    Archive for September, 2009




    Trend Micro researchers were alerted to blackhat SEO campaigns that lead to FAKEAV, or rogue antivirus. The cybercriminals behind these attacks hitchhiked on high-profile news such as the recent death of Patrick Swayze, Kanye West’s infamous interruption at the MTV VMA awards, and the death of Yale student Anne Le.

    Upon further analysis, our researchers discovered that the poisoned keywords are not limited to recent events. According to Advanced Threats Researcher Joey Costoya, many hijacked search terms point to FAKEAV.

    Here are some of the search terms:

    • Act Registration
    • Alan Thicke
    • Archer FX
    • Archer Fx
    • Beaches Movie
    • Cbs Survivor
    • Community Imdb
    • Community Nbc
    • Community Show
    • Community Tv
    • Delta Smelt
    • Dina Meyer
    • Divas Live 2009
    • Ernie Anastos
    • Fx Network
    • Gillian Jacobs
    • Grandma S Boy
    • Huron Ca
    • Huron California
    • Janet Napolitano
    • Joel Mchale
    • Kanye West Interruption Video
    • Katherine Heigl Baby
    • Melinda Loveless
    • My Date With The President S Daughter
    • Polwizjer
    • Ralphie May
    • Russell Hantz Oil Company
    • San Joaquin Valley
    • Sniffish
    • Starship Troopers
    • The Gang Exploits The Mortgage Crisis
    • The Office Gossip
    • The Valley Hope Forgot
    • Volkswagen L1 Concept

    These search strings are likely taken from Google Trends, which lists the top searches made on Google. The hijacked search strings then lead to sites that serve FAKEAV.

    In addition, the cybercriminals behind these attacks perform GeoIP checks: if the visitor has a US IP address, the FAKEAV site appears; otherwise, the URL returns an HTTP 404 page. Our advice to users in the US, who are clearly singled out as the target of these attacks: be extra careful!

    SEO poisoning is becoming the main delivery mechanism for rogue antivirus applications. It often rides on current events, as we have blogged about before in the following posts:

    Users are advised to be cautious in their Web searches and to visit credible websites only. Trend Micro already blocks and detects all malicious URLs through its Trend Micro Smart Protection Network.




    The Koobface botnet is widely known to install FAKEAV or rogue antivirus malware onto a victim’s PC. It has a dedicated component which actually installs the FAKEAV onto the user’s system. However, the Koobface gang has added a new twist to its fake Facebook page.

    When the user closes the window/tab with the fake Facebook page, a popup window appears. Whatever button the user clicks, this new Koobface variant is downloaded onto the affected system. Here’s a video that illustrates this behavior:


    This is the script used by the cybercriminals to perform this new routine; it only works for users who visit the fake page with Internet Explorer:

    Figure 1. Koobface script

    The script above leaves the user with very little choice: closing the browser window downloads a FAKEAV variant (detected as TROJ_FAKEAV.FGR), while clicking anywhere on the web page downloads a Koobface loader (detected as WORM_KOOBFACE.AZ).




    Trend Micro warns users of the latest spam campaign targeting US taxpayers with foreign bank and financial accounts. The spam rides on the September 23 extended deadline set by the Internal Revenue Service (IRS) for filing the Report of Foreign Bank and Financial Accounts (FBAR).

    The spammed message bears the subject “Notice of Underreported Income” and lures users into clicking a link that supposedly leads to their tax statement. Users who click the URL are led to a site where they are infected with various ZBOT variants, which are notorious for their information-theft routines. Trend Micro detects these variants as TSPY_ZBOT.BZJ, TSPY_ZBOT.BZT, TSPY_ZBOT.BZS, and TSPY_ZBOT.COB.


    Figure 1. Bogus IRS Spam

    Ever since this spam run began, ZBOT creators have been generating new binaries, probably to avoid detection and removal.

    Spammers often ride on the tax season to trick users into giving up their credentials and even into infecting their PCs with malware. We blogged about this in the following posts:

    Trend Micro already detects and blocks this spam attack with the Trend Micro Smart Protection Network. Users are advised to obtain their tax statements directly from the IRS.




    We have encountered a new phishing scam that targets ClickandBuy. The London-based competitor to eBay offers both billing and payment solutions, so it is no surprise that cybercriminals would be interested in stealing the login information of ClickandBuy users.

    Phishers have created a duplicate of a legitimate German-language ClickandBuy login page on at least one malicious website. The fake site can be seen below:

    Figure 1. Phishing website

    After entering their credentials, users would be redirected to the legitimate ClickandBuy site. Users would then think everything was normal, when nothing could be further from the truth. The phishing website is a very close match to the legitimate site, which is shown below for comparison:

    Figure 2. Legitimate website

    Users are advised to be very careful about where they enter their login credentials, to guard against attacks like this one. In this case, for example, the connection to the phishing site was not encrypted, whereas the connection to the legitimate website was. (All browsers show this in their user interface, usually with a padlock icon.)

    The phishing URL in this attack is already blocked by the Trend Micro Smart Protection Network.



    Sep 16, 4:05 am (UTC-7)

    Industry experts have previously estimated that, on average, a compromised machine remains infected for 6 weeks. However, our latest research indicates that this estimate is far from accurate. In an analysis of approximately 100 million compromised IP addresses, we found that half of all IP addresses were infected for at least 300 days. That percentage rises to 80 percent if the minimum time is reduced to a month. This data is shown graphically below:

    Figure 1. Infection data by country

    The news only gets worse from that point. While three-fourths of the IP addresses in our study were identified with consumer users, the remaining quarter belongs to enterprise users. Because a single IP address for these users is typically identified with a single gateway which may, in turn, be connected to multiple machines in an internal network, the actual percentage of enterprise machines affected by malware may be higher than the IP address data suggests.
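    The methodology described above, as an added example that is not code from Trend Micro or the original post: given a feed of sightings of compromised IP addresses (date seen, address, consumer or enterprise segment), compute each address's observed infection window, the share of addresses infected for at least a given number of days, and the consumer/enterprise split. The CSV layout, the field names and the sample records (RFC 5737 documentation addresses) are constructed assumptions.

```python
"""Infection-duration analysis over a constructed feed of compromised-IP sightings.

Added example, not code from Trend Micro or the original post. The CSV layout,
field names and records below are assumptions; the addresses are RFC 5737
documentation ranges, not real telemetry.
"""
from collections import defaultdict
from datetime import date

# Constructed sightings: ISO date the address was seen in malicious traffic,
# the address, and the segment its address space belongs to.
SIGHTINGS = """\
2009-01-05,198.51.100.7,consumer
2009-11-20,198.51.100.7,consumer
2009-03-01,198.51.100.8,consumer
2009-03-10,198.51.100.8,consumer
2009-02-14,203.0.113.5,enterprise
2009-12-31,203.0.113.5,enterprise
2009-06-01,203.0.113.9,enterprise
2009-06-01,203.0.113.9,enterprise
2009-04-02,192.0.2.33,consumer
2009-05-20,192.0.2.33,consumer
2009-01-10,192.0.2.40,consumer
2009-12-01,192.0.2.40,consumer
"""


def parse_sightings(text):
    """Return {ip: (first_seen, last_seen, segment)} from CSV sighting lines."""
    first, last, segment = {}, {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        day_s, ip, seg = line.split(",")
        day = date.fromisoformat(day_s)
        first[ip] = min(first.get(ip, day), day)
        last[ip] = max(last.get(ip, day), day)
        segment[ip] = seg
    return {ip: (first[ip], last[ip], segment[ip]) for ip in first}


def infection_days(records):
    """Days between first and last sighting per address (0 for a single-day sighting).

    This is a lower bound on the true infection time: the machine was infected
    at least this long, possibly longer outside the observation window.
    """
    return {ip: (last - first).days for ip, (first, last, _) in records.items()}


def fraction_infected_at_least(durations, min_days):
    """Share of addresses whose observed infection window is at least min_days."""
    if not durations:
        return 0.0
    return sum(1 for d in durations.values() if d >= min_days) / len(durations)


def segment_share(records):
    """Share of addresses per segment (consumer vs enterprise)."""
    counts = defaultdict(int)
    for _, _, seg in records.values():
        counts[seg] += 1
    total = sum(counts.values())
    return {seg: n / total for seg, n in counts.items()}


def summarize(text, thresholds=(30, 300)):
    """Build the headline numbers the post reports, for an arbitrary feed."""
    records = parse_sightings(text)
    durations = infection_days(records)
    return {
        "addresses": len(records),
        "at_least": {t: fraction_infected_at_least(durations, t) for t in thresholds},
        "segments": segment_share(records),
    }


if __name__ == "__main__":
    report = summarize(SIGHTINGS)
    print(f"{report['addresses']} compromised addresses")
    for days, share in report["at_least"].items():
        print(f"infected >= {days} days: {share:.0%}")
    for seg, share in report["segments"].items():
        print(f"{seg}: {share:.0%}")
```

    On the constructed feed, half of the addresses are seen for at least 300 days and two thirds for at least a month. As the post notes, an enterprise address usually sits in front of a NAT gateway, so counting addresses undercounts the enterprise machines behind them; the segment share here is a share of addresses, not of hosts.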

    Once a machine becomes compromised, it is not unusual to find that it has become part of a wider botnet. Botnets frequently cause damage in the form of malware attacks, fraud, information theft, and other crimes. In 2009, virtually all malware tracked by Trend Micro experts is used by cybercriminals to steal information.

    Currently, the three most dangerous botnets in relation to information, financial and identity theft are:

    • Koobface
    • ZeuS/Zbot
    • Ilomo/Clampi

    Overall, botnets control more compromised machines than had been previously believed. Only a handful of criminals (likely a few hundred) have more than 100 million computers under their control. This means that cybercriminals have more computing power at their disposal than the entire world’s supercomputers combined. It’s no wonder then that more than 90 percent of all e-mail worldwide is now spam.

    While there isn’t exactly a 1:1 correlation between the top ten countries with compromised machines and the top spamming countries, some correlation does exist:

    Figure 2. Compromised systems by country

    Using Koobface as an example of a typical botnet, Trend Micro threat experts have established that about 51,000 compromised machines are currently part of this particular botnet. At any time, Koobface uses 5 or 6 command-and-control (C&C) servers to control these compromised machines. If one C&C domain is taken down by a particular provider, the Koobface gang simply re-registers the same C&C domain with another provider. Between mid-March 2009 and mid-August, Trend Micro researchers recorded around 46 Koobface C&C domains.

    In comparison, 69 C&C domains were identified while studying the Ilomo botnet. However, this number is difficult to confirm, as new domains are added and others removed daily. In addition, the number of infected machines within the Ilomo botnet cannot be ascertained owing to the structure of the botnet itself.

    Trend Micro threat experts are committed to ongoing technical research and analysis. Technical reports of the Koobface and Ilomo botnets have been published and can be found in the research and analysis section of TrendWatch.

    Fortunately, new technologies are becoming available to counter these ever-growing threats. The Trend Micro Smart Protection Network prevents over 1 billion threats from infecting its customers daily.

    Trend Micro uses the power of Smart Protection Network to detect and protect against infections. The Smart Protection Network is made up of 3 core areas: Email Reputation, Web Reputation and File Reputation combined with more traditional endpoint anti-spam and anti-malware protection techniques.

    Processing over 5 billion customer queries per day, the Trend Micro Smart Protection Network is a next generation cloud-client content security infrastructure designed to block threats before they reach a network. By combining in-the-cloud technologies with smaller, lighter-weight clients, users have immediate access to the latest protection.




    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice