Look out — this Windows 11 installer is really malware
Installing Windows 11 isn't that easy for many existing computers, thanks to the software's stringent hardware requirements. That's led many Windows 10 users to search for workarounds that dodge such obstacles.
But be careful, because one supposed Windows 11 installer is really the RedLine stealer, a well-known piece of information-stealing malware that will infect your web browser and swipe your passwords, credit-card numbers, login-session tokens and even cryptocurrency tokens. (RedLine is one of several reasons you should not let your browser save your passwords.)
The malware was being distributed from a website at windows-upgraded[.]com, HP malware analyst Patrick Schläpfer reported in an official HP blog post yesterday (Feb. 8). HP noticed the bogus website Jan. 27, the day after Microsoft announced that Windows 11 would be available as a free download for all eligible devices.
"This campaign highlights once again how attackers are quick to take advantage of important, relevant and interesting current events to create effective lures," wrote Schläpfer. "Prominent announcements and events are always interesting topics for threat actors, which can be exploited to spread malware."
How the fake Windows 11 installer works
The site looked just like an official Microsoft site, right down to the OS maker's logo, site layout and minimalist design aesthetic. "Get Windows 11" was prominently displayed, and underneath that was a button that said "DOWNLOAD NOW."
If you clicked that button, Schläpfer said, you'd reach out to a Discord storage server and download a 1.5MB compressed file called Windows11InstallationAssistant.zip. Unpacked, the file expanded to a whopping 753 MB — a compression ratio of a phenomenal 99.8%, Schläpfer noted.
It turned out that a lot of the 751MB main file, Windows11InstallationAssistant.exe, was just padding consisting of repeated zeroes, hence the extreme compression ratio. Why would it need so much padding?
"One reason why the attackers might have inserted such a filler area, making the file very large," wrote Schläpfer, "is that files of this size might not be scanned by an antivirus and other scanning controls, thereby increasing the chances the file can execute unhindered and install the malware."
If you run Windows11InstallationAssistant.exe, you get a command-line process that lasts exactly 21 seconds, then downloads what looks like a JPEG file called win11.jpg.
Sounds harmless, right? Not quite — if you read the JPEG's code backwards, you get a dynamic-link library (DLL) file that contains the RedLine data stealer, a payload that lands in your lap when you run the purported "Installation Assistant" on your PC.
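The two tricks described above, a binary bulked out with zero-byte filler to slip past size-limited scanners and a payload stored byte-reversed under a harmless-looking extension, are both cheap to spot once you know to look. The triage script below is an added illustration written for this article; it is not code from HP or from Tom's Guide, and it analyses only constructed stand-in files built inline (a minimal PE header plus a megabyte of zeroes, and that same header reversed). The thresholds are assumptions chosen for the demonstration, not figures from the HP report.

```python
import struct
import zlib

# Assumed thresholds for this illustration; tune them against your own file corpus.
ZERO_RATIO_THRESHOLD = 0.90      # share of 0x00 bytes that suggests bulk filler
COMPRESSION_THRESHOLD = 0.98     # zlib savings that suggests highly repetitive content
PE_MAGIC = b"MZ"
NT_MAGIC = b"PE\x00\x00"


def zero_byte_ratio(data: bytes) -> float:
    """Fraction of the file made of 0x00 bytes."""
    return data.count(0) / len(data) if data else 0.0


def trailing_zero_run(data: bytes) -> int:
    """Length of the run of 0x00 bytes at the end of the file (the filler area)."""
    return len(data) - len(data.rstrip(b"\x00"))


def compression_ratio(data: bytes) -> float:
    """Space saved by zlib: 0.0 for incompressible data, close to 1.0 for pure repetition."""
    if not data:
        return 0.0
    return 1.0 - len(zlib.compress(data, 6)) / len(data)


def is_pe(data: bytes) -> bool:
    """Minimal PE check: 'MZ' DOS header and an e_lfanew that points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != PE_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == NT_MAGIC


def is_reversed_pe(data: bytes) -> bool:
    """True if the file only becomes a PE image when read back to front."""
    return is_pe(data[::-1])


def triage(data: bytes) -> dict:
    """Collect the padding, compressibility and reversed-image indicators for one file."""
    result = {
        "size": len(data),
        "zero_ratio": zero_byte_ratio(data),
        "trailing_zeros": trailing_zero_run(data),
        "compression_ratio": compression_ratio(data),
        "is_pe": is_pe(data),
        "is_reversed_pe": is_reversed_pe(data),
        "flags": [],
    }
    if result["zero_ratio"] > ZERO_RATIO_THRESHOLD:
        result["flags"].append("bulk_zero_padding")
    if result["compression_ratio"] > COMPRESSION_THRESHOLD:
        result["flags"].append("highly_compressible")
    if result["is_reversed_pe"]:
        result["flags"].append("reversed_pe_image")
    return result


def build_fake_pe_header() -> bytes:
    """Constructed stand-in for a DLL: just the headers a loader would inspect, no real code."""
    hdr = bytearray(0x80)
    hdr[:2] = PE_MAGIC
    struct.pack_into("<I", hdr, 0x3C, 0x80)          # e_lfanew -> NT headers at offset 0x80
    hdr += NT_MAGIC + b"\x64\x86" + b"\x00" * 18     # Machine = AMD64, rest of FILE_HEADER zeroed
    hdr += b"SAMPLE-DLL-BODY" * 64                   # filler standing in for sections
    return bytes(hdr)


# Constructed samples (not the real campaign files): a padded "installer" and a reversed "image".
PADDED_INSTALLER = build_fake_pe_header() + b"\x00" * (1 << 20)   # 1 MiB of zero filler
REVERSED_DLL = build_fake_pe_header()[::-1]                        # stands in for win11.jpg


if __name__ == "__main__":
    for name, sample in (("padded installer", PADDED_INSTALLER), ("reversed dll", REVERSED_DLL)):
        report = triage(sample)
        print(f"{name}: size={report['size']} zero_ratio={report['zero_ratio']:.4f} "
              f"trailing_zeros={report['trailing_zeros']} "
              f"compression={report['compression_ratio']:.4f} flags={report['flags']}")
```

On a real sample the interesting output is the combination: a file that is almost entirely trailing zeroes and compresses to a fraction of a percent of its size is a candidate for "too big to scan" evasion, while an "image" that only parses as a PE after reversal should never be in a download cache at all. Both checks are cheap enough to run on every file a scanner skips because of size.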
RedLine "collects various information about the current execution environment, such as the username, computer name, installed software and hardware data," Schläpfer explained. "The malware also steals stored passwords from web browsers, auto-complete data such as credit card information, as well as cryptocurrency files and wallets."
Even though the windows-upgraded[.]com site is no longer up, it will be easy for the crooks to try again at a different domain, or even to use a different lure. In fact, Schläpfer noted that the same baddies seem to have been behind a very similar campaign back in December that used a fake Discord installer site to distribute RedLine.
How to protect yourself from this malware attack
To protect yourself from RedLine and other forms of malware, check the URL (web address) of every site from which you download software, and run each installer file through an antivirus scanner before you open it. (Most of the best Windows antivirus programs recognize RedLine for what it is.)
And use common sense — a random website that doesn't have "microsoft.com" in the domain name but offers Windows installations anyway isn't likely to be legit.
Source: https://www.tomsguide.com/news/fake-windows-11-installer
Posted by: huffmantharly.blogspot.com