Rogue AV Takes to the Browser to Revive Fortunes

Rogue anti-virus authors are now using browser-based strategies in a fresh attempt to improve their success rates and infect users, according to Microsoft.

Daniel Chipiristeanu, a researcher at the Microsoft Malware Protection Center, explained in a blog post that in the past the rogue AV would use the hosts file to block access to the victim’s legitimate security software, so that it was not able to protect against the malware.

However, a new variant, Rogue:Win32/Defru, will now completely block access to the internet, he said.

“When the user is browsing the internet, the rogue will use the hosts file to redirect links to a rather infamous specific fake website (pcdefender.<removed> IP 82.146.<removed>.21) that is often used in social engineering by fake antivirus malware,” Chipiristeanu continued.

Although the user will see the name of the site they’re trying to access in the address bar, they will apparently not be able to navigate away from this fake AV page.

Defru itself appears to be mainly aimed at Russian speakers, with the site flashing up a message designed to imitate a Windows Security warning, and promising a “system clean, access to webpages, daily updates, and access to ‘Windows Security’ and ‘Windows Defender’.”

“An unsuspecting user, after receiving this warning more than a few times when browsing, might be inclined to click ‘Pay Now’,” said Chipiristeanu.

“This will lead them to a payment portal called ‘Payeer’ (payeer.com) that will display payment information (see Figure 3). It's linked to galafinance.com – a website that displayed a ‘Temporary busy’ text when accessed and now is offline. But of course, even if the user pays, the system will not be cleaned.”

It currently targets over 300 websites, redirecting anyone who visits them to the fake AV page, according to Microsoft.
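As an added example (not code from Microsoft's post or this article), here is a small Python check a defender could run over a Windows hosts file to spot the pattern described above: many unrelated hostnames all mapped to one non-loopback address. The sample hosts content and the 203.0.113.21 address are constructed placeholders, not the values from the article.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts file modelled on the behaviour described above:
# many unrelated domains all pointed at one remote IP. The address is a
# placeholder from the RFC 5737 documentation range, not the one in the article.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.21    www.google.com
203.0.113.21    yandex.ru
203.0.113.21    vk.com
203.0.113.21    mail.ru
203.0.113.21    update.microsoft.com
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line
        ip, *names = fields
        for name in names:
            yield ip, name.lower()

def find_hijacks(text, min_hosts=3):
    """Return {ip: sorted hostnames} for every non-loopback IP that at least
    `min_hosts` hostnames map to. Loopback/unspecified targets (127.0.0.1,
    ::1, 0.0.0.0) are ignored because ad-blockers and legitimate software
    commonly use them to sinkhole domains; a remote IP is the suspicious case."""
    by_ip = defaultdict(set)
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an IP address, skip
        if addr.is_loopback or addr.is_unspecified:
            continue
        by_ip[str(addr)].add(name)
    return {ip: sorted(n) for ip, n in by_ip.items() if len(n) >= min_hosts}

if __name__ == "__main__":
    for ip, names in find_hijacks(SAMPLE_HOSTS).items():
        print(f"suspicious: {len(names)} hostnames redirected to {ip}: {', '.join(names)}")
```

On a real Windows machine the file to read is %SystemRoot%\System32\drivers\etc\hosts; any hit should be checked against the machine's expected configuration before the entries are removed.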

Rogue AV authors are turning to these tactics because they have been going through something of a lean spell over the past year.

This is largely thanks to “greater education about the social engineering technique the rogues use, and the large number of legitimate, free antivirus products available on the market,” Chipiristeanu claimed.
