Watch Harry Potter and the Half-Blood Prince On-line Free?
You should probably buy a ticket and see the latest adventures of the Hogwarts students in a movie theater instead of becoming the victim of the most recent malware distribution campaign, which delivers a rogue Trojan, empties credit cards and wastes a lot of the victims' time. At least this is what Harry Potter aficionados (unprotected or gullible ones) get from clicking Web links allegedly offering a free broadcast of the latest sequel in the screen adaptation of J. K. Rowling's books.
The malware dissemination scheme comprises five simple steps and involves at least two breeds of malicious payloads:
1. The phony link does not lead to a Web page holding the motion picture, but automatically redirects the browser towards a Web site that holds malware. The browser window is then minimized and, at the same time, a warning message is displayed, notifying the user about several computer infections and the availability of Personal Antivirus for e-threat removal purposes.
2. Clicking either the OK or the Cancel button triggers a fake movie that plays in the restored browser window. The movie mimics an on-going scanning process that supposedly detects malware within the system. For more credibility, the e-criminals added a “Your Info” panel on the left side of the phony My Computer Online Scan window, which displays the IP address, country and city of the user's machine.
Upon completion (after approximately 10 seconds), the user is advised to download and install the rogue to eliminate over 500 files allegedly altered by various types of malware.
3. Again, by clicking either OK or Cancel the user activates a fake Windows® Security Alert (notice the golden shield in the upper left corner), which is, in effect, a simple screenshot that acts like a trigger for the rogue download (see the hand cursor shape in the image below).

4. By clicking anywhere within the borders of the bogus window, the user initiates the malware download.
5. When the download completes, if there is no reliable security suite installed and the binary gets executed, the user infects his or her system with Trojan.Downloader.PersonalAntivirus.A.
Upon installation, this malware, which carries an encrypted EULA, attempts to download one of the newest members of the fake antivirus family – the previously mentioned Personal Antivirus – by connecting to several servers registered on .com and .cn domains. To remain undetected, it simultaneously terminates the Windows Defender process.
Probably for future attack purposes, it also harvests data about the machine to be compromised, namely the date of Microsoft® Windows® installation and its version number, default browser type, number of running processes, available size of disk space and RAM size, as well as the number of installed programs.
After this installer component completes the download of Personal Antivirus, it also connects to the Microsoft® Windows® Update Thank You page, to make it appear that the software comes from a trusted source and is legitimate.
Personal Antivirus rogue modifies the registry settings, requests the user to buy/renew a license and downloads additional malware responsible for the fake alerts it displays. These alerts are no longer visible when the user visits the Web pages that host the rogue software, which the Trojan includes on an encrypted list.
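As an added example (not code from this article or from BitDefender), the following Python script correlates constructed endpoint-telemetry events per process and flags a process that matches the installer behaviour described above: launched from a browser download folder, terminates Windows Defender, contacts servers on both .com and .cn domains, and only then touches a Microsoft update page. The event format, field names and hostnames are assumptions.

```python
"""Behavioural detection for the downloader chain described above.
Added example; the telemetry lines are constructed, not real captures."""
from collections import defaultdict

# Constructed events, one per line: timestamp|event|pid|detail
SAMPLE_LOG = """\
1|process_start|400|C:\\Users\\u\\Downloads\\install.exe
2|process_terminate|400|target=Windows Defender
3|net_connect|400|host=update-a.example.com
4|net_connect|400|host=update-b.example.cn
5|net_connect|400|host=www.update.microsoft.com
6|net_connect|400|host=downloads.example.com
7|process_start|500|C:\\Windows\\notepad.exe
8|net_connect|500|host=www.example.com
"""

def parse_events(text):
    """Split the pipe-delimited log into (ts, kind, pid, detail) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, pid, detail = line.split("|", 3)
        events.append((int(ts), kind, int(pid), detail))
    return events

def score_process(pid_events):
    """Return the indicator names matched by one process's events."""
    hits, tlds, saw_remote = set(), set(), False
    for _ts, kind, _pid, detail in sorted(pid_events):
        if kind == "process_start" and "\\downloads\\" in detail.lower():
            hits.add("started_from_downloads")      # binary came via browser
        elif kind == "process_terminate" and "defender" in detail.lower():
            hits.add("kills_defender")              # evades the built-in AV
        elif kind == "net_connect":
            host = detail.split("=", 1)[1].lower()
            if host == "microsoft.com" or host.endswith(".microsoft.com"):
                if saw_remote:                      # legit page after C2 traffic
                    hits.add("legit_lookalike_after_c2")
            else:
                saw_remote = True
                tlds.add(host.rsplit(".", 1)[-1])  # collect contacted TLDs
    if {"com", "cn"} <= tlds:
        hits.add("com_and_cn_servers")
    return hits

def detect(text, min_hits=3):
    """Map pid -> sorted indicators for processes matching >= min_hits."""
    by_pid = defaultdict(list)
    for ev in parse_events(text):
        by_pid[ev[2]].append(ev)
    scored = ((pid, score_process(evs)) for pid, evs in by_pid.items())
    return {pid: sorted(h) for pid, h in scored if len(h) >= min_hits}
```

Running `detect(SAMPLE_LOG)` reports only pid 400; the benign notepad process contacts a single .com host and matches nothing.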
P.S.: Allow me to express my gratitude towards my BitDefender colleague, researcher Razvan Benchea, for his help and support in investigating the e-threats described in this article.
Copyright 2011. Site powered by Bitdefender
Adrienne said on Aug-5-2009 12:48
Kimmy_Love said on Aug-17-2009 18:37
ty for the information and for showing me in depth what this program is capable of.