Be careful if you're trying to install a Windows ad blocker, because it could turn out to be malware.
A very nasty Trojan that combines ransomware and a cryptocurrency miner is posing as an ad blocker called AdShield Pro, says Kaspersky in a new report (opens in new tab). The malware has tried to infect more than 7,000 machines since Feb. 1.
- What to do if you're infected by ransomware
- The best ad blockers to speed up your page loads
- Plus: How to change the password on Windows 10
The malware also poses as OpenDNS networking software, the NetShield ad blocker and the Malwarebytes anti-malware software, Kaspersky said. The bogus software is often found through malicious websites that turn up in search results. The fake Malwarebytes version targeted more than 100,000 PCs back in August 2020, according to an Avast report (opens in new tab).
No matter what kind of software this Trojan pretends to be, the end result is that the XMRig combination ransomware/coin miner is installed on your machine. In fact, the malware locks up your files before it starts harnessing your CPU to mine the Monero cryptocurrency.
"The computer would already start earning money for the cybercriminals just as the user saw the ransom note," said an earlier Kaspersky writeup on XMRig (opens in new tab) from this past October.
But wait, it gets worse
The malware also downloads and installs a legitimate version of the Transmission Bittorrent client and creates a backdoor so that criminals can remotely access and control the machine. It reroutes the PC's DNS settings so that website-address lookups are resolved by the attackers' own servers and connections to antivirus websites are blocked.
It even tries to evade detection by comparing the actual system profile to what's in the Windows license file. If the two system profiles don't match, then the malware assumes it's running on a virtual machine — often used by information-security researchers — and the installation process stops.
Between the ransomware locking up your files, the coin miner ramping up your CPU, the hijacked DNS sending your web queries God knows where and the human attackers behind the malware gaining control of your machine, you'd be pretty hosed if this managed to get on your PC.
We would love to say the same about AdShield and NetShield, but it turns out there are several different programs available online using each of those names, so it might be best to avoid them all. (If you want ad blocking with no fuss, try the Brave browser (opens in new tab).)
And, of course, you should be running one of the best antivirus programs, which will detect and neutralize this threat before it can be installed.