    Author Archive - Norman Ingal (Threat Response Engineer)

    Earlier today, we found that the website of the Amsterdam-based record label Kaiserlabel was compromised and used as a FAKEAV doorway.

    The compromised page (shown in Figure 2) was injected with a search engine optimization (SEO) kit leveraging certain topics. In addition, we also found spamdexed content that was specifically prepared for the upcoming Black Friday holiday event in the United States.

    Figure 3 below shows the search keywords used in the compromised page.

    Visiting the compromised site leads users to redirection chains similar to previous attacks. We detect the malicious files as TROJ_FAKEAV.SMVK. In addition, the websites that are part of the redirection chain have been blocked. Trend Micro proactively sources and detects these new threats every day, helping protect our product users.


    Recent reports noted the spread of malware targeting multiple computing platforms. In a recent incident, Macs appear to have been specifically hit with a new variant of the KOOBFACE worm family. (KOOBFACE is a notorious family of malware that primarily spreads via social networking sites like Facebook.)

    However, these particular incidents are not actually isolated attacks. Rather, these only form the tip of the iceberg of several attacks involving compromised and malicious sites. Cybercriminals are increasingly making browser and OS detection part of their standard attacks.

    The malicious sites, payloads, and redirection chains change on a daily basis. Let’s look at one of the malicious sites we recently saw:

    The code itself is reasonably simple—it sends users to various malicious sites that vary, depending on what browsers and OSs they run. In this particular attack, Internet Explorer and Firefox users received FAKEAV variants similar to those seen in earlier attacks, as documented in “FAKEAV Update: Java Vulnerabilities and Improved Fake Alerts.”

    Mac and Linux users were sent to the RSS feed of a site scraper. This site appears to periodically capture high-ranking keywords from Google Trends and use one of these keywords as the subject of a new blog post. The “post” contains, among others, high-ranking items from a Google Images search using the captured keywords. It’s possible that the site in question has been “parked” while malware is not being delivered.

    Users who didn’t fall into any of these categories proceed along “standard” FAKEAV redirection chains.

    While this particular attack involved only FAKEAV, the particular sites used change on a daily basis. Thus, other malware may be served just as easily to other users. This same technique was used to spread KOOBFACE to Mac users last week. We have also seen it used to deliver other malware families such as:

    • TDSS
    • ZBOT

    While the vast majority of attacks delivered this way still use FAKEAV, the fact that malware families that are part of the traditional botnet business model have picked up these “customized” malware attacks is troubling and points to widespread exploitation down the road.

    Users have to be cautious, as these “customized” attacks mean that malicious sites are likely to resemble legitimate ones more closely. Distinguishing legitimate pages from malicious ones by eye will be a challenge. Web blocking will become more important for protecting users, as customized malware attacks allow even more malicious files to be used in these attacks. This emerging trend in Web threats is one that we will be on the lookout for to help protect users against this latest development.


    There have been recent talks within the security industry about the increasing use of Java vulnerabilities by attackers. Last week, security blogger Brian Krebs noted how Java was being used by exploit packs. Earlier this week, Microsoft also reported what they called an “unprecedented wave” of Java exploits.

    This is something we’ve been seeing as well. FAKEAV doorway pages (a concept previously discussed in “Doorway Pages and Other FAKEAV Stealth Tactics”) are increasingly using Java vulnerabilities. In cases where these vulnerabilities cannot be exploited, PDF exploits are used instead. We detect the said Java and PDF exploits as JAVA_LOADER.HLL and TROJ_PIDIEF.HLL respectively.

    Two vulnerabilities we have seen heavily exploited in particular in this manner are:

    Given how widespread the FAKEAV problem is, it shouldn’t be a surprise that it’s showing up on everyone’s radar. If a significant percentage of FAKEAV pages start using Java vulnerabilities, given how many FAKEAV pages there are, it will not go unnoticed.

    This isn’t the only way FAKEAV has recently evolved, however. While browser-specific payloads and pages are not new, the pages being served up are more polished than before. Here are samples of two browser-specific pages we saw—one is for Internet Explorer while the other is for Firefox.

    Both pages very closely mimic the actual interfaces of the aforementioned browsers. In Firefox’s case, not only did they mimic Mozilla’s site design, they also detected which browser version runs on a particular system. This kind of very specific and well-polished behavior can easily lead users to believe that the alerts they see are legitimate.

    As for the fake virus alerts themselves, we’ve seen two developments. Online FAKEAV variants are now very heavily obfuscating their code as well as using AES in order to encrypt their code. Meanwhile, local FAKEAV variants now use audio alerts as part of their behavior. Though the main interface has not really changed, a new “pill” icon has been seen in use.

    Taken together, all of this indicates that those behind rogue antivirus software propagation are still honing their techniques even if they’ve somewhat fallen out of the limelight. Trend Micro continuously works to protect users from these threats using the capabilities of the Smart Protection Network™.

    Update as of October 20, 2010, 8:26 AM (UTC – 7)
    Our continuous monitoring of FAKEAV-related doorway pages reveals that the malicious URLs that hosted these payloads (the Java and PDF exploits) use either the Seo Sploit Pack or the Phoenix Exploit Pack. Furthermore, the actual payload is not hosted on the doorway pages.

    The final malicious URL is the result of a series of redirections that use the doorway pages as their starting point. These redirections change frequently, so determining where the next payload URL will be located is a challenging task.


    Using search engines and watching videos are two of the top Internet activities that users do on a daily basis. In the threat landscape, this usually translates to threats such as blackhat SEO attacks, malicious pages crafted to look like YouTube pages, and, as we recently found out, attacks that use both blackhat SEO and malicious YouTube-like pages.

    In the recent attack that we saw, query results for strings such as videos of reality TV celebrity Teresa Giudice, British actress Holly Davidson, and the BP oil spill were found to initially lead to YouTube-like pages before displaying the all-too-familiar fake malware infection warnings.

    The results are most likely to be compromised sites, all injected with search keywords that will lure users into visiting them.


    Another change that we’ve seen is yet another combination of blackhat SEO and a well-known malware technique. Search results for the string “Mel Gibson tapes” were found redirecting not to pages with fake malware infection warnings, but to a prompt to download an Adobe Flash Player installer:

    The said page may trick the user into thinking that the link that they’ve clicked leads to a video, and that they need to install Adobe Flash Player to view it. According to Threat Response Engineer Marco Dela Vega, who also analyzed this threat, the cybercriminals behind this attack have a keen eye for detail; not only did they use a convincing interface for the fake Adobe installer, they also used a URL that strongly suggests that it is an Adobe-related site.

    This is a very notable change, since blackhat SEO attacks have been known to bring about FAKEAV variants specifically.

    These changes are just a few that we’ve seen. Blackhat SEO attacks no longer just ride on the popularity of big news, as they did before. SEO poisoning attacks are being deployed every day, tainting searches and bringing forth malware.

    For the above-mentioned attacks, the related malware are detected as TROJ_FAKEAV.MVA and WORM_UTOTI.Y respectively.

    Our researchers and engineers have been continuously investigating these attacks and released several reports on their findings:

    With the continuing rampancy of blackhat SEO attacks, users are advised to be extremely cautious when conducting searches.

    Trend Micro™ Smart Protection Network™ provides multilayered protection for users when it comes to blackhat SEO attacks, as malicious links and files are blocked and detected by the Web and file reputation services, respectively.

    Update as of July 15, 2010, 10:09 a.m. (UTC)

    WORM_UTOTI.Y has been renamed to TROJ_MONDER.RON.

    Update as of July 16, 2010, 11:01 a.m. by Ryan Flores, Advanced Threats Researcher

    From what it looks like, the fake YouTube page redirecting to a FAKEAV page is just a transition period for cybercriminals, from pushing FAKEAV to pushing Trojan downloaders.

    This time, however, though the cybercriminals used a similar ploy described by Norman above, users were not redirected several times but instead asked to download a codec to watch a supposed video:

    The series of redirections ends in a fake online video sharing website (not necessarily a YouTube lookalike), which then attempts to trick the user into downloading and executing a video player (detected by Trend Micro as TROJ_MONDER.AEM).


    Cybercriminals employ different but complementary techniques when it comes to propagating FAKEAV. Ultimately, however, their goal is to entice users to click malicious links that lead to the download of different FAKEAV variants.

    TrendLabs℠ observed that cybercriminals typically employed blackhat search engine optimization (SEO) to create poisoned pages that serve as doorways for FAKEAV distribution. These doorway pages, which primarily redirect unknowing users, are cross-linked with other doorway pages and well-known legitimate sites. This technique allows malicious pages to appear as top search results.

    To further entice users to click malicious links, these doorway pages also contain content copied from various other websites. Cybercriminals also leverage trending topics, which can easily be found in Google Trends or through Twitter’s search page. These doorway pages often use the following format in search results:

    FAKEAV URL pattern

    Doorway pages are frequently hosted on individual websites or on compromised Web hosting providers’ sites. Clicking a malicious link redirects users several times until they reach a fake scanning page. These redirections help hide the actual URLs of the final landing pages and of the pages hosting the fake scanning results.

    More than simple redirections, however, cybercriminals also use other techniques to redirect users to malicious pages. These include a combination of the following stealth tactics:

    • Geo-targeting or IP delivery, which uses a user’s IP address to determine his/her geographic location and to deliver different content specific to that location.
    • Blog scraping, which refers to regularly scanning blogs to search for and copy content using automated software.
    • Referer page-checking, which ensures that only users arriving via search engines are included in the infection chain and prevents security analysts or system administrators from seeing anything malicious when they arrive via direct access to a doorway page.
    • User-agent filtering, which refers to distinguishing between browsers to enable the OS-specific download of payloads.
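
    The browser/OS detection in the redirection chain described earlier and the referer and User-Agent checks listed above can be verified from the analyst’s side by fetching a suspect page under several header profiles and comparing what comes back. The following is an added example, not Trend Micro’s code; the header strings, sample bodies and `.example` hosts are constructed.

```python
import hashlib
import re

USER_AGENTS = {  # constructed browser profiles of the kind doorway pages discriminate on
    "ie": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
    "firefox": "Mozilla/5.0 (Windows NT 6.1; rv:3.6.10) Gecko/20100914 Firefox/3.6.10",
    "mac": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_4) AppleWebKit/533.18.1 Safari/533.18.5",
}
REFERERS = {"search": "http://www.google.com/search?q=black+friday+deals", "direct": None}
REDIRECT_RE = [  # client-side redirect forms seen in doorway pages; group 1 is the target
    re.compile(r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*url\s*=\s*["\']?([^"\'>\s;]+)', re.I),
    re.compile(r'(?:window|document|top|self)\.location(?:\.href)?\s*=\s*["\']([^"\']+)', re.I),
    re.compile(r'location\.replace\(\s*["\']([^"\']+)', re.I),
]

def probe_profiles():
    """Yield ((ua, referer), headers) for each combination to fetch the suspect URL with."""
    for ua, ua_str in USER_AGENTS.items():
        for ref, ref_str in REFERERS.items():
            yield (ua, ref), {"User-Agent": ua_str, **({"Referer": ref_str} if ref_str else {})}

def response_signature(body):
    """Reduce a response body to ('redirect', target) or ('page', content hash)."""
    for pattern in REDIRECT_RE:
        if match := pattern.search(body):
            return ("redirect", match.group(1))
    return ("page", hashlib.sha256(body.encode()).hexdigest()[:12])

def detect_cloaking(responses):
    """responses maps (ua, referer) labels to bodies; returns the cloaking findings."""
    sigs = {key: response_signature(body) for key, body in responses.items()}
    findings = []
    for ua in USER_AGENTS:
        via_search, direct = sigs.get((ua, "search")), sigs.get((ua, "direct"))
        # Referer cloaking: the same browser sees a different page when it arrives from a search.
        if via_search and direct and via_search != direct:
            findings.append(f"referer-cloaking:{ua}")
    # User-agent cloaking: search-referred visitors are routed differently by browser/OS.
    if len({sigs[(ua, "search")] for ua in USER_AGENTS if (ua, "search") in sigs}) > 1:
        findings.append("ua-cloaking")
    return findings

# Constructed bodies standing in for what an HTTP client would fetch with probe_profiles().
BENIGN = "<html><body><h1>Label news</h1><p>New releases this month.</p></body></html>"
SAMPLE = {
    ("ie", "search"): '<script>window.location="http://scan.example/ie/index.php";</script>',
    ("firefox", "search"): '<script>window.location="http://scan.example/ff/index.php";</script>',
    ("mac", "search"): '<meta http-equiv="refresh" content="0;url=http://scraper.example/feed/rss">',
    ("ie", "direct"): BENIGN, ("firefox", "direct"): BENIGN, ("mac", "direct"): BENIGN,
}
```

    In practice an HTTP client fetches the URL once per profile from probe_profiles() and hands the bodies to detect_cloaking(); the "direct" fetch is the view a site owner or analyst normally gets, which is exactly why it looks clean.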

    After successfully employing any of these techniques, cybercriminals then lead users to a page hosting a bogus message prompt. These messages urge users to check the fake scanning results, which have been designed to scare them into purchasing the fake antivirus program.

    Through these techniques, FAKEAV has become a recurrent theme in the threat landscape, as evidenced by another FAKEAV variant detected as TROJ_FAKEAV.QIEA. Trend Micro engineer Roland de la Paz notes that this new variant employs the same blackhat search engine optimization (SEO) technique that leverages man’s innate curiosity. As long as users turn to search engines like Google, Yahoo!, and Bing for more information, we can expect cybercriminals to carry on with their effective modus operandi.

    Trend Micro product users need not worry, however, as Smart Protection Network™ already protects them from FAKEAV-related attacks by preventing access to malicious sites and domains via the Web reputation service. It also blocks the download and execution of related malicious files like TROJ_FAKEAV.QIEA on users’ systems.
