Media reports have revealed the existence of fake blogs that were used to spread FAKEAV malware. The blogs do not actually contain any useful content. Instead, they have posts that contain nothing but images with post titles that use a wide variety of topics. The images used appear to have simply been taken from a Google Images search with the post title in question as the search term.

If a user visits the blogs in question by merely entering their URLs, they will see the harmless images. If they came from search engines such as Google, however, they will instead download a new FAKEAV variant, which is detected as TROJ_FAKEAV.FFGZ.

The JavaScript file that is used by the fake blogs is detected as JS_FRAUDLOAD.AP.  The domains or actual FAKEAV drop sites involved in this attack are already blocked by Trend Micro Smart Protection Network.