Gootloader is a malware distribution technique that spreads trojans and other malicious programs.
Gootloader shows fake forum pages. These forum posts share links to malicious Zip archives that can download and install dangerous malware. Gootloader’s webpages appear in web search results, mostly on Google, and can appear very believable.
How Gootloader works:
| | |
|---|---|
| How to recognize Gootloader | Fake forum posts that reference your search query appear in your search results; these posts offer a link to a file named after your query. |
| Dangers posed by the trojan | Gootloader downloads spyware trojans and file-encrypting ransomware. |
| How to avoid Gootloader | Be careful when downloading files from the internet, |
Gootloader – malware through fake forums
Gootloader sites appear in web search results
Gootloader is a method for spreading malware. It involves procedurally-generated forum pages and malicious internet search results.
Here’s roughly how the scheme works:
- You type a query into Google or another search engine.
- The search results return links to forum pages.
- The forum posters reference your query exactly.
- The forum posts include a link to download the thing you were searching for.
- The link downloads a malicious file that can download a trojan.
This is Gootloader. Malicious actors hack legitimate websites and upload fake forum pages to them. These pages then appear in search results – and the administrators of the hacked website might not even know what’s going on.
Sophos has recently released an analysis of Gootloader that I recommend you check out if you want to learn more.
According to this analysis, Gootloader targets people in North America, South Korea, Germany, and France. But even if you’re outside these regions, keep your guard up. Similar schemes are already used to spread scams. Besides, Gootloader could expand or other malicious groups could copy its method.
Malware spread on fake message boards
We at 2-viruses occasionally come across various fake forum pages:
I was under the impression that those sites were merely used to trick people into revealing their credit card information and signing up for scammy subscription services. But Gootloader uses similar fake forums to spread far more serious threats – remote access trojans and ransomware.
There’s no single format that these fake forum pages use. But you can still recognize them by a few oddities:
- The message board can’t be interacted with. Clicking links and menus either downloads a file or opens an unrelated site.
- Your search query is referenced in the original forum post exactly. It might not make any sense grammatically.
- The file downloaded from the malicious page is also named after your search query.
- The file downloaded is an executable or an archive.
Here’s a screencap of the fake forum posted by Areteir.com in their Gootloader analysis:
If you find yourself on a page that looks like that, run away.
How to avoid Gootloader infections
Gootloader delivers Gootkit, a credential-stealing trojan. It also spreads Sodinokibi ransomware and other trojans, including remote access trojans (malicious programs that enable malicious actors to directly control the infected computer).
Just visiting the fake forum pages doesn’t infect your computer. Downloading the linked file and then opening it does.
Scan the files that you download. If you get an unexpected file type (turn on the display of file extensions so you can see the real one) or a file of unexpected size, don’t open it.
If Gootloader did compromise your computer, remove all malware on it and quickly change your passwords. If a trojan stole your passwords, resetting them should protect your accounts from being stolen.
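The checks above (a download named after your search query, an archive or executable where a document was expected, a file type that does not match its extension) can be applied mechanically. The following is an added example written for this article, not code from 2-viruses or from any Gootloader analysis; the list of risky member extensions and the sample archive are assumptions constructed for the demonstration.

```python
import io
import re
import zipfile

# Member types a "document" download should never contain (assumption for this
# example: scripts and executables inside an archive are what a dropper carries).
RISKY_MEMBER_EXTENSIONS = (".exe", ".scr", ".dll", ".msi", ".js", ".jse",
                           ".vbs", ".wsf", ".bat", ".cmd", ".ps1")


def sniff_type(data: bytes) -> str:
    """Classify content by its leading bytes, so a renamed file cannot hide its type."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:2] == b"MZ":
        return "executable"
    return "other"


def assess_download(filename: str, data: bytes, query: str) -> list:
    """Return the red flags for a downloaded file, following the article's advice."""
    flags = []
    # 1. Is the file named after the search query (all significant query words present)?
    words = [w for w in re.findall(r"[a-z0-9]+", query.lower()) if len(w) > 2]
    name_words = re.sub(r"[^a-z0-9]+", " ", filename.lower()).split()
    if words and all(w in name_words for w in words):
        flags.append("named-after-search-query")
    # 2. Is it really an executable or archive, whatever the name says?
    kind = sniff_type(data)
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if kind == "executable":
        flags.append("executable")
    if (kind == "zip" and ext != "zip") or (kind == "executable" and ext not in ("exe", "scr", "dll")):
        flags.append("type-mismatch")
    # 3. For archives, look inside: a script or executable member is the payload carrier.
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if any(m.lower().endswith(RISKY_MEMBER_EXTENSIONS) for m in zf.namelist()):
                flags.append("archive-contains-script-or-executable")
    return flags


def build_sample() -> bytes:
    """Constructed sample: a zip holding one script named after a query (not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("free contract template 2021.js", "// constructed placeholder, no payload\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(assess_download("free_contract_template_2021.zip", build_sample(), "free contract template 2021"))
```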
Automatic Malware removal tools