Game cheat keys can be dangerous: this one is a rootkit

An excellent example of why cheating never pays off

The scam, discovered by GFI, works by playing on game players’ often relaxed attitude toward the internet, and the ready desire of many players to seek cheat codes (by their nature not easy or obvious to find) in order to enhance their gaming experience.

The YouTube account points users to MediaFire, one of the internet’s leading file hosting services. From here users download a compressed archive containing an HTML file, a text file and the key generator application; following its instructions leads to the covert installation of the ZeroAccess rootkit. The text file contains a shortened (and therefore disguised) URL that must be visited in order to obtain the necessary password.

Here, a short survey is displayed. “To obtain the password we need you to take just a moment to complete these steps.” It looks like a legitimate marketing offer: accept free coupons or a free sample and you can have what you want. Once the user has done this, a 'Show Password' button purports to deliver the key.
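The delivery chain described above (an archive bundling an HTML file, a text file with a shortened link, and an executable "key generator") is a recognisable pattern that a helpdesk or SOC analyst can triage before anything is run. The following Python script is an added example, not code from the article or from GFI or Prevx: it builds a constructed in-memory archive mimicking that layout, then scans any archive for executables (by extension and by the "MZ" PE header) and for shortener links in its text or HTML files, flagging the combination. The shortener host list and the placeholder link are assumptions chosen for illustration.

```python
import io
import os
import re
import zipfile

# Constructed sample: layout mirrors the lure described in the article.
# The link is a placeholder, not a real shortened URL from the campaign.
LURE_FILES = {
    "readme.html": "<html><body>Run keygen.exe and enter the password</body></html>",
    "password.txt": "Get the password here: http://bit.ly/EXAMPLE-PLACEHOLDER",
    "keygen.exe": b"MZ" + b"\x00" * 62,  # minimal fake PE header, not a real binary
}

# Constructed benign counterpart: documentation only, full (unshortened) link.
BENIGN_FILES = {
    "notes.txt": "Patch notes are published at https://example.org/patchnotes.html",
}

# Assumed list of URL-shortener hosts; extend to match local threat intel.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "adf.ly", "ow.ly"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}
TEXT_EXTS = {".txt", ".html", ".htm", ".nfo"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s\"'<>]*")


def build_archive(files: dict) -> bytes:
    """Pack a {name: content} mapping into an in-memory zip archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def triage_archive(data: bytes) -> dict:
    """Inspect an archive without executing anything it contains.

    Returns the executables found, every shortener link seen in text/HTML
    members, and a 'suspicious' verdict when both appear together.
    """
    findings = {"executables": [], "shortened_urls": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = os.path.splitext(name.lower())[1]
            content = zf.read(name)
            # Executable by extension or by PE magic, regardless of the name used.
            if ext in EXECUTABLE_EXTS or content[:2] == b"MZ":
                findings["executables"].append(name)
            if ext in TEXT_EXTS:
                text = content.decode("utf-8", errors="replace")
                for match in URL_RE.finditer(text):
                    if match.group(1).lower() in SHORTENER_HOSTS:
                        findings["shortened_urls"].append((name, match.group(0)))
    # The lure pattern: a binary to run plus a disguised link to "unlock" it.
    findings["suspicious"] = bool(findings["executables"]) and bool(findings["shortened_urls"])
    return findings


if __name__ == "__main__":
    for label, files in (("lure", LURE_FILES), ("benign", BENIGN_FILES)):
        result = triage_archive(build_archive(files))
        print(f"{label}: suspicious={result['suspicious']} "
              f"executables={result['executables']} links={result['shortened_urls']}")
```

The check is deliberately static: nothing in the archive is run, and a renamed binary is still caught by its PE header. A positive verdict is a reason to quarantine the download and submit the executable for analysis, not a proof of infection.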

What it really does is install the ZeroAccess rootkit, which overwrites critical OS files. According to GFI, most AV products currently detect ZeroAccess, but a Prevx analysis considers it capable of evolving into something more dangerous. Prevx says that the disk filtering engine implemented by ZeroAccess is not as advanced as those of other rootkits, making it relatively easy to detect and remove. “Sadly,” it adds, “this is a minor problem that could be easily improved by the ZeroAccess authors.”

Gaming enthusiasts who don’t have AV installed are already at risk.
