New Scareware Exploits Layered Service Provider
Security researchers at Trend Micro (an antivirus vendor) say they have discovered a new variant of FAKEAV that both displays the fake alerts typical of scareware, claiming the user's computer has been hijacked, and downloads an additional file, a Dynamic Link Library (.DLL).
The .DLL file is inserted into the Layered Service Provider (LSP) chain. Once in the chain, it is loaded whenever an application uses Windows Sockets (Winsock); malware routinely abuses the LSP mechanism in this way. In this case, the main purpose of the FAKEAV component is to prevent web browsers from connecting to specific websites, including YouTube, MySpace, Facebook, The Pirate Bay and others.
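One defensive check that follows from this is to audit the Winsock catalog for layered providers whose DLL does not live in the system directory. The example below is added here and is not code from Trend Micro or SPAMfighter; it parses text in the style of `netsh winsock show catalog` output (the catalog sample embedded in it is constructed, not a real capture, and the `wsfilter.dll` entry is a hypothetical stand-in for an unwanted LSP).

```python
import re

# Constructed sample in the style of "netsh winsock show catalog" output:
# one baseline Microsoft provider and one layered provider installed outside
# %SystemRoot%\system32. Provider ID and path of the second entry are made up.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        MSAFD Tcpip [TCP/IP] over [Example Filter]
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      C:\Users\Public\AppData\wsfilter.dll
Catalog Entry ID:                   1042
Protocol Chain Length:              2
"""

def parse_catalog(text):
    """Split netsh-style catalog text into one dict of 'Field: value' pairs per entry."""
    entries = []
    for chunk in re.split(r"Winsock Catalog Provider Entry", text)[1:]:
        entry = {}
        for line in chunk.splitlines():
            m = re.match(r"^([A-Za-z][A-Za-z ]+?):\s+(.*)$", line)
            if m:
                entry[m.group(1)] = m.group(2).strip()
        if entry:
            entries.append(entry)
    return entries

def is_layered(entry):
    """An LSP is either typed as such or sits in a protocol chain longer than one."""
    return ("Layered" in entry.get("Entry Type", "")
            or int(entry.get("Protocol Chain Length", "1") or 1) > 1)

def path_is_system(path, system_root=r"C:\Windows"):
    """True if the provider DLL resolves to a file under %SystemRoot%\system32."""
    expanded = path.lower().replace("%systemroot%", system_root.lower())
    return expanded.startswith(system_root.lower() + r"\system32" + "\\")

def find_suspicious_lsps(text, system_root=r"C:\Windows"):
    """Layered providers whose DLL lives outside the system directory: triage candidates."""
    return [e for e in parse_catalog(text)
            if is_layered(e) and not path_is_system(e.get("Provider Path", ""), system_root)]

if __name__ == "__main__":
    for e in find_suspicious_lsps(SAMPLE_CATALOG):
        print(f"suspicious LSP {e['Catalog Entry ID']}: {e['Provider Path']}")
```

A location check is only a first pass, since a malicious LSP can be dropped into system32 as well; compare the Provider IDs and paths against a known-good baseline from a clean machine before acting.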
If any of these websites is accessed from an infected computer, the browser shows a web page with a red background carrying the message: "Restricted Site! - This site has been blocked from accessing as per the security preferences. The system has been infected by malware and an antivirus scanning is essential."
Trend Micro researchers explained that the malware permits access to these websites if certain registry keys are present on the system. However, those keys exist only if the FAKEAV program Internet Security 2010 (detected as TROJ_FAKEINIT.BC, TROJ_FAKEAL.SMDO or TROJ_FAKEAL.SMDP) is installed on the affected system, as softpedia reported on March 22, 2010.
The researchers further noted that the malware tries to create more panic by making users believe the websites are genuinely restricted or blocked. Frightened users then try to install any antivirus product and are even prepared to pay for the rogue antivirus.
Spreading scareware is a very profitable technique for cyber criminals. But as public awareness of these scams rises, scammers compete for a shrinking pool of victims and are forced to find new ways of carrying out their frauds, the researchers said.
This competition for profits among cyber criminal gangs has produced more aggressive approaches, such as disabling vital system functionality until the user agrees to pay for the fake antivirus. Programs that exhibit such behavior are called ransomware, and blocking access to well-known websites, as described above, falls into the same category.
» SPAMfighter News - 31-03-2010