Daily cyber threats and internet security news: network security, online safety and latest security alerts
March 22nd, 2010

New Scareware Blocks Access To Popular Websites, Demands Fake “Internet Security 2010″ To Be Installed

Security researchers from antivirus vendor Trend Micro warn that a new FAKEAV version operates a ransomware-like component as a Layered Service Provider (LSP) routine. The malicious .DLL blocks access to websites such as Facebook, YouTube, MySpace, The Pirate Bay and others.

The Layered Service Provider is a Winsock feature that has long been abused by malware because it allows altering Internet traffic. The scareware analyzed by Trend installs a .DLL file in the LSP chain, with the purpose of intercepting calls to, or, from Internet Explorer, Firefox and other applications (through svchost).

Trying to access any of these domains from an infected computer will result in a page with red background reading: “Restricted Site! This web site is restricted based on your security preferences. Your system is infected. Please activate your antivirus software.”

“It will only allow the users access if the registry key, HKEY_CURRENT_USERSoftwareIS2010, exists in their systems. However, the said key will only exist if the FAKEAV application Internet Security 2010 (aka TROJ_FAKEAL.SMDO, TROJ_FAKEAL.SMDP, or TROJ_FAKEINIT.BC), is present on the affected system,” the Trend Micro researchers explain.

FAKEAV is a generic name used by the antivirus company to detect scareware or rogueware applications. These programs masquerade as antivirus products and attempt to scare users into paying for unnecessary license fees by displaying alerts about fake malware infections.

The distribution of scareware used to be a very profitable model for generating illegal income. However, with a constantly shrinking market due to successful public education against these scams, scammers found themselves forced to come up with ways to get an edge over their competition.

This fighting amongst competing cybercriminal gangs has lead to the appearance of more aggressive approaches, like disabling critical system functionality until the user agrees to pay up. Programs that display such behavior are referred to as ransomware and blocking access to popular websites certainly falls into this category.

Credit: Softpedia,com News

Share this item with others:

More on CyberInsecure:
  • TweetMeme Hit By Malvertisement, Users Redirected To Fake Antivirus Pages
  • Scareware Makes Files And Folders Invisible, Demands Ransom For Repair Utility
  • Scareware Affiliates Manipulate Search Engines Resuts By Using Black-hat SEO Techniques
  • VirusTotal Brand Abused To Push Scareware Through Forum Spam
  • Scareware Malvertizements Approved By Google And Microsoft Ad Systems, Served On,

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: New Scareware Blocks Access To Popular Websites, Demands Fake “Internet Security 2010″ To Be Installed

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.