Everybody should by now be aware how most scareware (aka rogueware aka fake antivirus) operates:
you receive a warning message your PC is infected with malware, and a scan needs to run immediately to help you remedy the infections.
The latest scareware is System Care Antivirus:
 |
| System Care Antivirus. (Source: BleepingComputer) |
In the past, it was just that. Scareware pushes scareware. Scareware installs scareware. Not programs that can be considered as adware or Potentially Unwanted Program (PUP/PUA).
Thanks to a headsup from Maxstar on Twitter, I was able to see how scareware was pushing "PC Speed Maximizer", which can be considered as a PUP, but not as scareware.
PC Speed Maximizer, unlike "real" scareware does not have the following behaviour:
- Annoying pop-ups everywhere, all the time
- Blocking internet access
- Blocking other programs (like Task Manager for example)
- Showing numerous errors & malware infections (where there are none)
- No real uninstall option (because it's malware)
- Autostarts with the PC
- Wants to rip off users
PC Speed Maximizer however does have the following behaviour:
- Annoying pop-ups, but not constantly
- Showing numerous errors (where there are none)
- Autostarts with the PC
- Wants to rip off users
So let's get to the point here. What is the purpose of this post? To show you an apparently new tactic on how PC Speed Maximizer wants to gather money from not technically savvy users.
A new page has been set up at hxxp://pcspeedplus.com
URLVoid Result
PasteBin script
When visiting this page, you are presented with the following message:
 |
| "Critical Security Warning!" Oh really? |
This pop-up or messagebox is typical for scareware, clicking the X or clicking OK has the same result...
A "scan" starts running right away:
 |
| "Virus infections have been detected!" - XP Micro Antivirus |
The following file gets downloaded:
PCSpeedMaximizer.exe
MD5: e557bf40e5b374b2fe65cfb2502f0a99
Result: 3/46
VirusTotal Result
Anubis Result
Malwr Result
ThreatExpert Result
This file is also digitally signed:
 | |||
| File is digitally signed with its own cert... |
Thanks to a great post here, you can find the extracted digital certificate on Pastebin:
http://pastebin.com/50cUYHEc
Surely, this is not an "APT", but it's still interesting such a piece of crap is digitally signed.
PC Speed Maximizer Setup:
 |
| Setup screen |
 |
| Items to clean and optimize on your PC |
When looking around on Google a bit, it seems others are suffering from the same scareware page and the pushing of this... software:
http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/url-httppcspeedpluscomscan-keeps-bringing-up-fake/30ed02a6-2bb0-4165-84ac-56a188cfb131
This user was apparently getting fake messages when clicking on a Yahoo ad, when I received this headsup, it apparently spreads through Google Images as well.
Prevention
- Be careful when visiting any webpage. A useful trick is to check the real URL behind the image. Most of the times you can verify this by checking in the left corner of your browser:
Clicked on a picture and started loading this website instead of the original one
- Use browser extentions to verify the integrity of an image or URL. Useful add-ons for Google Chrome are for example NotScripts and WOT . For Firefox you have NoScript and WOT as well.
- Keep your Antivirus and browser, as well as your browser add-ons up-to-date.
- If it is too late and a 'scan' is already starting, immediately close your browser by bringing up Task Manager (CTRL+ALT+DEL or CTRL+SHIFT+ESC) and killing your browser's process:
- a) For Google Chrome: chrome.exe or chrome.exe *32
- b) For Mozilla Firefox: firefox.exe or firefox.exe *32
- c) For Microsoft's Internet Explorer: iexplore or iexplore.exe *32
Desinfection
If the harm is already done and you are getting warnings, messages or pop-ups stating there are several errors and you need to take 'immediate action' to clean your computer, go to your
C:\Program Files\PC Speed Maximizer or C:\Program Files (x86)\PC Speed Maximizer folder and double-click on unins000.exe. The program will now uninstall itself. In that perspective, it is way less intrusive than real scareware.
Conclusion
- Don't be fooled by warnings or message trying to scare you, it's all fake.
- Follow the above prevention tips to decrease the chance of your computer becoming infected.
Final word: adware and/or PUP has always been annoying, and in a "grey" area for antivirus & antimalware applications to detect or not, since most of the times the EULA clearly states it's installing this software and you (as "the user") agree(s). However, pushing PUP via scareware is a new concept. I've made an earlier post about PUP and how you can prevent it as well:
http://bartblaze.blogspot.com/2013/01/about-youtube-top-comments.html
Stay safe.
.JPG)
0 comments:
Post a Comment