
It seems fake AV programs are still everywhere! Just a couple of weeks ago, Halloween costume searchers were targeted by these nasty programs through SEO poisoning. Now I've just encountered two scenarios resulting in rogue AV downloads, also done through hijacking Google search results.

In the first scenario, queries for the string refa+zeitaufnahmebogen on the German Google website yield suspicious results:

Figure 1. Search results for refa+zeitaufnahmebogen

The first result for the query is a URL with the page title "Folie 0." However, clicking the associated link connects the user to the following rogue AV website, with which we have all grown so familiar:

Figure 2. Rogue AV website displaying fake infection results

The string refa+zeitaufnahmebogen is related to a German association for work design.

Using Wireshark, I found that this was achieved through a redirection to yet another URL entirely: the page behind the search result does not host the rogue AV itself but sends the visitor on to the site that does.

The rogue AV file is already detected through the Trend Micro Smart Protection Network as TROJ_FAKEAV.WP.

While the first scenario is more of a targeted attack, this next one aims at a wider range of victims and is timely as well, considering the US elections.

Malicious results were also generated by queries for the string absentee voting:

Figure 3. Queries for "absentee voting" show malicious results

And of course, this is another work of the FakeAV gang. Clicking the result triggers a series of redirections; however, the payload, the fake AV itself, is no longer at the end of the chain. The file that was downloaded has the same name as in the first scenario and is also already detected as TROJ_FAKEAV.WP.
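In both scenarios the path from the search result to the rogue AV page was followed by hand in a packet capture. As an added example that is not from the original post, the Python tracer below reproduces that triage offline against constructed HTTP responses: it follows 3xx Location headers and meta-refresh hops, stops on loops or a hop limit, and flags a result whose landing host differs from the host the search result pointed at. All hostnames and paths are constructed placeholders.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for what a capture of the click-through shows:
# URL -> (status, headers, body). None of these hosts are real.
RESPONSES = {
    "http://search-result.example/folie0.html": (
        302, {"Location": "/go.php?q=refa"}, ""),
    "http://search-result.example/go.php?q=refa": (
        200, {},
        '<meta http-equiv="refresh" content="0;url=http://hop.example/scan">'),
    "http://hop.example/scan": (
        301, {"Location": "http://rogue-av.example/scanner/"}, ""),
    "http://rogue-av.example/scanner/": (
        200, {}, "<html>Your PC is infected!</html>"),
}

# Matches <meta http-equiv="refresh" content="N;url=..."> and captures the URL.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']?'
    r'\s*\d+\s*;\s*url=([^"\'>\s]+)', re.IGNORECASE)

def next_hop(url, status, headers, body):
    """Return the URL this response sends the client to, or None for a final page."""
    if 300 <= status < 400 and "Location" in headers:
        return urljoin(url, headers["Location"])   # resolve relative Location
    m = META_REFRESH.search(body)
    if m:
        return urljoin(url, m.group(1))
    return None

def trace_chain(start, responses, max_hops=10):
    """Follow redirects from `start`; return the URLs visited, in order."""
    chain, url = [start], start
    while len(chain) < max_hops:
        status, headers, body = responses.get(url, (200, {}, ""))
        nxt = next_hop(url, status, headers, body)
        if nxt is None or nxt in chain:            # final page, or a loop
            break
        chain.append(nxt)
        url = nxt
    return chain

def landing_differs(chain):
    """True when the final host is not the host the search result pointed to."""
    return urlsplit(chain[0]).hostname != urlsplit(chain[-1]).hostname
```

A chain that ends on a different host than the indexed page is the pattern seen in both scenarios above and is worth a closer look before anyone clicks through.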

Apparently, rogue AV is not dying out just yet.



© Copyright 2013 Trend Micro Inc. All rights reserved.