Some elements of the page are dynamic, in particular the toll free phone number, which allows the crooks to update it whenever they need to. The BSOD itself is created with the following code: This allows the piece of malware to communicate with the command and control server at regular intervals and determines whether it should display the fake BSOD or not. The sample then installs the hook point by adding a task in the TaskScheduler so that it can run in the future even if the computer is rebooted: Then, the harvested data is sent to a remote database – credentials are hardcoded inside the binary (poor opsec) – as well as stored in a local configuration file: We note the detection of Virtual Machines so that if the file is ran in VMware, it will simply exit without doing its true payload. If the right argument is passed, we move to the next phase where the malware checks the system for various pieces of information such as IP address, country, city, etc: This is a rather basic but yet interesting piece of scareware whose purpose is to create a more persistent way of nagging users by using malware-like techniques.įirst, the sample will not do its payload unless a special argument (pictured below) is passed to it, which is most likely a (weak) attempt to appear benign when analyzed in a sandbox. C:\Users\%userprofile%\AppData\Roaming\SenseIUpdater\ It is worth noting that this happens when the PUP is ran, but before clicking on the Next ‘I agree’ button. Which drops a digitally signed executable ( SenseIUpdater.exe) manufactured by Fidelis IT Solutions Private Limited. Not too surprisingly, it started from a PUP (thanks Rich Matteo for identifying it): We dug for the initial installer that lead to this ‘infection’. More annoying is the fact that this ‘hijack’ happens at regular intervals.
Tech support scammers had another trick up their sleeve and in a case first reported in the BleepingComputer forums, essentially built a piece of malware to create an almost genuine BSOD.Īs you can see in below, there is no browser window and the BSOD is displayed in full screen.
Those scare pages are also quite effective and particularly annoying to get rid of thanks to the use of JavaScript code to pop an alert ad infinitum. The template for those pages is quite straightforward with only a few lines of HTML code: It’s all about scare tactics to get people to call in for support. Miscreants even register the websites with very explicit names and launch them via by rogue affiliates or black hat advertisers. We documented the use of scare pages before and the BSOD theme was a natural fit. It is also a rather scary screen (at least up until Windows 8) and that is exactly what tech support scammers are capitalizing on to trick potential victims into calling for immediate assistance. To the end user, it usually means that they have lost all their work and that Windows might not be happy the next time it reboots.
The BSOD can occur for many reasons, for example when there is a memory access violation.
Many Windows users are familiar with the dreaded Blue Screen of Death (AKA BSOD), which usually happens when the system crashes.