    Cory Aquino’s Death Used to Spread Another FAKEAV

    It has only been a few days since former Philippine president Corazon Aquino died of cardio-respiratory arrest last Saturday (August 1). Cybercriminals are already well on their way to using this event for their own selfish gains.

    Cybercriminals use popular and high interest events to further their cause—in this case, spreading fake antivirus software detected by Trend Micro as TROJ_FAKEALRT.FK.

    Trend Micro threat analyst Joseph Pacamarra found that searching for details on the former president’s death with the words “corazon aquino’s death” led users to the following malicious sites:

    • http://{BLOCKED}-gonzales.redxhost.com/corazon-aquino-death.html
    • http://{BLOCKED}sa.20x.cc/corazon-aquino-death.html
    • http://{BLOCKED}rank.0adz/corazon-aquino-death.html
    • http://{BLOCKED}-1.0adz.com/corazon-aquino-died.html

    The cybercriminals used the same .php page (1.php) to redirect users who click the links above. However, this page was hosted on different domains, possibly to avoid detection. The redirections from the above links eventually led to the download of a fake antivirus from the following sites:

    • http://{BLOCKED}-pro-antivirus-scan.com/download.php?id=2022
    • http://{BLOCKED}-pro-antivirus-scan.com/download/Install-6a1e7ce_2022.exe
    • http://{BLOCKED}-pro-antivirus-scan.com/download/Install-74f10_2022.exe
    • http://{BLOCKED}-pro-antivirus-scan.com/download/Install-6a75f_2022.exe
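
The redirect-then-download chain described above can be hunted for in web proxy logs. The following is an added detection sketch, not Trend Micro's code: the log format, client addresses and hostnames are constructed placeholders, and treating the trailing number (2022 in the URLs above) as a value shared across downloads is an assumption drawn only from the listed URLs.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed (client, URL) proxy-log sample; hosts are placeholders, not from the post.
SAMPLE_LOG = [
    ("10.0.0.5", "http://redir-one.example/1.php"),
    ("10.0.0.5", "http://scan-host.example/download.php?id=2022"),
    ("10.0.0.5", "http://scan-host.example/download/Install-6a1e7ce_2022.exe"),
    ("10.0.0.7", "http://redir-two.example/1.php"),
    ("10.0.0.7", "http://scan-host.example/download/Install-74f10_2022.exe"),
    ("10.0.0.9", "http://vendor.example/download/Install-setup.exe"),
    ("10.0.0.9", "http://intranet.example/1.php"),
]

# Installer path shape seen in the post: /download/Install-<hex>_<number>.exe
INSTALLER_RE = re.compile(r"^/download/Install-[0-9a-f]+_(\d+)\.exe$", re.I)

def classify(url):
    """Return ("redirector", None), ("download", number) or None."""
    parts = urlsplit(url)
    if parts.path == "/1.php":
        return ("redirector", None)
    if parts.path == "/download.php":
        ids = parse_qs(parts.query).get("id", [])
        return ("download", ids[0]) if ids and ids[0].isdigit() else None
    match = INSTALLER_RE.match(parts.path)
    return ("download", match.group(1)) if match else None

def find_chains(log):
    """Clients that hit a 1.php redirector, then a download URL on another host."""
    last_redirector, alerts = {}, []
    for client, url in log:
        kind = classify(url)
        if kind is None:
            continue
        host = urlsplit(url).hostname
        if kind[0] == "redirector":
            last_redirector[client] = host
        elif last_redirector.get(client) not in (None, host):
            alert = (client, last_redirector[client], host, kind[1])
            if alert not in alerts:          # one alert per chain, not per request
                alerts.append(alert)
    return alerts

def redirectors_by_number(alerts):
    """Group redirector hosts by the number their downloads share."""
    grouped = {}
    for _client, redirector, _download_host, number in alerts:
        grouped.setdefault(number, set()).add(redirector)
    return grouped
```

Grouping by the shared number shows different redirector domains converging on the same download host, which per-domain blocklisting alone would miss.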

    This is not the first time that news was used to launch blackhat SEO attacks:

    Users are advised to rely on legitimate and reputable news sites to avoid being infected. Trend Micro product users are advised to update to the latest CPR version 6.338.03 to stay protected.


    Updated on 05 August 2009 10:57 PM (UTC-7)

    After further analysis, the file corazon-aquino-died.html1, which may be downloaded from the sites mentioned earlier, is now detected as HTML_REDIR.ECT. This is consequently blocked by Trend Micro’s Smart Protection Network.


    Updated on 14 August 2009 12:45 AM (UTC-7)

    After a recent reanalysis of TROJ_FAKEALRT.FK, Trend Micro threat analyst Kathleen Notario discovered that the sample (“Personal Antivirus”) does not exhibit FAKEAV behaviors. It does not, for instance, display a FAKEAV graphical user interface (GUI), nor does it cause system modifications. It has been found to be missing a main installer component.

    However, the Trojan may access the following domains to download possibly malicious files or install other FAKEAVs:

    • http://{BLOCKED}ne-sachs.com
    • http://{BLOCKED}erbaseupdatesv2.com
    • http://{BLOCKED}twareupdatev2.com
    • http://{BLOCKED}ben.cn
    • http://{BLOCKED}-updatesv5.com








    7 Responses to “Cory Aquino’s Death Used to Spread Another FAKEAV”

    1. b,rivera Says:

      we love you President Cory Aquino
      your memories will remain to us…..

    2. Miray Lozada (Technical Communications) Says:

      Yes, she will always be remembered and loved.


    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice