New Scareware Blocks Access To Popular Websites, Demands Fake “Internet Security 2010” To Be Installed
Security researchers from antivirus vendor Trend Micro warn that a new FAKEAV version operates a ransomware-like component as a Layered Service Provider (LSP) routine. The malicious .DLL blocks access to websites such as Facebook, YouTube, MySpace, The Pirate Bay and others.
The Layered Service Provider is a Winsock feature that has long been abused by malware because it allows altering Internet traffic. The scareware analyzed by Trend installs a .DLL file in the LSP chain, with the purpose of intercepting calls to facebook.com, youtube.com or myspace.com, from Internet Explorer, Firefox and other applications (through svchost).
Trying to access any of these domains from an infected computer will result in a page with a red background reading: “Restricted Site! This web site is restricted based on your security preferences. Your system is infected. Please activate your antivirus software.”
“It will only allow the users access if the registry key, HKEY_CURRENT_USER\Software\IS2010, exists in their systems. However, the said key will only exist if the FAKEAV application Internet Security 2010 (aka TROJ_FAKEAL.SMDO, TROJ_FAKEAL.SMDP, or TROJ_FAKEINIT.BC), is present on the affected system,” the Trend Micro researchers explain.
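Because the component sits in the LSP chain, it shows up in the Winsock catalog, which `netsh winsock show catalog` lists. The following is an added example, not code from Trend Micro or the article: it parses a constructed listing laid out like that command's output (the field layout is assumed, and the DLL name is hypothetical) and flags every entry that is not a plain base provider, using the Winsock convention that a base provider has a protocol chain length of 1.

```python
import re

# Constructed sample laid out like `netsh winsock show catalog` output (fields
# trimmed). Entries 1015/1016 model a third-party LSP; example_lsp.dll is a
# hypothetical name, not an indicator from the article.
SAMPLE = r"""
Winsock Catalog Provider Entry
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
Description:                        Example Filter
Provider Path:                      C:\ProgramData\example_lsp.dll
Catalog Entry ID:                   1015
Protocol Chain Length:              0

Winsock Catalog Provider Entry
Description:                        Example Filter over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      C:\ProgramData\example_lsp.dll
Catalog Entry ID:                   1016
Protocol Chain Length:              2
Protocol Chain:                     1015 : 1001
"""

SYSTEM_DIRS = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")

def parse_catalog(text):
    """Return one {field: value} dict per provider entry in the listing."""
    entries = []
    for block in re.split(r"(?m)^Winsock Catalog Provider Entry\s*$", text):
        fields = {k.strip(): v.strip()
                  for k, v in re.findall(r"(?m)^([A-Za-z ]+):[ \t]+(.+)$", block)}
        if fields:
            entries.append(fields)
    return entries

def review_list(entries):
    """Flag entries that are not plain base providers (chain length != 1)
    or whose DLL loads from outside the Windows system directory."""
    flagged = []
    for e in entries:
        layered = e.get("Protocol Chain Length") != "1"
        outside = not e.get("Provider Path", "").lower().startswith(SYSTEM_DIRS)
        if layered or outside:
            flagged.append((e["Catalog Entry ID"], e["Provider Path"], layered, outside))
    return flagged
```

Legitimate software also installs LSPs, so the result is a list of entries to review against known-good software on the host, not a verdict.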
FAKEAV is a generic name used by the antivirus company to detect scareware or rogueware applications. These programs masquerade as antivirus products and attempt to scare users into paying unnecessary license fees by displaying alerts about fake malware infections.
The distribution of scareware used to be a very profitable model for generating illegal income. However, with a constantly shrinking market due to successful public education against these scams, scammers found themselves forced to come up with ways to get an edge over their competition.
This fighting amongst competing cybercriminal gangs has led to the appearance of more aggressive approaches, like disabling critical system functionality until the user agrees to pay up. Programs that display such behavior are referred to as ransomware, and blocking access to popular websites certainly falls into this category.
Credit: Softpedia.com News