January 27, 2010 at 18:10“Window” blockers, or who benefits from the spread of Win32 / LockScreen Trojans
Recently, a rather strong resonance in the media has caused the so-called epidemic of blocking programs. By blocking programs we mean malware that, after being activated / launched, blocks the user’s work on his computer in one way or another. At the same time, attackers extort money for providing the service of returning the previous PC performance. In this whole story with blockers, it is interesting that this problem is local in nature for Russia and neighboring countries. In other countries, such fraud is practically not widespread, but rather is the exception to the rule. Why did this become so widespread in our country? The answer is much simpler than it might seem, and is on the surface.
The fact is that in our country, the popularity of SMS payments to short numbers is very high. And the legal regulation for providers that provide short numbers for rent is clearly lagging. And that is why it is beneficial for cybercriminals to create and distribute this kind of malware. And with the help of blockers, they can quickly fix their financial situation with money obtained through extortion and blackmail. In addition, many users choose the easiest way to resist this infection, that is, pay. But often, after paying for the unlock service, you don’t get it, since fraudsters have already achieved the desired effect and received the treasured rubles from you. And tomorrow they will begin to distribute another program, and most likely, you will not fall for this bait. But there are still a large number of users who have not stepped on this malicious "rake". The vastness of our country is very large.
The lifetime of one instance of the Win32 / LockScreen Trojan is small and, at best, lasts several days. The fact is that these Trojans quickly fall into anti-virus databases and cease to bring “dirty” profit to their creators. After that, modified instances appear that are modified in such a way as to confuse most anti-virus programs. If you look at the code of many blocking programs, in their structure they are very similar to completely legal applications, which adds to the hassle of their non-signature detection and enhances the effect of their distribution.
But the spread of blocking programs is a separate, no less exciting topic. These wreckers do not know how to spread by themselves, without any help. Probably, it will not turn out to be a discovery for many users that there are entire “affiliates” in providing malware distribution services, including Win32 / LockScreen Trojans.
A particularly massive effect of the coordinated work of the cybercriminal community is noticeable during increased social activity on the network. For example, on New Year's holidays or when there is an increase in the number of search queries with the following content “download the movie Avatar for free”. The distribution scenario is usually very simple: you are asked under various pretexts to download and run an executable file, sometimes disguised as something else. This explains the fact that in December / January we noticed a significantly increased intensity of distribution of the Win32 / LockScreen Trojans.
Finally, we look at the situation from the other side. It may be too cynical to argue that such a massive proliferation of fraudulent programs might make new Internet users quickly realize that you should not poke all the banners in a row. Probably, having lost 300 rubles, the next time the user will not compromise the account of his Internet bank with a much larger amount. The second positive moment in this Runet epidemic, perhaps, will be the grinding of the legislative framework in relation to “partners” in distributing LockScreens and telephone aggregators that provide short numbers for rent. After all, until 2009, they very successfully developed their business at the expense of customers doing bulk SMS messages with texts like:“Mom, they stole a cell phone from me, immediately put me 500 r. to the number +7 (9xx) xxx-xx-xx . " Now it's time to pay for new Internet users who have not yet had time to figure out what is safe in the wilds of the Internet and what can be harmful.
ZY: ESET wants to again urge all users not to fall for the tricks of intruders and to be vigilant. If you still couldn’t avoid the blocker, and you are infected with such a Trojan, NEVER pay for the services of intruders. With high probability you will not get the desired solution to this problem. If suddenly, a rotten Trojan defeats your PC, you can use our free unlock service.
The fact is that in our country, the popularity of SMS payments to short numbers is very high. And the legal regulation for providers that provide short numbers for rent is clearly lagging. And that is why it is beneficial for cybercriminals to create and distribute this kind of malware. And with the help of blockers, they can quickly fix their financial situation with money obtained through extortion and blackmail. In addition, many users choose the easiest way to resist this infection, that is, pay. But often, after paying for the unlock service, you don’t get it, since fraudsters have already achieved the desired effect and received the treasured rubles from you. And tomorrow they will begin to distribute another program, and most likely, you will not fall for this bait. But there are still a large number of users who have not stepped on this malicious "rake". The vastness of our country is very large.
The lifetime of one instance of the Win32 / LockScreen Trojan is small and, at best, lasts several days. The fact is that these Trojans quickly fall into anti-virus databases and cease to bring “dirty” profit to their creators. After that, modified instances appear that are modified in such a way as to confuse most anti-virus programs. If you look at the code of many blocking programs, in their structure they are very similar to completely legal applications, which adds to the hassle of their non-signature detection and enhances the effect of their distribution.
But the spread of blocking programs is a separate, no less exciting topic. These wreckers do not know how to spread by themselves, without any help. Probably, it will not turn out to be a discovery for many users that there are entire “affiliates” in providing malware distribution services, including Win32 / LockScreen Trojans.
A particularly massive effect of the coordinated work of the cybercriminal community is noticeable during increased social activity on the network. For example, on New Year's holidays or when there is an increase in the number of search queries with the following content “download the movie Avatar for free”. The distribution scenario is usually very simple: you are asked under various pretexts to download and run an executable file, sometimes disguised as something else. This explains the fact that in December / January we noticed a significantly increased intensity of distribution of the Win32 / LockScreen Trojans.
Finally, we look at the situation from the other side. It may be too cynical to argue that such a massive proliferation of fraudulent programs might make new Internet users quickly realize that you should not poke all the banners in a row. Probably, having lost 300 rubles, the next time the user will not compromise the account of his Internet bank with a much larger amount. The second positive moment in this Runet epidemic, perhaps, will be the grinding of the legislative framework in relation to “partners” in distributing LockScreens and telephone aggregators that provide short numbers for rent. After all, until 2009, they very successfully developed their business at the expense of customers doing bulk SMS messages with texts like:“Mom, they stole a cell phone from me, immediately put me 500 r. to the number +7 (9xx) xxx-xx-xx . " Now it's time to pay for new Internet users who have not yet had time to figure out what is safe in the wilds of the Internet and what can be harmful.
ZY: ESET wants to again urge all users not to fall for the tricks of intruders and to be vigilant. If you still couldn’t avoid the blocker, and you are infected with such a Trojan, NEVER pay for the services of intruders. With high probability you will not get the desired solution to this problem. If suddenly, a rotten Trojan defeats your PC, you can use our free unlock service.