“Window” Blockers, or Whose Distribution of Win32 / LockScreen Trojans is Beneficial
Recently, the so-called epidemic of blocking programs has caused quite a strong response in the media. By blocking programs is meant malware, which, after its activation / launch, in one way or another, blocks the user's work on his computer. At the same time, for providing the service of returning the previous PC operability, attackers extort money. In this whole story with blockers, it is interesting that this problem is of a local nature for Russia and neighboring countries. In other countries, such fraud is practically not common, but rather an exception to the rule. Why then has it become so widespread in our country? The answer is much simpler than it may seem, and is on the surface.
The fact is that in our country, the popularity of SMS payments to short numbers is very high. And the legal regulation for providers providing short numbers for rent is clearly lagging behind. And that is why cybercriminals benefit from creating and distributing this kind of malware. And with the help of blockers, they can quite quickly improve their financial situation with money obtained through extortion and blackmail. In addition, many users choose the easiest way to resist this infection, that is, to pay. But often after the payment for the unlock service, you do not receive it, since the fraudsters have already achieved the desired effect and received the cherished ruble from you. And tomorrow they will begin to distribute another program, and, most likely, you will no longer fall for this bait. But there are still a large number of users who have not attacked these malicious "rakes". The expanses of our country are very large.
The lifetime of a single instance of the Win32 / LockScreen Trojan is small and, at best, is several days. The fact is that these Trojans are rapidly falling into anti-virus databases and stop bringing “dirty” profits to their creators. After that, modified instances appear that are modified in such a way as to confuse most antivirus programs. If you look at the code of many blocking programs, then in their structure they are very similar to completely legal applications, which adds trouble to their non-signature detection and enhances the effect of their distribution.
')
But the very distribution of blocking programs is a separate, equally exciting topic. These malicious programs do not know how to spread by themselves, without any help. Probably for many users it will not be a discovery that there are whole “affiliate programs” for the provision of malware distribution services, including Win32 / LockScreen Trojans.
Especially the massive effect of the well-coordinated work of the cybercriminal community is noticeable during heightened social activity in the network. For example, on New Year's holidays or in moments of an increased number of search queries with the following content “download Avatar film for free”. The distribution script is usually very simple: under various pretexts, you are asked to download and run an executable file, sometimes disguised as something else. This explains the fact that in December / January we noticed a significantly increased intensity of the spread of Win32 / LockScreen Trojans.
Finally, we will look at the situation from the other side. It may be too cynical to be the statement that such a massive distribution of fraudulent programs, perhaps, will force newbies - Internet users to quickly understand that you should not stick at all the banners in a row. Having probably lost 300 rubles, the user next time will not jeopardize his Internet bank account with a much larger amount. The second positive point in this Runet epidemic may be the grinding of the legal framework for “partners” in distributing LockScreens and telephone aggregators that provide short numbers for rent. After all, until 2009, they very successfully developed their business at the expense of clients making mass mailings of SMS with texts like: “Mom, my cell phone was stolen from me, urgently give me 500 p. to number +7 (9xx) xxx-xx-xx . ” Now it's time to pay for new Internet users who have not yet had time to figure out what is safe in the wilds of the Internet and what can be harmful.
ZY: ESET company wants to again urge all users not to fall for the tricks of intruders and be vigilant. If you still could not avoid the blocker, and you were infected with such a Trojan program - NEVER pay for the services of intruders. With high probability, you will not get the desired solution to this problem. If, all of a sudden, the trash trojan overcame your PC, you can use our free unlock service.
The fact is that in our country, the popularity of SMS payments to short numbers is very high. And the legal regulation for providers providing short numbers for rent is clearly lagging behind. And that is why cybercriminals benefit from creating and distributing this kind of malware. And with the help of blockers, they can quite quickly improve their financial situation with money obtained through extortion and blackmail. In addition, many users choose the easiest way to resist this infection, that is, to pay. But often after the payment for the unlock service, you do not receive it, since the fraudsters have already achieved the desired effect and received the cherished ruble from you. And tomorrow they will begin to distribute another program, and, most likely, you will no longer fall for this bait. But there are still a large number of users who have not attacked these malicious "rakes". The expanses of our country are very large.
The lifetime of a single instance of the Win32 / LockScreen Trojan is small and, at best, is several days. The fact is that these Trojans are rapidly falling into anti-virus databases and stop bringing “dirty” profits to their creators. After that, modified instances appear that are modified in such a way as to confuse most antivirus programs. If you look at the code of many blocking programs, then in their structure they are very similar to completely legal applications, which adds trouble to their non-signature detection and enhances the effect of their distribution.
')
But the very distribution of blocking programs is a separate, equally exciting topic. These malicious programs do not know how to spread by themselves, without any help. Probably for many users it will not be a discovery that there are whole “affiliate programs” for the provision of malware distribution services, including Win32 / LockScreen Trojans.
Especially the massive effect of the well-coordinated work of the cybercriminal community is noticeable during heightened social activity in the network. For example, on New Year's holidays or in moments of an increased number of search queries with the following content “download Avatar film for free”. The distribution script is usually very simple: under various pretexts, you are asked to download and run an executable file, sometimes disguised as something else. This explains the fact that in December / January we noticed a significantly increased intensity of the spread of Win32 / LockScreen Trojans.
Finally, we will look at the situation from the other side. It may be too cynical to be the statement that such a massive distribution of fraudulent programs, perhaps, will force newbies - Internet users to quickly understand that you should not stick at all the banners in a row. Having probably lost 300 rubles, the user next time will not jeopardize his Internet bank account with a much larger amount. The second positive point in this Runet epidemic may be the grinding of the legal framework for “partners” in distributing LockScreens and telephone aggregators that provide short numbers for rent. After all, until 2009, they very successfully developed their business at the expense of clients making mass mailings of SMS with texts like: “Mom, my cell phone was stolen from me, urgently give me 500 p. to number +7 (9xx) xxx-xx-xx . ” Now it's time to pay for new Internet users who have not yet had time to figure out what is safe in the wilds of the Internet and what can be harmful.
ZY: ESET company wants to again urge all users not to fall for the tricks of intruders and be vigilant. If you still could not avoid the blocker, and you were infected with such a Trojan program - NEVER pay for the services of intruders. With high probability, you will not get the desired solution to this problem. If, all of a sudden, the trash trojan overcame your PC, you can use our free unlock service.
Source: https://habr.com/ru/post/82218/
All Articles