Malware authors jump on the PIFTS.EXE bandwagon


It looks like the bad guys are proving that once again they aren't slow to leap on an opportunity.

With parts of the internet in a fluster over the Symantec / PIFTS.EXE debacle, hackers have set out to poison search engines in an attempt to cash in on unsuspecting computer users.

We're seeing evidence that websites containing malware are showing up in search engine results when people hunt for more information about PIFTS.

Poisoned PIFTS search results

Sophos's WS1000 Web Appliance is already picking up some of these sites as Mal/BadRef-A, and preventing users from accessing them.

The Mal/BadRef-A script redirects to another malicious script (detected by Sophos as Troj/Reffor-A) which then itself redirects to a page detected as Mal/FakeAvJs-A.

That page leads to a fake anti-virus scan (also known as scareware) designed to frighten computer users out of their hard-earned cash. It's ironic that a scare about a file in an anti-virus program is leading users to search and visit a page where they will be scammed by a fake anti-virus program.

Ho hum.

A fake anti-virus scan

In a nutshell - be very careful when you search on the internet for information about PIFTS.

Of course, the fake anti-virus scan is not related to Symantec or the PIFTS.EXE file - it's just that the hackers are using the interest surrounding that file at the moment to generate traffic to their dangerous websites.

Clu-blog readers will know that the above scenario is very similar to what we saw being played out in the wake of the Error Check System Facebook scare last month.


About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations.