I don't think that this issue is getting the attention it deserves. I'd really like to get some more experts to look into it.
I recently got this popup, and created this account specifically to post about it, because it's so concerning.
The Skype ad indeed opened a browser page on my computer, with no interaction from me at all. Skype was simply on, and windowsdefender link opened up.
I've done some research and come across quite a bit of stuff related to this. I'll post what I've discovered so far.
First off, it appears to be from an ad. Secondly, here's what I found about the URL.
Apparently, it has links to the Netherlands as well as France.
Here's a virustotal link for the URL, but I don't know if the payload (if there is one) has been analyzed and if it's detectable.
Here are some posts on the Skype forum with people reporting it:
Are there any experts out there, with a virtual machine, who can get this mysterious thing to open through Skype, and see if it has a payload, or if it's really just a social engineering attempt that can be solved by ending iexplore.exe in the browser?
I'm afraid it's something designed to look like social engineering, but actually has a worse payload, since absolutely NO ONE has reported "being infected" by the fake windows defender, but everyone seems to get the popup.
I'm currently running Malwarebytes Pro with Microsoft Security Essentials, all security fixes, browser Java disabled, and Malwarebytes Anti-exploit. Despite all these precautions, I still managed to get a page opened up (not sure what kind of code needed to execute to do that without clicking).
I also ran a Malwarebytes anti-rootkit scan, and everything came back clean. I even used Adwcleaner by Xplode and got 0 results in there.
I installed EMET 4.1 and noticed something strange, however. When I enabled EMET's maximum security, I had to reboot. I quickly opened Task Manager on booting to see what was using the HDD and networking, and I noticed two dllhost processes, which disappeared after a few seconds.
In EMET, there are also 3 dllhosts listed, but the bottom two cannot be configured, giving me a "not a valid executable" error. Then those disappear from EMET's list without my having to hit refresh. Can someone who knows software really well tell me what to make of this?
I should also mention that users of Malwarebytes and other anti-malware and antivirus programs seem to be getting no infections detected, and are posting about this on their forums, not just the Skype forum. I'm not sure if the fact that they're not getting any detections is a good thing, or a really bad thing.
Edited by blackdove, 03 February 2014 - 04:26 AM.