
Site blockers spread with Fusion Media Player

October 14, 2010

Doctor Web warns users of Trojan.HttpBlock programs, which are found in large numbers in the wild. These Trojans block access to popular web-sites and demand that users pay a ransom to be able to visit the sites again. Currently, requests related to curing systems of Trojan.HttpBlock constitute 80% of the total number of free requests from victims of cyber-fraud submitted to Doctor Web.

The first samples of Trojan.HttpBlock were discovered on September 22, 2010. Once in the system, the malware modifies the hosts file to block access to popular web-resources.

Trojan.HttpBlock is a new milestone in the evolution of ransomware in Russia. It is designed to address difficulties that hampered the smooth operation of the criminal business.

Unlike Trojan.Hosts programs, which also block access to web-sites by redirecting a browser to malicious sites, Trojan.HttpBlock redirects users to a web-server installed on the compromised system.
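A defensive check for the behaviour described above, as an added example that is not Doctor Web's code: it lists hosts-file entries that point a non-local name at the machine itself. It assumes the redirect uses a loopback address or one of the machine's own addresses (passed in as `local_addrs`); the function names and the sample data are constructed for illustration.

```python
import ipaddress

# Names that legitimately map to the local machine in a default hosts file.
BENIGN_LOCAL_NAMES = {"localhost", "localhost.localdomain",
                      "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed line, skip it
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")

def suspicious_entries(text, local_addrs=()):
    """Return mappings that send a non-local name to this machine.

    local_addrs: the machine's own interface addresses (assumption: the
    caller collects them, e.g. from ipconfig output).
    """
    local = {ipaddress.ip_address(a) for a in local_addrs}
    hits = []
    for line_no, ip, name in parse_hosts(text):
        points_here = ip.is_loopback or ip in local
        if points_here and name not in BENIGN_LOCAL_NAMES:
            hits.append((line_no, str(ip), name))
    return hits

# Constructed sample input (not taken from a real infection).
SAMPLE = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       social.example  www.social.example
192.0.2.10      intranet.example
192.168.1.23    mail.example
"""

if __name__ == "__main__":
    for line_no, ip, name in suspicious_entries(SAMPLE, ["192.168.1.23"]):
        print(f"line {line_no}: {name} -> {ip}")
```

On Windows the hosts file is normally at `%SystemRoot%\System32\drivers\etc\hosts`. Ad-blocking hosts lists that map names to 127.0.0.1 will be flagged as well, so each hit needs a manual look.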

This new approach makes the cyber-criminals' task easier. With Trojan.HttpBlock they no longer need to seek hosting providers for their web-sites or mimic the design of a popular site to deceive a potential victim. Trojan.HttpBlock displays a text message in a browser window informing the user that he is no longer allowed to access the Internet because he frequented adult content web-sites.



The malicious programs also disrupt the operation of certain utilities used to analyse an infected system. The Trojan terminates certain processes that it treats as dangerous, taken from a list drawn up by its developers. Trojan.HttpBlock can terminate 32-bit as well as 64-bit processes under 64-bit versions of Windows.

The latest modifications of Trojan.HttpBlock have some strings encrypted to complicate analysis of the malicious files.

Trojan.HttpBlock spreads as a distribution of Fusion Media Player available for download from sites providing free content (typically pirated software). Loading such sites often brings up pop-up windows supposedly displaying video clips from adult content sites. When a user attempts to play such a video clip, he is prompted to download and install the media player.



If the user agrees, an msi file is downloaded. It does contain a distribution of Fusion Media Player along with the Trojan. Many people decide to install the player because they believe that malicious programs spread only as exe files. The fact that the player really is installed makes it less likely that the user will connect the installation with the infection.

In most cases, scanning the system with Dr.Web CureIt!, available free of charge for home use, neutralizes the infection.

More than thirty modifications of Trojan.HttpBlock have been added to the Dr.Web virus databases since it was discovered. The Trojan.HttpBlock.origin entry was also created for the Origins Tracing routine to detect unknown modifications of the malware.

In addition, Doctor Web has been providing prompt free support to users who fell victim to cyber-fraud. In the last month the number of requests for free support has increased threefold compared with the 24-hour average registered in recent months and now amounts to 80% of the total: 250-300 and more per 24 hours.
