Monday, January 26, 2009

Spreading Ransomware

A once-popular site for pre-election Barack Obama supporters is being used by hackers to spread malicious ransomware. A trojan downloaded from the site installs a piece of software that poses as a security program, creating phony warnings that a user's computer is infected with spyware. The persistent pop-ups continue to plague the victim until they pay for the worthless program, usually priced between $40 and $50.

According to, the criminals have set up bogus accounts on the site and used them to create blogs. When a user reaches one of the fake blogs, a YouTube-like video window is displayed; clicking on that video frame takes the user to a malicious Web site packed with pornography.

If the user clicks to view the porn, a message pops up claiming a video codec must be downloaded and installed. The executable file is not a real codec, but rather a Trojan horse that hijacks the PC and installs the ransomware.

Websense first uncovered the phony blogs a week ago, but it has had no luck reaching someone responsible for the site. "We've been constantly trying to reach them, and tried every possible angle, from e-mail to the site itself to the phone, but we haven't heard back," said Dan Hubbard, vice president of security research at Websense. "Obviously, they've been fairly busy."

Visitors to the site who have already been infected should download and run actual spyware removers. There are several free alternatives, such as Ad-Aware, Spybot Search & Destroy or Avira. In past dealings with these tricky pieces of malware, I've had success removing them using SmitFraudFix as well as Malwarebytes Anti-Malware.
