A URL link to a Trojan posing as a copy of the Trend Micro RootkitBuster is currently being spammed in the wild.
It was found that the email containing the said malicious URL is being spammed to members registered to certain freeware download domains, such as www.bestfreewaredownload.com and betterwindowssoftware.com. This hacked version of RootkitBuster is apparently used to gather email addresses from its users.
It is now detected as TROJ_FAKEBUSTR.A. It displays a fake GUI (Graphical User Interface) of the Trend Micro RootkitBuster as shown below:
This Trojan then displays the following window to prompt target users to activate the “product” and its updates through registration of their names and email addresses:
The data entered by unknowing users is then sent to a remote malicious user, possibly using the gathered addresses to spam the same Trojan to more users or for other more malicious activities.
The real RootkitBuster can be downloaded for free directly from the Trend Micro Web site. It is not spammed and it does not ask for any information from the user when it is downloaded.
Security vendor Prevx has also found their product used in a similar scheme when a hacked copy of their ComputerSecurityInvestigator was discovered to be available for download at CNET’s Download.com.
Downloading anything (yes, even security applications) should always be done with caution, lest your computer goes bust courtesy of these fakes.
Thank you to Prevx for all their help in this case.
Additional information provided by Senior Threat Engineer Millette Regulacio
