
Segurazo

From Malware Wiki
Segurazo
Type: Rogue/PUP
Creator: Digital Communications Inc
Date: 2019
Origin: possibly Brazil (?)
Platform: Microsoft Windows
File type: Win32 PE executable (.EXE)
Alias(es): Segurazo.A, PUP.Optional.Segurazo, PUP.Segurazo
MD5: c66beeb5f948506ade39a80e3d93f4d3
SHA-1: 09880d4c19543ebea940ece4630a60af8e136a4e
SHA-256: 132e746d4cf3a979c68f557e251dc0f1ab0e9941d037b8f429c2b30bca796470
SSDEEP: 196608:0KkpRfmrOVGXaALFYZejEiR32WkQ7o2nxEPpS8vO2OMWItEBKDWhNpdk9vC:GmrEGKmSQgUVkQRopJvOLMWIyBKKhNpP
Authentihash: 0bcd951cba363088930c8c7da5a99caa98f60524925f36344b57a9efb6b7eea6
IMPhash: 7fa974366048f9c551ef45714595665e

Segurazo, also detected as Segurazo.A, PUP.Segurazo or PUP.Optional.Segurazo, is a rogue antivirus. It installs malicious software alongside itself.

It is extremely difficult to uninstall, but it can be removed with Malwarebytes. The creator of Segurazo, Digital Communications Inc., claims that "segurazo" means "security" in Portuguese. This is false: the Portuguese word for "security" is segurança.

Recently, Segurazo has been seen bundled with popular software such as Cheat Engine, PowerISO and Nox, so users may install it unwittingly; in some cases the installer offers no option to opt out of Segurazo. In general, users are advised to decline any additional software offered by an installer if they suspect it may be unwanted.

According to ICANN records, the Segurazo domain was first registered in 2007, and its name and logo were created at that time as well. The domain was parked by BrandBucket, a company that sells curated business names and logos. During that period the name was said to derive from the Spanish word "seguro", meaning "secure, safe". In 2018 the brand and name were priced at $995 USD. The website and name went unused until January 2019, when the site first went online. Additionally, according to Crunchbase, the company was founded in January 2018 and has 11-50 employees.

It was first documented in a Reddit post in February 2019 by /u/BlackNightOwl in the subreddit /r/AskTechnology. The comments on the thread were largely negative, and what appears to be a sockpuppet account of the company (/u/David_Security) defended the software, claiming that it is a legitimate antivirus from Brazil and that his office had used it for the "past couple of years" (likely false, as the software only first appeared in 2019). Another apparent sockpuppet, /u/theprofessional908, attacked the OP, calling them "ignorant" and claiming that "it's a real AV".

The company's official Reddit handle responded, claiming that the software is completely legitimate. However, judging from other responses, this does not appear to be the case.

The claimed address for the company is 1168 Mission Street in San Francisco, which appears to be a shared office that is owned by WeWork. According to the Terms and Conditions of Segurazo, the company operates under Wyoming law.

Payload

The website, while relatively professionally designed, is written in broken English, which probably indicates that the creators of the software are not native English speakers. The program's interface is written in similarly odd English, with occasional grammatical and typographical errors.

Segurazo reaches the user's computer bundled with other software. Once installed, it slows the computer down, disrupts browsing and other activities, and repeatedly tries to convince the user to purchase the software. It behaves much like earlier notorious rogue antiviruses such as SpySheriff and NavaShield, though it is not nearly as destructive, since Windows 10 is considerably more hardened than its predecessors.

Additionally, Segurazo only appears to arrive as part of other software bundles (or by direct download from its own website), whereas older rogue AVs would sometimes install themselves onto a computer against the user's will. So far there are no reports of Segurazo installing itself without user interaction, a common tactic of rogues in the 2000s and early 2010s.

Regardless, the program has recently become harder to remove and more malicious: uninstalling it directly no longer seems to work, and many of its files cannot be deleted directly. Antivirus programs appear to be able to remove it only in Safe Mode, as it seems to crash other programs. It may also attempt to turn off Windows Defender and other installed programs.

Interestingly, Segurazo has published online articles about cyber-security threats and even maintains a Twitter feed, likely to make it look legitimate.

Segurazo is known to disrupt normal computer use, for example by disabling the Windows search bar, interrupting browsing sessions, and encrypting its own files so that they cannot easily be removed. Prior to September 2019 the software could be removed in the usual way, either by a normal antivirus or via its own uninstaller; it has since been updated to make removal harder.

Removal

An antivirus can remove the program. Boot Windows into Safe Mode, run the antivirus there, and remove the program. The antivirus may need to be run several times (including again in normal mode) to remove Segurazo entirely, and some remnants may have to be removed manually.
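The hunt for remnants described above can be made less hit-and-miss by checking files against the hashes listed in the infobox. The following PowerShell script is an added example for this article, not code from the wiki or from Segurazo's vendor: it sweeps common install locations for files whose MD5 or SHA-256 matches the documented sample and lists any running process backed by such a file, so those processes can be stopped before the file is deleted. The hash values are the page's; the search roots and file extensions are assumptions about where a bundled PUP typically lands. Run it from an elevated prompt, preferably in Safe Mode.

```powershell
# Added example (not from the wiki page or from Segurazo's vendor): hash-based sweep
# for the sample documented in the infobox. Reports only; it deletes nothing.

# Hashes of the documented sample (taken from the infobox), lower-cased for comparison.
$KnownSha256 = @('132e746d4cf3a979c68f557e251dc0f1ab0e9941d037b8f429c2b30bca796470')
$KnownMd5    = @('c66beeb5f948506ade39a80e3d93f4d3')

# Assumed search roots: typical drop locations for bundled installers and payloads.
$SearchRoots = @(
    $env:ProgramFiles
    ${env:ProgramFiles(x86)}
    $env:ProgramData
    $env:LOCALAPPDATA
    $env:APPDATA
    $env:TEMP
    (Join-Path $env:USERPROFILE 'Downloads')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Returns the matching algorithm name, or $null if the file is not the known sample.
# Locked or unreadable files (the article notes some of its files resist deletion)
# are reported with a warning rather than skipped silently.
function Test-KnownSample {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $sha = (Get-FileHash -LiteralPath $Path -Algorithm SHA256 -ErrorAction Stop).Hash.ToLower()
        if ($KnownSha256 -contains $sha) { return 'SHA-256' }
        $md5 = (Get-FileHash -LiteralPath $Path -Algorithm MD5 -ErrorAction Stop).Hash.ToLower()
        if ($KnownMd5 -contains $md5) { return 'MD5' }
    } catch {
        Write-Warning ("Could not hash {0}: {1}" -f $Path, $_.Exception.Message)
    }
    return $null
}

# Running processes whose image file is the known sample; stop these before deleting.
$ProcessHits = Get-Process | ForEach-Object {
    $image = $null
    try { $image = $_.Path } catch { }   # image path of protected processes is not readable
    if ($image -and (Test-KnownSample -Path $image)) {
        [pscustomobject]@{ Id = $_.Id; Name = $_.ProcessName; Path = $image }
    }
}

# On-disk matches under the assumed roots (extensions are an assumption).
$FileHits = foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Recurse -File -Include *.exe,*.dll,*.tmp -ErrorAction SilentlyContinue |
        ForEach-Object {
            $match = Test-KnownSample -Path $_.FullName
            if ($match) {
                [pscustomobject]@{ Path = $_.FullName; MatchedBy = $match; LastWrite = $_.LastWriteTime }
            }
        }
}

if ($ProcessHits) { 'Running processes matching the sample:'; $ProcessHits | Format-Table -AutoSize }
if ($FileHits)    { 'Files matching the sample:';              $FileHits    | Format-Table -AutoSize }
else              { 'No files matching the listed sample hashes were found under the searched roots.' }
```

To boot into Safe Mode from an elevated prompt, run `bcdedit /set '{current}' safeboot minimal` and reboot, then `bcdedit /deletevalue '{current}' safeboot` once cleanup is done (msconfig's Boot tab does the same). Note that the script matches only the one sample whose hashes the article lists; the article itself says the program has been updated since September 2019, so a build with different hashes will not be found and a clean result is not proof that the machine is clean.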

Media

File:Segurazo.png
A picture of Segurazo AV.

Sources

Reddit, /r/AskTechnology: "Is Segurazo Client Antivirus Safe?"