Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Cybercriminals take the low road once again as they pepper the Internet with blackhat SEO links that are likely to attract users searching for news about the death of Charlie’s Angels star Farrah Fawcett, who, at age 62, finally ended a long struggle with cancer.

    Figure 1. Blackhat SEO links for Farrah Fawcett searches sets in

    Hosted on is-the-boss domains (last seen in the H1N1 blackhat SEO attack), the links that come up in search results redirect to other URLs that eventually land on all-too-familiar territory: a rogue antivirus download.

    In one specific infection chain traced by Research Manager Ivan Macalintal, the initial link redirects to another URL in the same domain, and then redirects another URL that has referrer checks before unfolding its contents. This is an evasion technique used by cybercriminals to avoid analysis by security researchers or being crawled (and rated) by search engines.

    Once the requester is cleared, the URL redirects to two more URLs before finally landing on a download page (within a certain thesecuritytools domain–now blocked by Trend Micro). The page downloads install.exe, which is a rogue antivirus detected as TROJ_FAKEAV.BBM.

    As this report is being written our engineers are analyzing the behavior of this malware. Trend Micro Smart Protection Network already blocks malicious URLs related to this attack.

    Not long after news of Farrah Fawcett’s passing hit mainstream news, singer/entertainer Michael Jackson likewise meets an untimely death. Users are advised to exercise extreme caution in searching for related news and information surrounding the deaths of these celebrities.

    One of the more famous blackhat SEO manipulation attack we have documented thus far include the attack that happened shortly after Heath Ledger’s death.

    Update (2:30 am (UTC-7)): TROJ_FAKEAV.BBM behaves fairly similarly to other rogue antivirus we’ve seen to date. Here’s a screenshot of its “scanning window”:

    TROJ_FAKEAV.BBM window
    Figure 2. The rogue antivirus program’s window

    Users who have the misfortune of coming across “System Security Antivirus” are advised to run their legitimate antivirus if this makes an appearance on their system.

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice