Looks can be deceiving, and malware authors are relying on that old adage to lure potential victims into their most recent scheme. The plan? Dress up as a spyware removal tool, use a great-looking site, complete with blogs, news and product lineup, dazzle the user with plausible reviews, and encourage them to click through.

The site hxxp://removal-tool.com manages to do all that:

Anyway, who’d suspect that a professional-looking anti-spyware site will give them just the opposite of what they’re looking for — and even more? With most of the pages hosting malicious iFrames, here’s a list of what could be lurking in your system after a visit to their site:

• HTML_IFRAME.IY
• VBS_PSYME.BCC
• EXPL_EXECOD.A
• HTML_SHELLCOD.AE
• JS_AGENT.AXX
• HTML_DLOADER.XCZ
• WORM_DISKGEN.AF
• HTML_SHELLCOD.AZ
• HTML_SHELLCOD.AW
• JS_REALPLAY.AA
• PE_PAGIPEF.AP-O
• TROJ_AGENT.DDG
• TROJ_PAGIPEF.AP

The use of legitimate-looking Web sites is a regular (yet undoubtedly still very effective) tactic in disseminating Web threats, mainly used to fool users into downloading fake codecs (see here and here), though security applications have also been reported in the past. Any Web-savvy developer knows that professional design and robust content attract customers, and is most likely to earn their trust to initiate one more click.

Sadly, even those with malicious intent abide by this rule, and most users can hardly tell a good site from a bad one. Luckily, Trend Micro has the ability to block these possibly malicious URLs, just in case a site’s “beauty” turns out to be only skin deep.

Technical information and screenshot provided by Research Project Manager Ivan Macalintal