Spyware Lures to Install Potentially Unwanted Software

Date:12.19.2005

Threat Type: Informational Alert

Websense Security Labs (TM) is seeing a large increase in the number of websites and emails that use deception and/or browser vulnerabilities to install potentially unwanted software. The common theme among these threats is the use lures of possible spyware infections on your machine. In some cases, the scam actually reports fraudulent information regarding the security of your PC.

In many cases they also request money in return for cleaning the outlined security problems (we have seen as much as $500 per year).

Over the last 2 weeks, we have identified more than 1500 sites that have some (or all) of the following criteria:

• They are hosted in Ukraine and Russia
• The website domain names are registered in countries like Vanuatu and Mexico
• IP netblocks hosting sites are often hosting other questionable sites such as fraudulent search engines
• IP netblocks have been hosting malicious code such as Trojan horse downloaders, droppers, and hosts-file redirection software
• Malicious code that modifies DNS settings has used these netblocks for DNS resolving
• Downloaded code often includes several pieces of spyware, adware, and other potentially unwanted software
• Removing the software often requires that you to fill out a survey
• Several of the sites contain links to other sites that are hosting IE exploit code

Various Example Screenshots: