Online Ad Campaigns Mimicking as the CryptoLocker
CryptoLocker is a recently discovered Windows malware that encrypts user data and makes it unusable. It demands the user for a certain amount of money (ransom) to decrypt the data. As of December, 2013, the creators of CryptoLocker were able to pull in $30 million in just 100 days. So, in what may be called an attempt to ride this cashcow, is a malware recently discovered by Quick Heal. Here is a quick snippet about it.
How the Malware Works
Quick Heal detects this malware as FraudTool.Legtot.A3. The malware basically pretends to do something similar to what the CryptoLocker does to the data of the targeted user.
When executed, the malware copies itself to Appdata folder with a name ‘svhost .exe’. Its name is displayed as CrytoLocker to the user. The malware kills all running applications in the computer including Explorer. It adds AutoRun entries which enables it to execute automatically whenever the machine is started.
The malware then shows a prompt as shown in the image below:
Does the Malware Encrypt User Files for Real?
In reality, the malware does not encrypt any file in the user machine. By displaying a message as shown above, it takes advantage of the fear that most people have about the Cryptolocker. What the malware does is, it prevents the user from accessing the system by continuously monitoring running applications and killing them.
What Happens if User Responds to the Message?
If the user clicks the ‘Open Survey‘ link in the message box, it opens up a browser with various ad campaigns which go through the following sites:
totally-legit.biz → filesquick.net → glispa.com which serves ads from OLX, Shophunk, BigFlix and even suggest apps such as WeChat.
An example of the ad campaigns targeted by this malware is shown below. This advertisement on shophunk.com allures users to buy mobiles at unbelievably cheap prices by participating in a contest.
These ads indicate that malware authors are taking advantage of Affiliate Interfaces such as glispa.com and social engineering.
Another example of an ad campaign targeted by the malware is one from BigFlix Entertainment which claims to offer unlimited movie streaming for the first month of subscription at just Rs.1. (See image below)
Users are strongly advised not to get allured by such too-good-to-be-true advertisement campaigns and end up paying money to fraudulent online shopping sites. To block fraudulent and phishing websites that steal user information, try Quick Heal Internet Security which offers real-time web protection from online threats.