Gootloader is a malware distribution technique that spreads trojans and other malicious programs.
Gootloader shows fake forum pages. These forum posts share links to malicious Zip archives that can download and install dangerous malware. Gootloader’s webpages appear in web search results, mostly on Google, and can appear very believable.
Gootloader Fake Forums quicklinks
- Gootloader – malware through fake forums
- Gootloader sites appear in web search results
- Malware spread on fake message boards
- How to avoid Gootloader infections
- Automatic Malware removal tools
(Win)
Note: Spyhunter trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions,
(Mac)
Note: Combo Cleaner trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions, Refund Policy ,
How Gootloader works:
| Threat type | Trojan,
phishing. |
|---|---|
| How to recognize Gootloader | Fake forum posts reference your search query appear in your search results,
these posts offer a link to a file named after your query. |
| Dangers posed by the trojan | Gootloader downloads spyware trojans and file-encrypting ransomware. |
| How to avoid Gootloader | Be careful when downloading files from the internet,
protect your computer with antivirus programs (Spyhunter, Malwarebytes, others). |
Gootloader – malware through fake forums
Gootloader sites appear in web search results
Gootloader is a method for spreading malware. It involves procedurally-generated forum pages and malicious internet search results.
Here’s roughly how the scheme works:
- You type a query into Google or another search engine.
- The search results return links to forum pages.
- The forum posters reference your query exactly.
- The forum posts include a link to download the thing you were searching for.
- The link downloads a malicious file that can download a trojan.
This is Gootloader. Malicious actors hack legitimate websites and upload on them fake forum pages. These pages then appear visible in search results – and the administrators of the hacked website might not even know what’s going on.
Sophos has recently released an analysis of Gootloader that I recommend you check out if you want to learn more.
According to this analysis, Gootloader targets people in North America, South Korea, Germany, and France. But even if you’re outside these regions, keep your guard up. Similar schemes are already used to spread scams. Besides, Gootloader could expand or other malicious groups could copy its method.
Malware spread on fake message boards
We on 2-viruses occasionally come across various fake forum pages:
- Fake Yahoo answers posts.
- The Download-pdfs.com scam.
- Fake Qanswers.site posts.
I was under the impression that those sites were merely used to trick people into revealing their credit card information and signing up for scammy subscription services. But Gootloader uses similar fake forums to spread far more serious threats – remote access trojans and ransomware.
There’s no single format that these fake forum pages use. But you can still recognize them by a few oddities:
- The message board can’t be interacted with. Clicking links and menus downloads a file to be downloaded or opens an unrelated site.
- Your search query is referenced in the original forum post exactly. It might not make any sense grammatically.
- The file downloaded from the malicious page is also named after your search query.
- The file downloaded is an executable or an archive.
Here’s a screencap of the fake forum posted by Areteir.com in their Gootloader analysis:
If you find yourself on a page that looks like that, run away.
How to avoid Gootloader infections
Gootloader delivers Gootkit, a credential-stealing trojan. It also spreads Sodinokibi ransomware and other trojans, including remote access trojans (malicious programs that enable malicious actors to directly control the infected computer).
Just visiting the fake forum pages doesn’t infect your computer. Downloading the linked file and then open it does.
According to the analysis linked above, the Gootloader sites offer a Zip archive. Inside the archive is a Javascript file – the malicious script. If you were to double-click the Javascript file, Windows would run the script. Once it’s run, the Gootloader file waits until you reboot your computer and then downloads more malware.
Scan the files that you download. If you get an unexpected file type (show file extensions) or a file of unexpected size, don’t open it.
Protect your computer with antivirus tools such as Spyhunter, Malwarebytes, and others. The trojans that Gootloader downloads can be difficult to remove manually, even for a professional.
If Gootloader did compromise your computer, remove all malware on it and quickly change your passwords. If a trojan stole your passwords, resetting them should protect your accounts from being stolen.
Automatic Malware removal tools
(Win)
Note: Spyhunter trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions,
(Mac)
Note: Combo Cleaner trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions, Refund Policy ,