Malware Alert: “Defru” Rogue Performs Fake Scan in Browser

Rogue Alert!

defruA new browser-based rogue security scanner Microsoft has named Rogue:Win32/Defru pretends to find malware on your computer, attempts to sell you fake security products, and prevents you from connecting to over 300 common websites – many of which belong to companies that sell legitimate security products. Those familiar with rogue security products will know that such capabilities have been employed by attackers for years; however, Microsoft reports that Defru is notable due to its simplified, browser-based approach.

Defru Play-by-Play

defru-2Defru modifies the infected PC’s hosts file, which is responsible for website navigation. If the user attempts to navigate to one of more than 300 websites Defru has been designed to recognize, they will instead be redirected to an infamous “PC Defender” rogue site: pcdefender[.]co[.]vu.

Users need not download anything from PC Defender to be scammed. Rather, the website simply displays a graphic that looks like a scan within the website’s browser window. The “scan” then pretends to find malware as it runs, and cites a number of fake malware variants. After “finding” these threats, the website offers malware removal, for a fee which can be paid via credit card at

How Can I Tell If I’m Infected?

If you try to navigate to a normal website but are instead redirected to a site like the one pictured above, you may be infected by Defru. Note: your navigation bar will display the website you typed into it, not pcdefender[.]co[.]vu.

Microsoft has prepared a full report on Defru, which includes a list of all the websites it can perform redirects on here. Presently, is not part of that list. This means that if you suspect your computer has been infected, you can navigate to to receive assistance from one of our malware removal experts. Alternatively, advanced users can find removal instructions at the end of this blog post from Microsoft malware researcher Daniel Chipiristeanu.

Have a great (rogue-free) day!


  • Legend

    That kind of Rogues like ” Rogue:Win32/Defru ” is one of the oldest kind of malware, and you could say, it was the predecessor for the more nasty malware group, ” Ransomware “. But the problem with these Rogues is, that it is very easy for the malware creator to update the Rouge, so it appears as a new, and maybe undetected malware for the antivirus engine. Now you can even as a cybercriminal buy an update plan to those kind of Rogues, to protect your investment, so to speak . But a non independent signature based protection, like a well configured behavior blocker will very likely, always stop the Rouge in it’s track.