It changes the hosts file, redirects to page offering bogus security solution

Aug 21, 2014 18:45 GMT  ·  By

A recently detected scareware runs browser-based security scanning that shows bogus malware activity on the system, in an effort to deceive users into purchasing fake security products.

Dubbed Defru by Microsoft (detected as Win32/Defru), the threat is notable for its ability to modify the hosts file on the affected computer in order to manipulate web navigation. The result is that access to more than 300 legitimate websites is blocked, according to Daniel Chipiristeanu from Microsoft.

Basically, trying to reach any of the websites on the list leads to loading a page designed by the cyber crooks for promoting the fake products they want to sell.

The page, pcdefender[.]co[.]vu, offers bogus security solutions named Windows Security and Windows Defender.

A scan that appears to be in progress shows that malicious files are present on the computer; this is intended to make the potential victim believe the machine is infected and pay a fee to download the fake malware removal solution.

"Win32/Defru is targeting Russian speaking users, mostly from Russia, Ukraine, and Kazakhstan," Chipiristeanu said.

According to telemetry information from Microsoft, most of the users falling victim to Defru are from Russia, but the United States comes second and Kazakhstan takes the third place.

The payment for the product can be done by credit card, at Payeer.com, a Russian payment service that also facilitates currency exchange operations.

Cleaning the system of this threat is straightforward: delete the entry value from the “Run” registry key, the file it points to on the disk, and the entries added to the hosts file.
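As an added illustration, not code from the article or from Microsoft, the following Python check looks for the kind of hosts-file tampering described above: it flags entries that point several names at one shared non-local address and strips them, which is the hosts-file part of the cleanup. The sample hosts content, the addresses and the domain names are constructed placeholders, not values from the article.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of a hosts file after a Defru-style modification (addresses
# and domains are placeholders, not taken from the article): the stock loopback
# lines, a benign blocklist-style entry, and several sites all pointed at one
# attacker-controlled address so that they load the fake "scanner" page instead.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.com            # benign: locally sinkholed advert host
192.0.2.10      www.example-antivirus.com  # constructed redirect entry
192.0.2.10      support.example-vendor.net
192.0.2.10      search.example.org
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blanks and unparsable lines."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower()


def find_redirects(text, min_hosts=2):
    """Group hostnames by target address and return only real redirects: entries
    pointing somewhere other than loopback or the null address, with at least
    `min_hosts` names sharing one target (the mass-hijack pattern)."""
    by_target = defaultdict(list)
    for ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue  # normal local entries, or an ad-blocking style sinkhole
        by_target[str(ip)].append(name)
    return {ip: names for ip, names in by_target.items() if len(names) >= min_hosts}


def remove_redirects(text, bad_targets):
    """Return the hosts text with every line mapping a name to a flagged target
    removed; comments and legitimate entries are kept untouched."""
    kept = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] in bad_targets:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"
```

A real check would read the file from its system path and would also want a backup before rewriting it; the registry "Run" value and the file it points to are handled separately.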

Defru scareware (2 images): fake malware scanning; offer to download the fake product.