
    Author Archive - Jessa De La Torre (Threat Response Engineer)




    As Filipinos and Puerto Ricans were busy rooting for their champions in yesterday’s fight, so were cybercriminals who wished to capitalize on the match. Through SEO poisoning, users searching for a live stream of the Pacquiao vs Cotto fight were instead served a FAKEAV variant.


    According to Threat Response Engineer Jasper Manuel, search results led to the download of TROJ_FAKEAV.MAN. Clicking the link displays the following image:


    Users who are interested in watching Pacquiao’s upcoming fights (i.e., with Mayweather) are advised to stay away from suspicious-looking links. Trend Micro Smart Protection Network™ blocks user access to the malicious URLs and detects the said FAKEAV.




    When BREDOLAB entered the threat landscape several months ago, it was initially regarded as a common downloader, that is, malware whose only purpose is to fetch and run other executable files. However, Trend Micro researchers noticed a sudden increase in its activity in August 2009. This pushed our researchers to delve deeper into the inner workings and behavior of BREDOLAB.

    Our analysis then uncovered BREDOLAB’s connections to two notorious malware families, FAKEAV and ZBOT/ZeuS. The samples we analyzed always included both families in their download repertoire. These families, which focus mainly on information and financial theft, have thus added BREDOLAB to their already long list of carriers.

    BREDOLAB’s downloading routine also exhibited similarities with that of another well-known botnet, PUSHDO. This led our threat researchers to believe that the cybercriminals behind PUSHDO and BREDOLAB are the same.

    Trend Micro’s Senior Threat Researcher David Sancho has written an in-depth analysis on this new threat. Read it here: You Scratch My Back…BREDOLAB’s Sudden Rise in Prominence.




    Brazilian banks are once again in the hotseat as a banking Trojan emerges with a new technique. This time, the cybercriminals targeting these banks are using GMER, a popular anti-rootkit application. Trend Micro detects this banking Trojan as TROJ_DLOAD.BB. Upon execution, this Trojan downloads a legitimate copy of GMER and a malicious rootkit component detected as TROJ_DAMMI.AB.

    TROJ_DLOAD.BB creates a batch file that terminates the processes related to G-Buster Browser Defense (GBPlugin), a security program used by many Brazilian banks to protect customers against information theft and to safeguard their privacy during online transactions. Without this application, the information relayed in these transactions may be exposed to malicious users and later used for fraudulent activities.


    Using GMER’s -killfile option, the batch file created by TROJ_DLOAD.BB terminates GBPlugin and its components. TROJ_DAMMI.AB then runs as a rootkit and service to make sure that any new instance of GBPlugin is terminated as well.

    Trend Micro protects users via its Trend Micro Smart Protection Network that already blocks the download URLs and detects the related malicious files. Non-Trend Micro users can use HouseCall, Trend Micro’s free scanner for identifying and removing malware.

    Update as of 20 October 2009, 17:00

    Aviv Raff, one of our partners from RSA, confirmed that cybercriminals use this kind of approach in their malicious routines. He stated that GMER is not the only malware removal tool utilized by cybercriminals. Another tool, called The Avenger, has been used to terminate GBPlugin. The Avenger is the work of a security researcher who uses the alias Swandog46. As his website states, The Avenger is a powerful program, which makes it easy to imagine the tool being misused. And true enough, the cybercriminals did.
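    As an added defender-side example (not part of the post or of any Trend Micro product), the following Python flags process-creation events in which GMER is launched from a batch script via cmd.exe or in which its -killfile switch points at a security product's files. The event fields, file paths and the protected directory are constructed assumptions, and GMER's -killfile switch is assumed to take a single file path.

```python
import shlex

# Constructed process-creation events (Sysmon Event ID 1-style fields), not taken
# from the post: a benign interactive GMER run, the abuse pattern in which a batch
# script launches GMER with -killfile against a banking-protection plugin, and the
# batch launcher itself.
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\gmer.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Tools\gmer.exe"'},
    {"Image": r"C:\Users\Public\gmer.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'gmer.exe -killfile "C:\Program Files\BankPlugin\gbp.dll"'},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Users\Public\dload.exe",
     "CommandLine": r"cmd.exe /c kill_plugin.bat"},
]

# Hypothetical install directory of the security product being protected.
PROTECTED_DIRS = (r"c:\program files\bankplugin",)

def killfile_targets(cmdline):
    """Return the file paths passed to GMER's -killfile switch (assumed syntax:
    one path per switch), or an empty list when the switch is absent."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # keep Windows backslashes intact
    except ValueError:
        return []
    return [tokens[i + 1].strip('"') for i, tok in enumerate(tokens[:-1])
            if tok.lower() == "-killfile"]

def detect_killfile_abuse(events, protected_dirs=PROTECTED_DIRS):
    """Flag GMER -killfile invocations that are scripted (parent is cmd.exe) or
    that target files under a protected security product's directory."""
    alerts = []
    for ev in events:
        if not ev["Image"].lower().endswith("\\gmer.exe"):
            continue
        scripted = ev["ParentImage"].lower().endswith("\\cmd.exe")
        for target in killfile_targets(ev["CommandLine"]):
            hits_product = target.lower().startswith(protected_dirs)
            if scripted or hits_product:
                alerts.append({"target": target, "parent": ev["ParentImage"],
                               "scripted": scripted, "hits_product": hits_product})
    return alerts

if __name__ == "__main__":
    for alert in detect_killfile_abuse(SAMPLE_EVENTS):
        print(alert)
```

    Extending the check to other removal tools, such as The Avenger mentioned above, requires each tool's own command-line signature, which this example does not include.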




    Cybercriminals leveraged tropical storm Ondoy (international name: Ketsana), which hit the Philippines and killed around 140 people. Senior Threat Analyst Joseph Pacamarra found several malicious sites that appeared whenever users searched for strings such as “manila flood,” “Ondoy Typhoon,” and “Philippines Flood,” among others. The said sites emerged among the top search results.

    Once users click the URL, they are redirected through several landing pages where they are asked to download an EXE file, soft_207.exe. Trend Micro detects it as TROJ_FAKEAV.BND. This attack performs GeoIP checks, which means it only targets specific regions or locations (one of the landing sites is hxxp://{BLOCKED}uterbestscan11.com/scan1/geoip.php).

    Figure 1. Screenshot of the malicious search result
    Figure 2. The EXE file that users need to download

    “Cybercriminals heartlessly exploited the calamity that unfolded in the Philippines. They rigged multiple URLs related to this news to point unknowing users to FAKEAV. Such SEO poisoning campaigns attract users all over the Web especially those who are trying to get information about their loved ones and fellow countrymen in the Philippines,” Pacamarra said.

    Although riding on tragic events is not exactly new, what is notable is that this attack once again employed blackhat SEO to lead users to FAKEAV, as we had previously discussed here.

    Users are advised to be wary of clicking any URLs. Trend Micro protects users from this attack via its Trend Micro Smart Protection Network, which blocks all the URLs involved and detects the said FAKEAV.




    Trend Micro researchers were alerted to blackhat SEO campaigns that led to FAKEAV, or rogue antivirus. The cybercriminals behind these attacks hitchhiked on high-profile news like the recent death of Patrick Swayze, Kanye West’s infamous interruption at the MTV VMA awards, and the death of Yale student Annie Le.

    Upon further analysis, our researchers discovered that the poisoned keywords are not only limited to recent events. According to Advanced Threats Researcher Joey Costoya, there are many hijacked search items that point to FAKEAV.

    Here are some of the search terms:

    • Act Registration
    • Alan Thicke
    • Archer FX
    • Archer Fx
    • Beaches Movie
    • Cbs Survivor
    • Community Imdb
    • Community Nbc
    • Community Show
    • Community Tv
    • Delta Smelt
    • Dina Meyer
    • Divas Live 2009
    • Ernie Anastos
    • Fx Network
    • Gillian Jacobs
    • Grandma S Boy
    • Huron Ca
    • Huron California
    • Janet Napolitano
    • Joel Mchale
    • Kanye West Interruption Video
    • Katherine Heigl Baby
    • Melinda Loveless
    • My Date With The President S Daughter
    • Polwizjer
    • Ralphie May
    • Russell Hantz Oil Company
    • San Joaquin Valley
    • Sniffish
    • Starship Troopers
    • The Gang Exploits The Mortgage Crisis
    • The Office Gossip
    • The Valley Hope Forgot
    • Volkswagen L1 Concept

    These search strings may have been taken from Google Trends, which shows the top searches people make on Google. The hijacked search strings are then linked to sites that serve FAKEAV.

    In addition, the cybercriminals behind such attacks are doing GeoIP checks. If the user has a US IP address, the FAKEAV site is served; otherwise, accessing the URL returns an HTTP 404 page. Our advice to users in the US, who are clearly singled out as the targets of these attacks: be extra careful!

    SEO poisoning is becoming the main delivery mechanism for rogue antivirus applications. It often rides on current events, as we had blogged before in the following posts:

    Users are advised to be cautious in their Web searches and to visit credible websites only. Trend Micro already blocks and detects all malicious URLs through its Trend Micro Smart Protection Network.
