Perhaps we can reinstall games we play from our Steam account or recover e-mails from the cloud. But what about our Masters or Doctorate papers, wedding pictures, monthly reports we need to deliver in a couple of days, or our client database? Hard-disks host this information and more. Loss could be disastrous – and prompt us to act hastily.
This “haste” is what crooks counted on when they created the e-threat we just found.
This nasty scareware (detected by Bitdefender as Trojan.HiddenFilesFraud.A) was created to panic people into buying a pretend repair tool for an imaginary hard-disk problem. With Rogue AV nearly extinct courtesy of search engines and AV vendors, useless applications are a tough sell. This is why this little devil steps on all your fears related to data loss. Acting as a disk repair utility, the e-threat alerts the victim that his computer has lots of unsolved issues and personal data is at risk.
In a crafty attempt to induce more confusion and frustration in the victim’s mind, the malware immediately hides all folders and files it finds on the user’s machine. The approach of hiding some folders or files is not new in the cybercrime world, but hiding all folders and then offering a mending tool is an example of astute of social engineering.
A folder that appears empty, accompanied by a popup that announces a HDD error.
No need for advanced rootkits that might fail on newer operating systems: the malware sets the files and folders as hidden by modifying file attributes. As a bonus, some key shortcuts are also disabled, building on the user’s sensation that he is no longer in control of his system. The PC, by the way, is working just fine all this time. But the user has no way of knowing this. A user who doesn’t find his files and folders on the system is going to assume the worst.
Unfortunately, the user is neither able to see them as hidden nor set them as visible from Windows Explorer due to the intervention of Win32.Brontok.AP@mm, the Trojan that downloads the scareware on the compromised system.
As a true representative of its scareware “species”, Trojan.HiddenFilesFraud.A displays multiple error windows informing the user that it could not write something in system32 due to a critical hard-disk error. Confusing is that these messages appear to have come from the OS itself. Just about now, the user is supposed to be scared enough and convinced to reach for his pocket and pay $80 for the repair utility that will do absolutely nothing once purchased. The scam is done, the money is gone.
Interface screenshots of the alleged HDD utility.
This threat is installed on the PC by another malware, a high-risk worm called Win32.Brontok.AP@mm. This e-threat uses removable drives to spread. It copies itself in every folder on the infected stick under the name of that folder. It adds an .exe extension that remains hidden from users. This is an indicator that it needs the user to recognize, trust, click and thus install it on the PC.
Fake popup messages to increase users’ panic
Brontok is the weapon of choice for some aggressive pay-for-install attacks. Its developers have used it for affiliate installations (as a means of installing other undesirable applications) in the past, squeezing revenue for every potential customer of the rogue hard-disk utility.
Once one of the most effective breeds of malware ever since its emergence in 2008 – scareware – has been on a descending slope since early 2011. Some of the most important counter-measures in fighting the invasion of rogue AV and other fake utilities was Google’s decision to delist some second-level domain name providers (such as co.cc and co.cz) from the search index, as well as the improvement of their ranking algorithms to prevent black-hat SEO.
These efforts have been completed with the security industry’s efforts of educating users not to install anything that pops up on the screen if this was not what the users initially looked up in search engines. However, although weakened, the Rogue AV industry has not gone extinct – in order to stay safe, please make sure your antivirus is up to date and activated.
This article is based on the technical information provided courtesy of Doina Cosovan, Bitdefender Virus Analyst.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.