Archive for Spyware

Trust Cleaner, the rogue anti-spyware app that tricks you into thinking it’s Google.

A new rogue anti-spyware application called Trust Cleaner has been released. At first glance it works the same way as the other rogues released lately, such as SpyFalcon and SpywareQuake: a trojan displays fake security warnings intended to goad you into purchasing the full commercial version of the software. This particular variant, though, adds some additional “features” to its installation, which we describe below. If you are here because you are infected and do not wish to read the entire article, you can visit our Trust Cleaner Removal Guide instead.

When the programs are installed on your computer, they are downloaded from the domains trustincash.com and trustcleaner.com. Both domains appear to be registered through GoDaddy, but both use private registration, so the WHOIS records tell us nothing further about the people behind this malware. The download hostnames for both domains resolve to the same IP address, so they are served from the same host and are most likely run by the same company (a shared IP is suggestive rather than conclusive, since unrelated sites can sit on one server). It is not surprising that this IP address belongs to the ISP Intercage, which is notorious for hosting other malware and spyware sites. We have purposely left out the specific URLs the infection downloads its software from in order to protect our readers. If you are a security professional or security developer, please contact us for this information.

After the malware is installed, the rogue anti-spyware program Trust Cleaner is set to start automatically when your computer starts. It then scans your computer for supposed spyware and malware and displays a list of the items found. Amusingly, it finds its own components and labels them as spyware, as shown in the image below.

[Image: Trust Cleaner rogue anti-spyware program]

This infection, like all the other recent rogue anti-spyware apps, issues fake taskbar alerts by installing a DLL through your SharedTaskScheduler registry key, so that Explorer loads the DLL at logon in both normal and Safe Mode. In the variants listed on this page, the CLSID named in that key is registered under HKEY_CURRENT_USER\Software\Classes\CLSID, a per-user location that a limited user account can write to and that takes precedence over the machine-wide class registration. An example of a fake taskbar alert is below.

[Image: Trust Cleaner fake taskbar alert]

This infection also issues fake warnings on your desktop through the program C:\Program Files\TrustIn Popups\TrustInPopups.exe, which displays fake security warnings in a window directly on your desktop. An example of its fake desktop warning is below. Another interesting feature of this program is that it cancels all Windows restart requests, so you cannot restart your computer unless you kill the process first.

[Image: TrustInPopups.exe fake desktop warning window]

Furthermore, it installs a toolbar and other ActiveX controls in Internet Explorer that present popups with “contextual” ads related to whatever you are searching for on other sites such as CNN, Yahoo, or Google. So if you go to the real Google site and search for something, this software opens a new Internet Explorer window with its own ads specific to that search term. While this malware injects its own ads around Yahoo and Google searches, it blocks all access to any web page in the MSN domain.
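As an added example (not code from the original post or from BleepingComputer), the following PowerShell script audits the load points described above: the SharedTaskScheduler key used for the fake taskbar alerts and the Browser Helper Object and toolbar keys used for the Internet Explorer popups. It resolves each CLSID to its InProcServer32 DLL, reports whether the class is registered per-user under HKCU (as every variant listed further down this page is), checks the DLL's Authenticode signature, and offers a -WhatIf-capable removal helper. The "random-looking name" heuristic is an assumption drawn from the file names on this page, and the HKCU SharedTaskScheduler path is checked only for completeness; the samples here all use the HKLM key.

```powershell
# Added example (not code from the original post or from BleepingComputer).
# Audits the COM load points the rogues on this page abuse. Explorer loads every
# CLSID listed under SharedTaskScheduler at logon, in normal and Safe Mode; IE
# loads Browser Helper Objects and toolbars the same way. For each CLSID the
# script resolves the InProcServer32 DLL and reports where the class is
# registered: HKCU\Software\Classes is merged into HKCR ahead of HKLM, so a
# per-user registration wins and needs no administrator rights to create.
# The "random-looking name" heuristic (4-8 lowercase letters) is an assumption
# drawn from the file names on this page, not a documented rule.
# Run from an elevated Windows PowerShell 5.1 / PowerShell 7 prompt on Windows.

$guidRegex = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

# Keys whose value names (SharedTaskScheduler, Toolbar) or subkey names
# (Browser Helper Objects) are CLSIDs. The samples on this page use the HKLM
# SharedTaskScheduler key; the HKCU path is checked as well for completeness.
$loadPoints = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
)

# Look up a CLSID's InProcServer32 DLL, per-user registration first because
# that is the one COM will actually honour.
function Resolve-Clsid {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($hive in 'HKCU', 'HKLM') {
        $ips = "${hive}:\Software\Classes\CLSID\$Clsid\InProcServer32"
        if (Test-Path -LiteralPath $ips) {
            $raw = (Get-Item -LiteralPath $ips).GetValue('')
            $dll = if ($raw) { [Environment]::ExpandEnvironmentVariables([string]$raw) } else { $null }
            return [pscustomobject]@{ Hive = $hive; Dll = $dll }
        }
    }
    return $null
}

function Get-ComLoadPointEntry {
    foreach ($lp in $loadPoints) {
        if (-not (Test-Path -LiteralPath $lp)) { continue }
        $key    = Get-Item -LiteralPath $lp
        $clsids = @($key.GetValueNames()) + @($key.GetSubKeyNames()) |
                  Where-Object { $_ -match $guidRegex } | Sort-Object -Unique
        foreach ($clsid in $clsids) {
            $res    = Resolve-Clsid -Clsid $clsid
            $exists = [bool]($res -and $res.Dll -and (Test-Path -LiteralPath $res.Dll))
            $flags  = @()
            if (-not $res)                { $flags += 'CLSID not registered' }
            elseif ($res.Hive -eq 'HKCU') { $flags += 'per-user CLSID registration' }
            if ($res -and -not $exists)   { $flags += 'DLL missing' }
            if ($exists) {
                $status = (Get-AuthenticodeSignature -FilePath $res.Dll).Status
                if ($status -ne 'Valid') { $flags += "signature: $status" }
                if ([IO.Path]::GetFileName($res.Dll) -match '^[a-z]{4,8}\.dll$') {
                    $flags += 'random-looking name'
                }
            }
            [pscustomobject]@{
                LoadPoint = $lp.Split('\')[-1]
                Clsid     = $clsid
                Name      = $key.GetValue($clsid)   # display name; $null for subkey-style entries
                Hive      = if ($res) { $res.Hive } else { $null }
                Dll       = if ($res) { $res.Dll } else { $null }
                Flags     = $flags -join '; '
            }
        }
    }
}

# Remove one entry: the load-point reference(s) and the per-user class
# registration. The DLL itself stays loaded in explorer.exe until Explorer is
# restarted, so delete the file afterwards (or from Safe Mode with Command Prompt).
function Remove-ComLoadPointEntry {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($lp in $loadPoints) {
        if (-not (Test-Path -LiteralPath $lp)) { continue }
        if ($null -ne (Get-Item -LiteralPath $lp).GetValue($Clsid) -and
            $PSCmdlet.ShouldProcess("$lp -> $Clsid", 'Remove value')) {
            Remove-ItemProperty -LiteralPath $lp -Name $Clsid
        }
        $sub = Join-Path $lp $Clsid
        if ((Test-Path -LiteralPath $sub) -and $PSCmdlet.ShouldProcess($sub, 'Remove key')) {
            Remove-Item -LiteralPath $sub -Recurse
        }
    }
    $cls = "HKCU:\Software\Classes\CLSID\$Clsid"
    if ((Test-Path -LiteralPath $cls) -and $PSCmdlet.ShouldProcess($cls, 'Remove key')) {
        Remove-Item -LiteralPath $cls -Recurse
    }
}

Get-ComLoadPointEntry | Format-Table LoadPoint, Clsid, Name, Hive, Dll, Flags -AutoSize
# After reviewing the report, e.g. for the first SpywareQuake variant listed on this page:
# Remove-ComLoadPointEntry -Clsid '{cbb430e6-5b1b-474a-9d7e-160d4fe74bea}' -WhatIf
```

Run the report first and read it with the variant lists on this page in mind: an entry whose CLSID lives only under HKCU, whose DLL is a short unsigned file in System32, and whose display name is an unrelated dictionary word matches every sample shown here. Removal is deliberately gated behind ShouldProcess so the -WhatIf run shows exactly which values and keys would go.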

Finally, and equally deceptive, it changes your Internet Explorer home page to an HTML page loaded from a file on your local computer, C:\Windows\local.html. This page generates a home page that looks strikingly like Google; it even states at the bottom that it is powered by Google. In reality, the page pulls its results from www.mswindowssearch.com, not from Google. Below is an image of the fake home page next to the real Google home page so you can see the differences.
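As an added example (not code from the original post or from BleepingComputer), this PowerShell check reads the Internet Explorer start and search page values and flags any that point at a local file such as C:\Windows\local.html. Checking the HKLM Main key alongside HKCU, and the exact list of value names, are assumptions about where a hijacker might write; the post only describes the home page change.

```powershell
# Added example (not code from the original post or from BleepingComputer).
# Checks the Internet Explorer start and search page settings that Trust
# Cleaner redirects to the local file C:\Windows\local.html. A value that
# resolves to a local path, a file:// URL or a non-http(s) scheme is reported
# as a hijack; an http(s) value is reported with its host so the reader can
# decide whether it is the search engine they chose. Checking HKLM as well as
# HKCU, and this set of value names, are assumptions, not something the post states.
# Run on Windows in Windows PowerShell 5.1 / PowerShell 7.

$ieMainKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main'
)
$ieValueNames = 'Start Page', 'Default_Page_URL', 'Search Page', 'Default_Search_URL'

# Classify one setting. Built-in about: pages are normal; anything that is a
# drive path, UNC path or file: URL is the hijack pattern described above.
function Get-UrlVerdict {
    param([string]$Data)
    if ($Data -match '^about:')                    { return 'ok: built-in page' }
    if ($Data -match '^(file:|[A-Za-z]:\\|\\\\)')  { return 'HIJACK: local file' }
    $uri = $null
    if (-not [Uri]::TryCreate($Data, [UriKind]::Absolute, [ref]$uri)) {
        return 'suspicious: not a valid absolute URL'
    }
    if ($uri.Scheme -notin @('http', 'https')) { return "suspicious: $($uri.Scheme) scheme" }
    return "review: http(s) host $($uri.Host)"
}

function Test-IeHomePageHijack {
    foreach ($keyPath in $ieMainKeys) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key = Get-Item -LiteralPath $keyPath
        foreach ($name in $ieValueNames) {
            $raw = $key.GetValue($name)
            if ($null -eq $raw) { continue }
            # Expand %SystemRoot%-style references so a disguised local path is caught too
            $data = [Environment]::ExpandEnvironmentVariables([string]$raw)
            [pscustomobject]@{
                Key     = $keyPath
                Value   = $name
                Data    = $data
                Verdict = Get-UrlVerdict -Data $data
            }
        }
    }
}

Test-IeHomePageHijack | Format-Table -AutoSize
# Once the malware itself is removed, reset a hijacked value, e.g.:
# Set-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Internet Explorer\Main' -Name 'Start Page' -Value 'https://www.google.com/'
```

Resetting the home page before the SharedTaskScheduler DLL and TrustInPopups.exe are gone is pointless, since the infection will simply write it back; run this check again after the rest of the cleanup to confirm the values stayed fixed.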

[Image: Trust Cleaner fake Google home page]

[Image: Real Google home page]

Notice that the copyright line is significantly different from the one on the real Google home page, and that the links on the main page differ. Let’s take a look at a search on the fake Google home page using the search term “job”.

[Image: Fake Google search for the term “job”]

At first glance the page looks a lot like a Google search results page. When you examine it closely, though, you will notice quite a few differences. The main ones are that it does not let you move to other pages of results, it has its own way of showing sponsored sites on the right side of the page, and it displays very different results. Let’s take a look at the same search using Google.

[Image: Real Google search for the term “job”]

As you can see, the format of the search results is almost identical and the page colors are the same, but the page layout is different. It is possible that this fake search engine uses the Google API to retrieve some of its results, as some of them are legitimate and contain listings you would not expect to advertise with a spyware company, but for the most part the results are typical for these types of hijackers.

As you can see, this is a new breed of rogue anti-spyware application. This variant is not satisfied with just trying to scare you into purchasing a piece of software; it also changes settings in Internet Explorer, displays popups, and tries to cash in on the search engine advertisement market.

2 New SpywareQuake Variants - vhywj.dll & yfysupa.dll

Two new SpywareQuake variants found today: C:\Windows\System32\yfysupa.dll and C:\Windows\System32\vhywj.dll.

Reg keys for both files are as follows:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{cbb430e6-5b1b-474a-9d7e-160d4fe74bea}"="feld"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{cbb430e6-5b1b-474a-9d7e-160d4fe74bea}\InProcServer32]
@="C:\\WINDOWS\\system32\\yfysupa.dll"

And

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{a0aa3e4b-31cb-4ea2-9049-22b7f5b65edb}"="fumarases"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{a0aa3e4b-31cb-4ea2-9049-22b7f5b65edb}\InProcServer32]
@="C:\\WINDOWS\\System32\\vhywj.dll"

The SpywareQuake removal instructions have been updated for these variants.

New SpywareQuake Variant - ywbicim.dll

New SpywareQuake variant found today as well: C:\Windows\System32\ywbicim.dll.

Reg keys for C:\Windows\System32\ywbicim.dll:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{6c69e319-0d03-47da-997a-36586cbc53b3}"="fortread"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{6c69e319-0d03-47da-997a-36586cbc53b3}\InProcServer32]
@="C:\\WINDOWS\\system32\\ywbicim.dll"

The SpywareQuake removal instructions have been updated for this variant.

New SpyFalcon variant

New SpyFalcon variant found today as well: C:\Windows\System32\higjxe.dll.

Reg keys for C:\Windows\System32\higjxe.dll:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{a0c51615-738a-4542-801a-5af61614e182}"="bedimples"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{a0c51615-738a-4542-801a-5af61614e182}\InProcServer32]
@="C:\\WINDOWS\\system32\\higjxe.dll"

SpyFalcon removal guide updated.

Three new SpywareQuake variants released.

This week the people who write SpyFalcon have instead focused on bringing out some new variants of SpywareQuake. As always, the SpywareQuake removal instructions have been updated for these variants.

Reg keys for C:\Windows\System32\yhbdupd.dll:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{aea3d2df-2b2c-4d7b-81a0-d975c6dc088e}"="alongshore"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{aea3d2df-2b2c-4d7b-81a0-d975c6dc088e}\InProcServer32]
@="C:\\WINDOWS\\System32\\yhbdupd.dll"

Reg keys for C:\Windows\System32\imfdfcj.dll:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{e5b1e382-817e-4b74-8a96-ec78751e6acf}"="incatenate"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{e5b1e382-817e-4b74-8a96-ec78751e6acf}\InProcServer32]
@="C:\\WINDOWS\\system32\\imfdfcj.dll"

Reg keys for C:\Windows\System32\hvnwm.dll:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{62eb0924-19d2-4226-b4b9-8ad1f70904c1}"="bronchovascular"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{62eb0924-19d2-4226-b4b9-8ad1f70904c1}\InProcServer32]
@="C:\\WINDOWS\\system32\\hvnwm.dll"

New SpyFalcon variant - bolnyz.dll

New SpyFalcon variant released: C:\Windows\System32\bolnyz.dll.

Registry keys involved:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{f5947202-e9cb-4a72-88e7-22f2cbd2b124}"="chenopodiaceae"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{f5947202-e9cb-4a72-88e7-22f2cbd2b124}\InProcServer32]
@="C:\\WINDOWS\\system32\\bolnyz.dll"

SpyFalcon removal guide updated.

Two more SpyFalcon variants

Two more variants:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{5bc82bdb-bc03-4671-9a78-3ef2b68449de}"="advisability"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{5bc82bdb-bc03-4671-9a78-3ef2b68449de}\InProcServer32]
@="C:\\WINDOWS\\system32\\oqipt.dll"

and

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{70fbd528-2d3c-4a00-9b8c-bbf441e534be}"="AutoDisc Ware"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{70fbd528-2d3c-4a00-9b8c-bbf441e534be}\InProcServer32]
@="C:\\WINDOWS\\System32\\iqzv.dll"

SpyFalcon removal guide updated.

SpyFalcon hits again... 3 new variants in one day.

Another new SpyFalcon variant. Anyone else getting bored of all of these?

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{a566f298-05a6-4b3d-b672-da7c27316430}"="AutoDisc Ware"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{a566f298-05a6-4b3d-b672-da7c27316430}\InProcServer32]
@="C:\\WINDOWS\\system32\\htey.dll"

SpyFalcon removal guide updated.

New SpyFalcon Variants

Two new variants of SpyFalcon have been released. The SpyFalcon removal guide has been updated to reflect these new variants.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{89aef01d-d237-49c7-84dc-4e1904c1fd31}"="AutoDisc Ware"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{89aef01d-d237-49c7-84dc-4e1904c1fd31}\InProcServer32]
@="C:\\WINDOWS\\system32\\sbnudh.dll"

and

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{e04408db-4812-4478-8d4d-e46edcffd3b6}"="AutoDisc Ware"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{e04408db-4812-4478-8d4d-e46edcffd3b6}\InProcServer32]
@="C:\\WINDOWS\\system32\\fyhhxw.dll"

Rumors are that the C:\WINDOWS\system32\fyhhxw.dll infector uses a randomly changing CLSID, so do not rely on the GUID above alone when checking for it.

Removal guide for Spyware Sheriff and the Antispylab.com

Spyware Sheriff and the Antispylab.com infections are starting to get decent visibility in many of the anti-malware forums. Due to this demand we have put together a detailed guide on the removal of this infection. The guide can be found here:

How to remove Spyware Sheriff and Antispylab

© 2003-2008 All Rights Reserved Bleeping Computer LLC.
