Seems like fake AV programs are still everywhere! Just a couple of weeks ago, Halloween costume searchers were targeted by these nasty programs through SEO poisoning. Now I’ve just encountered 2 scenarios resulting to rogue AV downloads, also done through hijacking Google search results:

In the first scenario, queries for the string refa+zeitaufnahmebogen on the German Google website (www.google.de) yield suspicious results:

Figure 1. Search results for refa+zeitaufnahmebogen

The first result on the query is the URL with the page title “Folie 0.” However, clicking the associated link connects the user to the following rogue AV website that we have all grown so familiar of:

Figure 2. Rogue AV website displaying fake infection results

The string refa+zeitaufnahmebogen is related to a German association for work design.

Using Wireshark, I’ve found that this was achieved through a redirection to yet another URL entirely.

The rogue AV file is already detected through the Trend Micro Smart Protection Network as TROJ_FAKEAV.WP.

While the first scenario is more of a targeted attack, this next one proves to aim at a wider range of victims, and timely as well considering the US elections.

Malicious results were also found generated from queries for the string absentee voting:

Figure 3. Queries for “absentee voting” show malicious results

And of course, this is another work of the FakeAV gang. Clicking the result triggers a series of redirections; however the payload, or the fake AV itself, is not there anymore. The downloaded file has the same name, and is also already detected as TROJ_FAKEAV.WP.

Apparently malicious Rogue AV is not dying out just yet.

If you're new here, you may want to subscribe to our RSS feed. Thanks for visiting!