TrendLabs Malware Blog - Trend Micro

Archive for December 21st, 2009

    Cybercriminals have been found riding on Brittany Murphy’s sudden death to scare people into buying FAKEAV. Searching for keywords like “brittany murphy’s death” on Google resulted in at least two suspicious URLs:

    • http://{BLOCKED}erracing.net/vwb.php?sell=brittany%20murphy%20death
    • http://{BLOCKED}x.net/icd.php?go=brittany%20murphy%20death

    The spike in searches on Murphy’s death has become the theme of the latest blackhat search engine optimization (SEO) attack, which pushed malicious pages into search results so that they redirect users to scareware portals. These portals have been injected with a malicious script detected by Trend Micro as HTML_FAKEAV.WAF.

    Users who click poisoned search results will be alerted to supposed malware infections via a fake message prompt, followed by bogus scanning results and another message prompting them to download a FAKEAV to rid their system of the infection.


    HTML_FAKEAV.WAF also accesses URLs (detected by Trend Micro as JS_RENOS.WCF) to download more malware and TROJ_KRAP.DAM (a damaged FAKEAV installer).

    Users are thus advised to rely only on trusted news sites for reports on Murphy’s death to prevent system infection. By now, they should have learned that cybercriminals often use celebrity deaths to further their malicious causes as shown in earlier blog posts:

    Trend Micro product users are protected from this threat by the Smart Protection Network, which blocks user access to related malicious sites and prevents the download of the malicious scripts.

     



    We have recently received queries from customers about the official exclusion list recommendations from Microsoft. Microsoft has published a Knowledge Base entry that lists recommendations for improving Windows performance when running antivirus scanners.

    This list recommends that customers exclude certain extensions and folders from antivirus scanning. Although it does make sense to stop checking Windows Update and some Group Policy-related files if you really want to speed up the system, we are concerned that this was released publicly.

    This is an overview of the recommendations from Microsoft:

    • Certain files in the SoftwareDistribution folder
    • Certain specific file names (e.g., edb.chk)
    • A small list of extensions in certain specific folders (e.g., *.log)

    Plus some similar lists for Group Policy files.

    Following the recommendations does not pose a significant threat as of now, but it has great potential to become one. Cybercriminals may strategically drop or download a malicious file into one of the folders that are recommended to be excluded from scanning, or use a file name extension that is also on the excluded list.

    We find it sensible for users to aim for better system performance. However, we also think that excluding certain file types or folders from antivirus scanning is not something novice users should tinker with. Doing so may expose the system to risks that can lead to an inconvenience far more severe than a slightly slower system.

    In line with this, we advise users to educate themselves fully about these recommendations before taking any action. We recommend that users not exclude any file unless there is a critical reason to do so, and that they be aware of the risks such an action entails.
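    The risk described above (a file dropped into an excluded folder, or given an excluded extension, is never inspected) is easy to make concrete by modelling an exclusion list and asking which paths it would skip. The script below is an added example written for this page; it is not Trend Micro code and not Microsoft's actual list. It models the three kinds of entry the post describes (a folder, a specific file name, an extension limited to a folder), compares a broad "exclude the whole folder" list with a narrow one, and reports which constructed sample paths each would leave unscanned. All folder paths, file names and sample paths are constructed assumptions.

```python
"""Audit an antivirus exclusion list: which files would it leave unscanned?

Models three exclusion kinds (a folder, a specific file name, an extension
limited to a folder) and evaluates constructed sample paths against them.
Added example for this page; paths and names below are illustrative.
"""
import fnmatch
import ntpath  # Windows path semantics, so this runs on any host OS

SD = r"C:\Windows\SoftwareDistribution"  # constructed example folder

# A broad list: the kind a novice might configure to "speed things up".
BROAD = [
    {"kind": "folder", "value": SD},
]

# A narrow list: only specific file names, and one extension in one folder.
NARROW = [
    {"kind": "filename", "value": "edb.chk", "folder": SD + r"\DataStore"},
    {"kind": "filename", "value": "DataStore.edb", "folder": SD + r"\DataStore"},
    {"kind": "extension", "value": "*.log", "folder": SD + r"\DataStore\Logs"},
]


def _norm(p):
    """Case-fold and normalise a Windows path for comparison."""
    return ntpath.normcase(ntpath.normpath(p))


def _under(path, folder):
    """True if path lies anywhere below folder (recursive)."""
    return _norm(path).startswith(_norm(folder) + "\\")


def _directly_in(path, folder):
    """True if path's parent directory is exactly folder (non-recursive)."""
    return _norm(ntpath.dirname(path)) == _norm(folder)


def matching_exclusion(path, exclusions):
    """Return the first exclusion entry that would skip `path`, or None."""
    name = ntpath.basename(path).lower()
    for ex in exclusions:
        kind, value = ex["kind"], ex["value"].lower()
        if kind == "folder" and _under(path, ex["value"]):
            return ex
        if kind in ("filename", "extension"):
            if _directly_in(path, ex["folder"]) and fnmatch.fnmatchcase(name, value):
                return ex
    return None


def unscanned(paths, exclusions):
    """Subset of paths a scanner honouring `exclusions` would never inspect."""
    return [p for p in paths if matching_exclusion(p, exclusions) is not None]


def risk_report(exclusions):
    """Flag entries that let an intruder pick a location or name that evades scanning."""
    findings = []
    for ex in exclusions:
        if ex["kind"] == "folder":
            findings.append(f"folder exclusion {ex['value']}: any file dropped there is skipped")
        elif ex["kind"] == "extension":
            findings.append(f"extension exclusion {ex['value']} in {ex['folder']}: a renamed file matches")
    return findings


SAMPLE_PATHS = [  # constructed sample paths
    SD + r"\DataStore\DataStore.edb",        # legitimate, meant to be excluded
    SD + r"\DataStore\edb.chk",              # legitimate, meant to be excluded
    SD + r"\DataStore\Logs\edb.log",         # legitimate log
    SD + r"\DataStore\dropper.exe",          # unexpected file in the excluded folder
    SD + r"\DataStore\Logs\payload.log",     # unexpected file with the excluded extension
    r"C:\Users\Public\edb.chk",              # excluded name, but outside the folder
]

if __name__ == "__main__":
    for label, rules in (("broad", BROAD), ("narrow", NARROW)):
        print(f"{label}: unscanned = {unscanned(SAMPLE_PATHS, rules)}")
        for finding in risk_report(rules):
            print("  !", finding)
```

    Under the broad list every file below SoftwareDistribution is skipped, including dropper.exe. The narrow list still scans dropper.exe and the stray edb.chk under Users, but payload.log in the Logs folder remains unscanned: an extension rule, even confined to one folder, is still a name the attacker gets to choose, which is exactly the concern raised above.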

     



    Tricking users into downloading rogue AV is an age-old cybercriminal tactic that still works. Hence the continuing rise in the number of rogue AV programs pushed to unwitting scam victims to this day. In fact, the FBI just recently warned the public about the threat that rogue AV software poses, saying it has resulted in more than US$150 million in losses to victims.


    The earliest rogue AV ploys relied on scareware tactics, warning users of supposed infections. The shift toward a more profit-driven threat landscape, however, also prompted cybercriminals to employ more devious and cunning techniques. Today, they often use search engine optimization (SEO) techniques that infect users simply for visiting certain sites, seemingly mimicking the manner in which real-time antivirus products protect systems.

    Some rogue AV employ “ransomware” tactics. They encrypt files, taking them hostage so users cannot use them. To recover the files, a user has to download a paid version of the program, but just like its predecessors, this is all a scam. The paid version of the program merely undoes the problem it created in the first place, and only after the user has been forced to pay up.


    Cybercriminals use several social engineering techniques to spread rogue AV among computer users. Spammed messages containing URLs that lead to sites where rogue AV can be downloaded are very common. Some, however, are more imaginative, rigging search engine results with links to downloadable, seemingly legitimate antivirus applications.

    Another ingenious social engineering ploy to spread rogue AV involves the use of codecs. As several media files require codecs for playback, users who want to stream videos are often victimized by downloading rogue AV posing as video codecs. Celebrity deaths (e.g., Corazon Aquino) and tragic events (e.g., tropical storms) have also become unwitting participants in rogue AV scams.

    Social networking sites such as Twitter and Facebook have also become unwilling sources of rogue AV, thanks to the KOOBFACE botnet’s dedicated FAKEAV installer component.

    TrendLabs has observed that rogue AV authors, sellers, and resellers now employ enhanced social engineering tactics, taking advantage of trendy topics in popular search engines. They have also been found to use GeoIP tracking. These attacks employ similar techniques as blackhat SEO campaigns albeit in a more targeted sense.

    Cybercriminals will really stop at nothing just to further their profiteering schemes. And though users have been warned time and again of staying away from links that come from unknown users—whether in emails or tweets—it seems curiosity will still get the better of them, allowing cybercriminals to continue infecting them with the great mass of available rogue AV on the Web.

    Fortunately, Trend Micro Smart Protection Network protects users against all these kinds of rogue AV and other similar malware threats.

     



    Cybercriminals Go to The Cloud

    In a recent article, Dancho Danchev illustrated Trend Micro’s prediction that cloud hosting services such as Amazon EC2 can easily be used for fail-over command and control (C&C) botnet services.

    Just recently, Trend Micro had an issue with some IP ranges from the Amazon EC2 data centers. Under the procedures of our email reputation database, actively spamming IP addresses are automatically blocked.

    Hosting, as always, can be used as a platform for malware distribution. It does not really matter whether it is a very small hosting provider with a few racks of hardware or a huge infrastructure with tons of hardware offering services in the cloud.

    The legitimate IP addresses of the cloud pool enable cybercriminals to run their malware services on what appears to be abuse-free hosting. If we take EC2 as an example, a client can reserve a pool of IP addresses and can easily manipulate this list by assigning a virtual instance to an existing IP from the pool or by adding new ones.

    Fraudulent activities in the hosting cloud are difficult to trace. This makes perfect sense for cybercriminals who are trying to take advantage of a reputable organization by using it to hide their malicious business model. With that in mind, it is likely that in 2010, we will see a significant growth in the misuse of cloud hosting services.
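    The two observations above (spamming addresses get blocked automatically, and a cloud tenant can hand a pooled address to a different instance at any time) pull in opposite directions for a reputation list: a week-long block on a pooled address may end up penalising the next, legitimate tenant, while a block that expires too soon lets the spammer continue. The sketch below is an added example written for this page, not Trend Micro's email reputation system. It keeps a per-address spam counter, blocks after a threshold, and gives addresses inside known re-assignable pools a shorter block lifetime than fixed addresses. The pool CIDR (203.0.113.0/24, a documentation range), the thresholds, the lifetimes and the event timeline are all constructed assumptions.

```python
"""Reputation blocking that accounts for re-assignable cloud IP pools.

Added example for this page. Addresses, pool ranges, thresholds and
timings are constructed; none of them describe a real provider.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed: ranges known to be handed out from a shared, re-assignable pool.
# 203.0.113.0/24 is the TEST-NET-3 documentation range, used here as a placeholder.
CLOUD_POOLS = [ipaddress.ip_network("203.0.113.0/24")]

FIXED_TTL = timedelta(days=7)   # a fixed address keeps its owner; a long block is safe
POOL_TTL = timedelta(hours=6)   # a pooled address may change tenant; expire sooner


def is_cloud_pool(ip):
    """True if the address falls inside one of the known re-assignable pools."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_POOLS)


class ReputationList:
    """Block a sender after `threshold` spam observations, with pool-aware expiry."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.hits = {}    # ip -> list of observation times
        self.blocks = {}  # ip -> expiry time

    def record_spam(self, ip, when):
        """Record one spam observation; start or extend a block at the threshold."""
        self.hits.setdefault(ip, []).append(when)
        if len(self.hits[ip]) >= self.threshold:
            ttl = POOL_TTL if is_cloud_pool(ip) else FIXED_TTL
            self.blocks[ip] = when + ttl
        return self.blocks.get(ip)

    def is_blocked(self, ip, now):
        """Check a sender; expired blocks are dropped so a new tenant starts clean."""
        expiry = self.blocks.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocks[ip]
            self.hits.pop(ip, None)
            return False
        return True


def run_scenario():
    """Constructed timeline: one pooled and one fixed sender spam three times each.

    Returns (pool_blocked_1h, pool_blocked_7h, fixed_blocked_6d, fixed_blocked_8d).
    """
    t0 = datetime(2009, 12, 21, 12, 0)
    pool_ip, fixed_ip = "203.0.113.7", "198.51.100.9"  # constructed senders
    rl = ReputationList(threshold=3)
    for minute in range(3):
        rl.record_spam(pool_ip, t0 + timedelta(minutes=minute))
        rl.record_spam(fixed_ip, t0 + timedelta(minutes=minute))
    return (
        rl.is_blocked(pool_ip, t0 + timedelta(hours=1)),
        rl.is_blocked(pool_ip, t0 + timedelta(hours=7)),
        rl.is_blocked(fixed_ip, t0 + timedelta(days=6)),
        rl.is_blocked(fixed_ip, t0 + timedelta(days=8)),
    )


if __name__ == "__main__":
    print(run_scenario())  # (True, False, True, False)
```

    A sender that keeps spamming from the same pooled address is simply re-blocked when its hits cross the threshold again, so the shorter lifetime costs little against a persistent abuser while limiting collateral damage to whoever inherits the address next.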

     


     

    © Copyright 2011 Trend Micro Inc. All rights reserved.