Aug 18, 2010 18:21 GMT
Scareware imitates Windows Automatic Updates to gain the user's trust

A trojan distributed via fake DHL emails installs a new piece of scareware which mimics the Windows Automatic Updates screen in order to make the rogue program look legitimate.

The attack starts with a spam email that claims to originate from DHL International. The message informs the recipient that their package could not be delivered to the listed address.

Furthermore, the user is instructed to print the post label allegedly found inside the attached archive and use it to pick up the undelivered parcel.

According to Sven Carlsen, a virus researcher at Avira who analyzed the attack, the attachment contains an installer for a computer trojan from the Oficla family of malware.

This trojan is used as a distribution platform for scareware applications, in this case one called "Antimalware Doctor".

Scareware is a collective term referring to programs that pose as antivirus or security products and attempt to scare users into paying for a license by bombarding them with bogus alerts.

An interesting aspect of this attack is that before the actual interface of the rogue application pops up to display a fake scan, the user is presented with what appears to be a Windows Automatic Updates dialog.

The screen shows only one item in the list of updates, called "System Security Pack 2010.56.111 (Antimalware Doctor Upgrade; KB949779)".

This is a clear attempt by the scareware's authors to legitimize it by displaying it inside a window that is familiar and generally trusted by users.

The cybercriminals behind these threats are also hurting companies that operate software review websites by abusing, and therefore damaging, the trust associated with their trademarks.

"In order to create more trust in the product on the user side, the malware writers put up plenty of renowned awards like 'Laptop editors choice' or 'Softpedia'," Mr. Carlsen notes.
