Fake anti-virus malware blocks access to the web's most popular sites
Posted on 26 Jan 2010 at 11:18
Malware that deliberately disrupts your ability to use your PC is an old standard. According to Webroot, the latest trick up malware developers' sleeves is to edit Windows' networking settings to prevent users from visiting some of the web's most popular sites. One version of a fake anti-virus program called Internet Security 2010 blocks sites including Facebook, YouTube, Twitter, Wikipedia and Microsoft's Bing search engine.
Webroot's Andrew Brandt writes: "The payload modifies the Layered Service Provider (LSP) so that calls to those Web sites pass through the malicious file, which displays a warning message in the browser instead of the blocked Web site. The message says:
This web site is restricted based on your security preferences
and
Your system is infected. Please activate your antivirus software."
Fake anti-virus software is a common and particularly irritating form of malware which usually attempts to get you to part with your cash by rendering your PC unusable and claiming it to be the fault of viruses.
Often transmitted by a drive-by download, these programs are designed to look like a legitimate anti-malware suite. When such a program gets on to your PC, it'll claim that your system is infected with scores of viruses and that you'll need to buy a full version of their software to get rid of them. In fact, the only real malware threat comes from the "anti-virus" program itself.
Recent variants have added even more irritating and computer-crippling features to hold your PC to ransom, such as making it impossible to start applications or boot into safe mode. This makes it hard, but not necessarily impossible, to get rid of the malware.
If some or all programs refuse to start once the malware has become active, you can open the Windows Task Manager or use a program like Process Explorer to watch the malicious software as it loads and, once you've worked out which processes it's responsible for, terminate them before they finish loading.
This won't get rid of the malware, but should at least allow you to run anti-virus software. Most variants of Internet Security 2010 can be removed using free anti-malware tools, such as PC Tools Spyware Doctor, Malwarebytes Anti-Malware, and Microsoft Security Essentials.
If you've suffered from the website-blocking variant of Internet Security 2010, you'll still need to repair the damage it has done to your ability to browse the web once you've got rid of the malware.
Webroot has included a helpful guide to fixing your LSP chain under Windows XP in a recent blog post about this malware.
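An added example, not taken from the article or from Webroot's guide: one way to check the Winsock catalogue for unexpected layered providers is to parse the output of `netsh winsock show catalog` and flag any provider DLL that sits outside system32 or is not on an allow-list. The sample output, the `example_lsp.dll` path and the allow-list below are constructed assumptions.

```python
import re

# Constructed sample in the layout printed by `netsh winsock show catalog`;
# the second entry is a hypothetical layered provider loaded from a temp folder.
SAMPLE = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Example LSP over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      C:\Users\demo\AppData\Local\Temp\example_lsp.dll
Catalog Entry ID:                   1015
Protocol Chain:                     1016 : 1001
"""

# Assumption: allow-list of provider DLLs and folders expected on a clean system.
TRUSTED = {"mswsock.dll", "rsvpsp.dll"}
SYSTEM_DIRS = (r"%systemroot%\system32" + "\\", r"c:\windows\system32" + "\\")

def parse_catalog(text):
    """Split netsh output into one dict of 'Field: value' pairs per entry."""
    entries = []
    for block in re.split(r"(?m)^.*Provider Entry.*$", text)[1:]:
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only, so C:\ survives
            if sep and value.strip():
                fields[key.strip()] = value.strip()
        entries.append(fields)
    return entries

def suspicious(entries):
    """Return entries whose DLL is outside system32 or not on the allow-list."""
    flagged = []
    for e in entries:
        path = e.get("Provider Path", "").lower()
        name = path.rsplit("\\", 1)[-1]
        if path and (not path.startswith(SYSTEM_DIRS) or name not in TRUSTED):
            flagged.append(e)
    return flagged

if __name__ == "__main__":
    for e in suspicious(parse_catalog(SAMPLE)):
        print(e["Catalog Entry ID"], e["Entry Type"], e["Provider Path"])
```

On a live system, feed the function the captured text of `netsh winsock show catalog` in place of `SAMPLE` and extend the allow-list to cover any legitimate providers installed there.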
Author: Kat Orphanides
Printed from www.expertreviews.co.uk