A sophisticated scam in which cybercriminals earn money and access to your device

Jan 11, 2012 09:41 GMT

Pro Evolution Soccer 2012, the eleventh edition of the series published by Konami, attracted not only the attention of gamers, but also that of cybercriminals, who began relying on its popularity to further their malicious operations.

GFI researchers came across a YouTube video which advertises a link that offers the full game, along with key generators, cracks and serial numbers for the game.

“PES group released the PES 2012 Keygen working license serial for Pro Evolution Soccer 2012 in Multi Language. Read the NFO for the info, Crack is included. Language file is also with instructions included,” reads the ill-purposed video description.

A link from the description points to a Mediafire download page where the game’s key generator should be. The compressed file hosted on Mediafire contains an HTML file, a text file and another archive that contains the keygen.

The text file contains a URL, which must be visited to obtain a password that allows extraction of the key generator app contained in the archive. The URL points to a survey page that must be completed to obtain the password.
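A defender-side triage check for the package layout described above, as an added example that is not from GFI or the original article. It assumes the outer and nested archives are ZIP files (the article does not name the format) and flags a download that pairs a password-protected nested archive with a note file carrying a URL; all file names and the URL in the sample are constructed.

```python
import io
import re
import zipfile

NOTE_EXT = (".txt", ".html", ".htm")
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")


def triage(data: bytes) -> dict:
    """Check an outer ZIP (assumed format) for a locked nested ZIP plus a URL note."""
    report = {"encrypted_nested": [], "urls": []}
    with zipfile.ZipFile(io.BytesIO(data)) as outer:
        for info in outer.infolist():
            if info.flag_bits & 0x1:  # outer member itself encrypted: cannot read
                continue
            name = info.filename.lower()
            blob = outer.read(info)
            if name.endswith(NOTE_EXT):
                report["urls"] += [u.decode("ascii", "replace")
                                   for u in URL_RE.findall(blob)]
            elif zipfile.is_zipfile(io.BytesIO(blob)):
                with zipfile.ZipFile(io.BytesIO(blob)) as inner:
                    # General-purpose flag bit 0 marks an encrypted member.
                    if any(m.flag_bits & 0x1 for m in inner.infolist()):
                        report["encrypted_nested"].append(info.filename)
    # The lure needs both halves: a locked payload and a link to "unlock" it.
    report["suspicious"] = bool(report["encrypted_nested"] and report["urls"])
    return report


def build_sample(locked: bool = True) -> bytes:
    """Constructed sample: note + HTML + nested ZIP, optionally flagged encrypted."""
    inner_buf = io.BytesIO()
    with zipfile.ZipFile(inner_buf, "w") as z:
        z.writestr("keygen.bin", b"inert placeholder bytes")
    inner = bytearray(inner_buf.getvalue())
    if locked:
        # Set flag bit 0 in the central directory header, which infolist() reads.
        inner[inner.rfind(b"PK\x01\x02") + 8] |= 0x01
    outer_buf = io.BytesIO()
    with zipfile.ZipFile(outer_buf, "w") as z:
        z.writestr("password.txt", "Get the password: http://survey.example/unlock\n")
        z.writestr("info.html", "<html><body>instructions</body></html>")
        z.writestr("keygen.zip", bytes(inner))
    return outer_buf.getvalue()


if __name__ == "__main__":
    print(triage(build_sample()))
```

A hit is a reason to quarantine the download and review the URL, not a verdict: password-protected archives also have legitimate uses.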

Once obtained, the password can be used to extract the so-called keygen, which in reality turns out to be a sophisticated rootkit called ZeroAccess that causes serious damage to an infected computer’s operating system.

This scheme is very clever because the crooks who run it not only make tons of affiliate money from the survey site, but also gain access to the victim’s system, allowing them to steal sensitive data.

Fortunately, most antivirus vendors detect this variant of the rootkit as malicious, which means that an up-to-date security solution can keep you safe. Even so, users are advised to purchase the game only from trusted retailers to avoid any unfortunate situations.

I’ve come across a large number of similar YouTube video scams that advertise Pro Evolution Soccer 2012 and they all lead to different internet domains which serve various pieces of malware.