Dailymotion serving fake anti-virus

By on
Dailymotion serving fake anti-virus

Popular video site Dailymotion continues to serve insidious and convincing fake anti-malware despite being notified of the compromise.

Fake anti-virus can be difficult to remove and can lock down advanced booting options, block process monitors and disable or remove legitimate anti-virus present on the infected machine.

Since surfacing in 2008, the malware has become a serious threat with Google discovering some 11,000 domains hosting the applications in 2010.

A high degree of social engineering is used to con users into buying a full version of the seemingly free application.

The malware typically bombards victims with fake virus alerts for nasty trojans apparently found on their computer. At least one fake anti-virus variant used the victims' webcam to take photos which it claimed to have intercepted from a trojan infection on the users' computer.

The most dangerous fake anti-virus installations were those delivered by drive-by-downloads, a method which uses vulnerabilities in a users' software to foist the malware onto computers.

The example recorded by security researchers at Invincea show how a fake anti-virus application was delivered by a drive-by-download from Dailymotion. It uses the Microsoft Security Essentials brand to convince uses to install the malware.

"The threat compels the target to download a malicious .exe (executable) as a ruse to 'clean' their 'infected' machine," researcher Eddie Mitchell said.

"Noteworthy is the fact that the web property (Dailymotion) is ranked around 90th in the world with more than 17 million monthly viewers and that this payload is served through third party ad network similar to what was witnessed a few days ago with Yahoo!."

The malware offered subscription payments between $49.95 and $100 paid via a credit card which would undoubtedly be used in further fraud.

It was similar to the booming threat of ransomware which uses more stick and less carrot than fake anti-virus by encrypting hard drives and demanding victims pay a false fine or fee to receive the decryption key that would unlock their computers.

Those threats vary in sophistication with the more prevalent applications demanding payments typically less than $100. That transaction and infection is automated and may not result in a decryption key after payment, while the malware is often poorly written and could be circumvented and removed.

The other ransomware variants targeted organisations and were delivered by hacking into unsecured or poorly secured architectures. Entire hard drives and connected storage units could be encrypted, locking down businesses until a ransom of up to $5000 to $10,0000 was paid.

Many small businesses in Australia have been targeted with some opting to pay and others accepting the loss of productivity and deploying outdated backups.

The perpetrators of those attacks typically supplied the decryption key after payment and maintained contact with victims to ensure the viability of their business models. The ransom fee typically increased by $1000 for each day payment was delayed.

Users and organisations can help avoid these attacks by patching all software on their computer; using strong passwords for services such as remote desktop; backing up regularly to air-gapped storage; avoiding demands to enter card details into applications or websites, and where possible not downloading unsigned applications.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © CRN Australia. All rights reserved.

Most Read Articles

Log In

  |  Forgot your password?