    TrendLabs Security Intelligence Blog

    Author Archive - Norman Ingal (Threat Response Engineer)




    News of a performing killer whale allegedly killing its trainer made the headlines this week. Dawn Brancheau, an animal trainer in SeaWorld Florida, was attacked by one of the trained killer whales last Wednesday. This sad event, unfortunately, paved the way for cybercriminals to distribute another FAKEAV variant.

    With the usual blackhat search engine optimization (SEO) techniques, sites hosting the FAKEAV variant immediately topped search engine results. Users who try to find news on the said incident are led to poisoned results instead. Trend Micro detected the malware as TROJ_FAKEVIME.CJ.


    Clicking the malicious search result above redirects users several times until they see the following message:


    Clicking the OK button displays the results of a fake scan with a list of malware that has supposedly infected the system. This prompts users to follow the instructions to remove the said malicious files. However, instead of actually removing them, users download a malicious file, www1.to_stopthevir_onmypc.in (aka TROJ_FAKEVIME.CJ), onto their systems.


    This Trojan modifies affected systems’ HOSTS files, preventing users from accessing specific websites. It also adds certain strings to Windows HOSTS files, which, in turn, redirect users to other possibly malicious sites.
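A HOSTS file can be audited for both behaviors described above: names sinkholed to a loopback or null address (blocked sites) and names pinned to some other address (redirects). The following is an added example, not Trend Micro's code; the sample entries, the `audit_hosts` name and the list of default names are assumptions made for illustration.

```python
import ipaddress

# Names that normally map to loopback in an untouched HOSTS file (assumed list).
DEFAULT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                 "ip6-localhost", "ip6-loopback"}

# Constructed sample; addresses and names are documentation/test values.
SAMPLE_HOSTS = """\
# Constructed sample, not taken from an infected machine
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.av-vendor.example    # security site sinkholed
0.0.0.0         www.av-vendor.example
203.0.113.10    search.example www.search.example
"""

def audit_hosts(text):
    """Return (line_no, kind, name, address) for every non-default entry.

    kind is 'blocked' when the name resolves to loopback or 0.0.0.0,
    'redirected' when it is pinned to any other address, and
    'malformed' when the first field is not an IP address.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((lineno, "malformed", " ".join(fields[1:]), fields[0]))
            continue
        sinkhole = addr.is_loopback or addr.is_unspecified
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in DEFAULT_NAMES:
                continue
            kind = "blocked" if sinkhole else "redirected"
            findings.append((lineno, kind, name, str(addr)))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On Windows the file to read is `%SystemRoot%\System32\drivers\etc\hosts`. Entries flagged here still need comparison against a known-good baseline, since administrators sometimes add HOSTS entries deliberately.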

    TROJ_FAKEVIME.CJ, like its predecessors, also shows spoofed warning messages to convince users to avail of a fake antivirus. To learn more about this, you can check out Trend Micro’s findings on predictably unpredictable FAKEAVs.

    Using tragedies, calamities, and other newsworthy incidents to propagate FAKEAV variants is no longer new. Trend Micro has blogged about similar events such as the recent plane crash in Austin, Texas.

    Trend Micro™ Smart Protection Network™ protects customers from this and similar threats by blocking user access to all related malicious sites via the Web reputation service. It also detects and prevents the download of malicious files such as TROJ_FAKEVIME.CJ via the file reputation service.

    Non-Trend Micro product users can also stay protected from such threats via free tools like Web Protection Add-On, which prevents user access to potentially malicious websites.

     


     
