By Andrew Brandt
Last year, we at Webroot (as well as many other people) saw a huge spike in two specific types of malware: Rogue antispyware products — the ineffective, deceptive kind — and the various tricks the companies that sell rogues use to trick you into downloading (and eventually buying) their bogus products, something we refer to, generally, as Fakealerts.
Here’s usually how the trick works: First, you’re fooled into browsing to a Web site which employs any of a number of tricks to install the Fakealert code onto your PC. The Fakealert then begins popping up messages warning you about some sort of infection in the System Tray, or in dialog boxes, and/or by opening browser windows to pages that look uncannily similar to control panels or dialog boxes used by Windows XP and/or Vista. Later, after you’ve been provided a smoke-and-mirrors “free scan” of your system (which, of course, reports all kinds of salacious and undesirable “detections”), you’re directed to a page where, for just $59 you can be rid of your spyware problems forever.
The tricks these guys employ get more creative with every new iteration. We’ve seen them drop hundreds of junk files on a hard drive, which are then “detected” as infections; install screensavers that look just like your computer is going through Blue Screen of Death convulsions; and run every dirty trick and cheap gimmick to get a sale.
So it came as no surprise when we encountered yet another Fakealert — we decided to call it Adware-Loserbar — that leads, eventually, to a rogue product. What set this one apart was its sheer gall — and a few new tricks we hadn’t seen before.
For example, when it’s installed, the spy interacts with Windows Explorer so that, when you open certain folders, it pops up a dialog box that says you’ve just finished downloading something, shall we say, unsavory. The kind of thing you wouldn’t want your family, boss, or parole officer to see over your shoulder.
If you decide to open your browser, you’re automatically taken to a fake Google search results page. Apparently, you searched for “IE Security ZlobTrojan32” on fake Google even though you didn’t even know you wanted to, and, judging by the response, fake Google thinks you both (a) have an infection and (b) enjoy watching fake porn on fake YouTube as well. This happens each time you launch the browser, by the way. Hooray.
The spy also drops six new icons on your desktop, which are IE shortcuts to Web sites. The shortcuts are named Cheap Pharmacy Online, Cheap Software, MP3 Download, Search Online, SMS TRAP, and VIP Casino.
I wouldn’t recommend any of the sites they take you to, nor would I recommend that you open any of them: The “Search Online” shortcut takes you directly to porn search results; The MP3 Download link takes you to a site where you can buy entire albums for under 1 Euro.
I wonder if some other company, which also has an online MP3 store, would like to know if a slightly sketchy company is using this logo on their homepage
No wonder Morrissey looks so sad.
Another site sells a keylogger that you foist onto someone else’s cellphone your own cellphone, so you can spy on keep a record of someone else’s your text messages. The first question on the site’s FAQ, “is it legal?” gets the response “Sure…it is ‘your’ cell phone that you will install our software into, isn’t it?” followed by a winking smiley. Seriously, business leaders, take note: Winking smileys always inspire confidence.
Evenually it gets around to displaying the “classic” Fakealert dialog box, which tells you that the PC is infected, and leads you to the rogue antispyware product’s website. I love the fact that it tells you to click “OK” but the only options are “Yes” and “No” — that’s some quality programming.
I think it goes without saying that we can dispatch this junk with extreme prejudice.