Security researchers have found a fake Windows 11 upgrade website that promises to offer a free Windows 11 install for PCs that don’t meet the minimum specifications, but actually installs data-stealing malware.
Windows 11’s hardware requirements understandably annoyed people with relatively new hardware that couldn’t upgrade to the latest version of Windows, and many looked for ways of circumventing the TPM 2.0 requirement to install Windows 11 on their unsupported devices.
While the website’s address (URL) should be a red flag (we won't mention it here), as it’s clearly not a Microsoft domain, the site itself does look like an official Microsoft website, using logos and artwork that make it difficult to tell apart from a real Microsoft page.
However, as security researchers CloudSEK discovered by clicking the ‘Download now’ button, the website downloads an ISO file that contains malware.
This malware, called ‘Inno Stealer’, uses part of the Windows installer to create temporary files on an infected PC. These spawn processes that place four additional files on the machine, some of which contain scripts that disable various security features, including via changes to the Windows registry. They also tamper with the built-in Windows Defender anti-virus and remove other security products from Emsisoft and ESET.
Other files then run commands with the highest system privileges, while yet another file is created in the C:\Users\AppData\Roaming\Windows11InstallationAssistant folder; it’s this file, named Windows11InstallationAssistant.scr, that contains the data-stealing code. It then harvests information from web browsers, as well as cryptocurrency wallets, stored passwords and files from the PC itself, and sends the stolen data to the operators behind the malware.
Pretty nasty stuff.
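As an added example (not code from the article or from CloudSEK's research), here is a small Python triage script that checks a file listing for the two indicators the article names: the Windows11InstallationAssistant folder under AppData\Roaming and the .scr payload inside it. The broader rule flagging any .scr under a roaming profile, the walk_profiles helper and the sample paths are assumptions and constructed data, not indicators from the report.

```python
import os
from typing import Iterable, List

# Indicators from the article: the dropper writes its files to
# <profile>\AppData\Roaming\Windows11InstallationAssistant\ and the stealer
# itself is named Windows11InstallationAssistant.scr.
IOC_DIR = r"AppData\Roaming\Windows11InstallationAssistant"
IOC_FILE = "Windows11InstallationAssistant.scr"

# Assumption (not from the article): a screensaver executable living under a
# roaming profile folder is unusual enough to flag for review on its own.
SUSPECT_EXT = (".scr",)


def classify_path(path: str) -> List[str]:
    """Return the indicator names a single path matches (empty list if none)."""
    p = path.replace("/", "\\").lower()   # normalise so non-Windows listings work too
    name = p.rsplit("\\", 1)[-1]
    hits = []
    if IOC_DIR.lower() in p:
        hits.append("inno_stealer_dir")
    if name == IOC_FILE.lower():
        hits.append("inno_stealer_payload")
    elif name.endswith(SUSPECT_EXT) and "\\appdata\\roaming\\" in p:
        hits.append("scr_in_roaming")
    return hits


def triage(paths: Iterable[str]) -> dict:
    """Map every path matching at least one indicator to its indicator names."""
    return {p: h for p in paths if (h := classify_path(p))}


def walk_profiles(root: str = r"C:\Users") -> dict:
    """Live check (hypothetical helper): enumerate each user's roaming folder."""
    found = []
    for user in (os.listdir(root) if os.path.isdir(root) else []):
        roaming = os.path.join(root, user, "AppData", "Roaming")
        for d, _, files in os.walk(roaming):
            found.extend(os.path.join(d, f) for f in files)
    return triage(found)


# Constructed sample listing (not real telemetry) mixing benign and suspect paths.
SAMPLE = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Themes\slideshow.ini",
    r"C:\Users\alice\AppData\Roaming\Windows11InstallationAssistant\Windows11InstallationAssistant.scr",
    r"C:\Users\alice\AppData\Roaming\Windows11InstallationAssistant\config.bin",
    r"C:\Users\bob\AppData\Roaming\Updater\helper.scr",
    r"C:\Windows\System32\ssText3d.scr",   # stock screensaver, should not be flagged
]

if __name__ == "__main__":
    for path, hits in triage(SAMPLE).items():
        print(f"{', '.join(hits):38} {path}")
```

On a live machine, call walk_profiles() instead of passing SAMPLE; a match on the folder or payload name warrants a full investigation rather than just deleting the file.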
Analysis: Be careful what you wish for
The scale of the infection here, and what it’s able to steal from you, is very scary, but the good news is that it’s easy to avoid.
No matter how desperate you are to install Windows 11, you should only download ISO files from sources you are absolutely certain are legitimate. While the makers of this malware have put in a lot of work to make the website look legitimate (like many so-called ‘phishing’ attacks), there are some tell-tale signs, such as the aforementioned URL, which highlights that this is not a genuine Microsoft website.
If your PC is eligible for a Windows 11 upgrade, you’ll be alerted via Windows Update, a tool that’s built into Windows operating systems. This is the safest way to ensure you are downloading and installing a genuine copy of Windows 11.
If your PC isn’t eligible, due to not meeting the TPM 2.0 requirements, then there are some safer ways to install Windows 11 without TPM anyway. But we don’t really recommend any of them, especially as Microsoft is making it harder to run Windows 11 on unsupported systems, which could mean you miss out on important updates, security fixes and features in the future.
Above all, however, you should never attempt to download and install a Windows 11 ISO file from any website that isn’t run by Microsoft itself.
Following a surge in propaganda coinciding with Russia's invasion of Ukraine, the VPN provider Surfshark recently released a new fake news warning feature for its browser extensions for Chrome and Firefox.
At the time, Surfshark CEO Vytautas Kaziukonis explained why the company decided to release the feature in a press release, saying:
“The 21st century has shown that information might be sharper than the sword. It’s evident that today’s disinformation campaigns aim to distract, confuse, manipulate, and sow division, discord, and uncertainty in the community. Keeping in mind the intensifying propaganda, we decided to release a feature that would allow people to identify fake news websites easily.”
Surfshark's now defunct fake news warning feature would detect specific URLs from a list of untrustworthy websites taken from the site propornot.com and reviewed by the company's security experts. Sites known for spreading fake news were highlighted with a “YYY” symbol in Google and other search engines. While the feature was enabled by default, Surfshark users were able to toggle it off under the “VPN settings” menu in the company's browser extension.
Suspending its fake news feature
Although Surfshark's intentions were good, the company explained in a post on Twitter that “the topic is more nuanced than initially thought” when it announced that it would be temporarily suspending its fake news notification feature only a few days after its launch.
The problem with the feature is that in addition to being overwhelming for some users, it identified far too many sites as being a source of disinformation. Some of the sites that had a “YYY” next to them on Google's search results page included Drudge Report, Ron Paul's website, the alternative video platform BitChute and even WikiLeaks.
While consumers rely on VPN services to protect their privacy online and to get around geo-blocking, many of the users that responded to a separate post on Twitter by BitChute took issue with Surfshark limiting freedom of expression online. At the same time, BitChute pointed out that several major news stories in the last year were considered 'misinformation' before being revealed to be true.
Although Surfshark has said that it would only temporarily suspend the feature, its original blog post announcing its fake news notifications has been removed from its site. We'll have to wait and see whether the company decides to bring it back, though based on the criticism the feature faced online, it likely won't be returning anytime soon.