results page, the user could become infected by way of a drive-by download that executes
The bad news for victims is that the Trojan can be really pesky. If the message to purchase performance improvements is ignored, the malware “reboots the machine repeatedly until they activate the fake fix.”
FakeSysdef is very much like rogue antivirus programs, which latch onto potential victims by poisoning search engine results. We’ve been keeping track of the highs and lows of rogue antivirus. Brian Krebs of KrebsOnSecurity reported last month that international law enforcement was making some headway against Russian cybercriminal gangs peddling rogue antivirus.
There’s no doubt that the game of whack-a-mole will continue in this area.