Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    Author Archive - Sheryll Tiauzon (Advanced Threats Researcher)

    It seems that cybercriminals use every bit of news or information worthy of public interest to spread FAKEAV malware. This time around, FAKEAV binaries are being delivered via news about the recently concluded “2010 Kids’ Choice Awards.” The following keywords lead to poisoned Google search results (see Figure 1):

    • Kids Choice Awards 2010 Live
    • Kids Choice Awards 2010 Air Date
    • Kids Choice Awards 2010 Date
    • Kids Choice Awards 2010 Logo
    • Kids Choice Awards 2010 Performances
    • Kids Choice Awards 2010 Performers
    • Kids Choice Awards 2010 Vote
    • Kids Choice Awards 2010 Sweepstakes
    Click for larger image

    Clicking poisoned links leads users to a fake antivirus alert asking them if they want to protect their systems (see Figure 2).

    Click for larger image

    Users who choose the “recommended” option are then prompted to download the actual FAKEAV executable file detected by Trend Micro as TROJ_FRAUDLO.IA (see Figure 3).

    Click for larger image

    TrendLabs advises users to be extremely careful, as this particular blackhat search engine optimization (SEO) attack targets younger audiences. Younger users are more likely to believe fake antivirus warnings are real, increasing risks of infection. This is not the only attack targeting sites that may be visited by younger users, however. As the website of the talent show, If I Can Dream,” was recently defaced although no malicious payloads were seen in the said attack.

    Trend Micro product users are protected by Smart Protection Network™, which prevents the download of the malicious files onto systems via the Web and file reputation services.


    For cybercriminals, another celebrity’s death means a new life for their scams. Earlier today, we discovered new FAKEAV variants that take advantage of the death of the former Canadian teen idol, Corey Haim.

    Using blackhat search engine optimization (SEO) techniques, a simple Google search for news on Corey Haim’s funeral gives out malicious links in the top search results, which redirect users to sites that eventually lead to the download of a FAKEAV.

    Click for larger view

    A fake scan page convinces users that their computers were affected by several harmful files and that they should download and install the fake antivirus application.

    Click for larger view Click for larger view

    Trend Micro detects the downloaded file as TROJ_FAKEAV.DBB. After installation, the program loads a scan page with fake scan results and offers to remove the harmful files from the users’ machines.

    Click for larger view Click for larger view

    There is, of course, a slight catch since the product requires activation. We advise users to be wary of such tactics since they may unwillingly divulge sensitive information. In this case, the attackers ask for credit card information.

    Click for larger view Click for larger view

    Trend Micro™ Smart Protection Network™ protects customers from this threat by blocking user access to the malicious websites that host the malicious FAKEAV file. It also detects and prevents the download of TROJ_FAKEAV.DBB via the file reputation service.


    It seems that fans around the world are not the only ones who are hooked on the Oscars. Just a day after this year’s Academy Awards, Trend Micro threat researchers found FAKEAV variants topbilling the search pages.

    Click for larger view

    This time around, users searching for news on the Oscars fell prey to the latest blackhat search engine optimization (SEO) attack that uses the search terms “oscar winners 2010 live.” Almost 80 percent of the results on the first page alone leads to the download of a FAKEAV binary detected by Trend Micro as TROJ_FAKEAV.ZZH.

    Click for larger view Click for larger view

    The said variant has been observed to connect to a remote website to send and receive information. It is also able to download other malware, including Mal_Xed-22 and TROJ_VUNDO.SMAT.

    With the continued proliferation of blackhat SEO attacks leading to FAKEAV, it is apparent that cybercriminals intend to continue riding on top Web searches. Users are thus reminded to exercise extreme caution when visiting sites, especially with the Oscar fever still running high.

    Trend Micro™ Smart Protection Network™ protects customers from this and similar threats by blocking user access to all related malicious sites via the Web reputation service. It also detects and prevents the download of TROJ_FAKEAV.ZZH, Mal_Xed-22, and TROJ_VUNDO.SMAT via the file reputation service.

    Non-Trend Micro product users can also stay protected from such threats via free tools like Web Protection Add-On, which prevents user access to potential malicious websites.


    I’m pretty sure most, if not all, of us have already heard about the phenomenal pay-to-play MMORPG called “World of Warcraft”. With over 8 million subscribers worldwide and more than 2 million in just the United states alone. Well, upon seeing these numbers it wouldn’t be a surprise to learn that Malware authors have taken advantage of the games popularity to spread some other malware cheer.

    Just recently another set of websites have been found to contain variants of TSPY_WOW and TROJ_ANICMOO.AX. TSPY_WOW variants are basically known to monitor users internet browsing activities as well as steal information related to the online game World of Warcraft such as usernames and passwords.

    Users should be wary of the sites they visit as they may often look like the official WOW site. Below is a list of domains that were recently verified to host malicious files:



    Over the weekend, we intercepted one particularly typical sample via our honeypots. The file we received was a Rich Text Format (RTF) document. Nothing new you might think and upon initial inspection nothing seemed out of the ordinary. However, further analysis of the file revealed that it actually contained a malicious executable file embedded within the document itslef.

    Trend Micro already detects this as TROJ_ARTIEF.A

    Upon execution of the said file, it drops an HTML component in the Windows TEMP folder. The HTML file is then injected into the process IEXPLORE.EXE so that it is opened in a hidden Internet Explorer window each time the user runs IE.

    It also downloads a file from:


    and saves it to your Windows TEMP folder using the filename UPDATE.EXE. As is uses the Adobe PDF icon, it tricks the user into thinking it is a non-malicious file. It even displays the following error message as part of its ploy.


    Below is a screenshot of the email containing the said attachment:




    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice