Threat Research & Response Blog
In addition to Win32/FakeXPA we added another rogue-related malware family to MSRT this month - Win32/Yektel. Win32/Yektel is a different kind of rogue. Like other rogues, it displays fake warnings about possible malware or spyware, but rather than pretending to be a security product itself, it tries to blend in with its surroundings. There is a very good reason to target Win32/Yektel and Win32/FakeXPA together: most of the current incarnations of FakeXPA download Yektel. Nevertheless, Yektel works independently of FakeXPA and can be installed by other means as well. However it ends up on a machine, Yektel installs a BHO (Browser Helper Object) which can display messages in Internet Explorer. This enables Yektel to mimic IE's own messages, such as drop-down warnings and error pages.
Yektel displays these messages at random times while the user is browsing. Recent variants go further, however, injecting messages into Google search results. In fact, Yektel's BHO inserts a fake warning into any page that IE retrieves from a URL with the string "google" in it.
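Because Yektel runs as a Browser Helper Object, the in-process extension mechanism itself is the thing an administrator can audit. The following PowerShell script is an added example and not code from the original post or from Microsoft; it lists every BHO registered for Internet Explorer (both the native and the Wow6432Node views), resolves each CLSID to the DLL that implements it, and reports the DLL's Authenticode status so that an unfamiliar or unsigned extension stands out. It assumes a Windows host with PowerShell 5.1 or later and uses only the standard BHO and CLSID registry locations; no Yektel-specific identifiers are used.

```powershell
# Added example (not from the original post): audit the Browser Helper Objects
# registered for Internet Explorer and resolve each one to its DLL.
# Assumes Windows with PowerShell 5.1+; registry paths are the standard BHO
# and CLSID registration locations.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-RegisteredBho {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key -ErrorAction SilentlyContinue) {
            $clsid = $sub.PSChildName

            # The CLSID's InprocServer32 default value names the DLL IE will load.
            # Check both registry views because a 32-bit BHO registers under Wow6432Node.
            $dll = $null
            foreach ($inproc in @("HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32",
                                  "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$clsid\InprocServer32")) {
                if (Test-Path $inproc) {
                    $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
                    if ($dll) { break }
                }
            }

            # Resolve the path and check whether the DLL carries a valid signature;
            # a missing file or an unsigned DLL in a user-writable location deserves a closer look.
            $status    = 'no InprocServer32'
            $publisher = ''
            if ($dll) {
                $path = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
                if (Test-Path $path) {
                    $sig       = Get-AuthenticodeSignature -FilePath $path
                    $status    = $sig.Status
                    $publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                } else {
                    $status = 'file missing'
                }
            }

            [PSCustomObject]@{
                CLSID     = $clsid
                Dll       = $dll
                Signature = $status
                Publisher = $publisher
                RegKey    = $key
            }
        }
    }
}

Get-RegisteredBho | Format-Table -AutoSize
```

Run the script from an elevated prompt so that both registry views are readable. The output does not by itself identify malware; compare each entry against the extensions you expect on the machine and treat an unsigned DLL, or one that the registry references but that no longer exists on disk, as the starting point for further investigation.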
So where do all of these bogus warnings and recommendations take you? Not to somewhere to download more malware, but directly to a page where you can give them your money to "register" FakeXPA.
Installing Win32/Yektel is another way that FakeXPA goes beyond pretending to be a useful security product by trying to take advantage of people's trust in web browsers and search engines.
Acknowledgements: Chris Jones for discovering the fake Google messages.
-- Hamish O'Dea