With all the hype around Conficker recently, it should come as no surprise that scammers are using this highly publicized threat to try to spread more malware. We have been seeing spam that pushes fake AV malware for quite some time, typically using a supposed critical Microsoft Windows update as the pretext to frighten readers into clicking the links in the messages. Here is an example from last June:
This past weekend, SophosLabs noticed a new "Conficker" theme in the content of these spam messages. Instead of claiming that a critical Windows update needs to be applied, they say that "your Internet company" believes you to be infected and tell you to click the link to scan your computer:
These messages were sent from a wide range of IPs, with varying subject lines typical of botnet-generated spam:
(Screenshot: sample subject lines)
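The two traits described above, a fixed lure (your ISP thinks you are infected, click here to scan) pointing at one landing site, and delivery from many different IPs under many different subject lines, are exactly what a mail-gateway triage script can key on. The following is an added example, not code from the original post or from SophosLabs: it scores constructed messages against the lure phrases quoted in the post and then groups the hits by landing domain so the botnet fan-out (one domain, many source IPs, many subjects) is visible. All IPs, domains and subjects in the sample messages are invented.

```python
"""Triage Conficker-themed fake AV spam and summarise the sending campaign.

Added example, not code from the original post. SAMPLE_MESSAGES below are
constructed for illustration; the IPs, domains and subjects are invented
and do not correspond to the real campaign.
"""
import re
from collections import defaultdict
from email import message_from_string
from urllib.parse import urlparse

# Lure phrases taken from the post's description of the spam content.
LURE_PATTERNS = [
    re.compile(r"your internet (company|provider)", re.I),
    re.compile(r"\binfected\b", re.I),
    re.compile(r"scan your (computer|pc)", re.I),
    re.compile(r"\bconficker\b", re.I),
]
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# Client IP in a Received: header such as
#   Received: from pc-7 (unknown [192.0.2.10]) by mx.example.test
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def score_message(raw):
    """Return (score, urls, sender_ip, subject) for one raw RFC 822 message.

    score = number of distinct lure patterns matching the body, plus one if
    the body carries a link (the call to action the post describes).
    """
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    score = sum(1 for p in LURE_PATTERNS if p.search(body))
    urls = URL_RE.findall(body)
    if urls:
        score += 1
    sender_ip = None
    for hdr in msg.get_all("Received") or []:
        m = RECEIVED_IP_RE.search(hdr)
        if m:
            sender_ip = m.group(1)
            break
    return score, urls, sender_ip, msg.get("Subject", "")


def summarise_campaign(raw_messages, threshold=3):
    """Group messages scoring >= threshold by the landing domain they link to.

    Returns {domain: {"ips": set, "subjects": set, "count": int}}, so a
    campaign shows up as one landing site fed by many IPs and subjects.
    """
    campaigns = defaultdict(lambda: {"ips": set(), "subjects": set(), "count": 0})
    for raw in raw_messages:
        score, urls, sender_ip, subject = score_message(raw)
        if score < threshold or not urls:
            continue
        for domain in {urlparse(u).hostname for u in urls}:
            entry = campaigns[domain]
            entry["count"] += 1
            entry["subjects"].add(subject)
            if sender_ip:
                entry["ips"].add(sender_ip)
    return dict(campaigns)


# Constructed sample traffic: three lure messages from different bots with
# different subjects, all pointing at one landing site, plus one legitimate
# message that happens to contain the word "infected" and a link.
SAMPLE_MESSAGES = [
    "Received: from pc-7 (unknown [192.0.2.10]) by mx.example.test\n"
    "From: support@isp.example.test\nSubject: Your computer is infected\n\n"
    "Your Internet company believes your computer is infected with the\n"
    "Conficker worm. Please scan your computer here:\n"
    "http://fake-av.example.test/scan\n",
    "Received: from dsl-23 (unknown [198.51.100.23]) by mx.example.test\n"
    "From: abuse@isp.example.test\n"
    "Subject: Conficker alert from your Internet provider\n\n"
    "Your Internet provider believes you are infected. Scan your PC now:\n"
    "http://fake-av.example.test/scan\n",
    "Received: from cable-77 (unknown [203.0.113.77]) by mx.example.test\n"
    "From: noreply@isp.example.test\nSubject: Security warning\n\n"
    "Your Internet company believes you are infected with Conficker.\n"
    "Click to scan your computer: http://fake-av.example.test/index.php\n",
    "Received: from laptop (unknown [198.51.100.5]) by mx.example.test\n"
    "From: friend@example.test\nSubject: Lunch on Friday?\n\n"
    "Still on for Friday? My laptop got infected last week, so I am\n"
    "restoring it from http://backup.example.test/notes\n",
]

if __name__ == "__main__":
    for domain, info in summarise_campaign(SAMPLE_MESSAGES).items():
        print(domain, info["count"], "msgs,",
              len(info["ips"]), "source IPs,", len(info["subjects"]), "subjects")
```

The threshold deliberately needs more than one lure phrase plus a link, so that an ordinary message mentioning an infection is not flagged; in practice the landing-domain grouping is the more useful output, since a single domain receiving traffic from many unrelated source IPs is the signal to feed into a URL blocklist.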
Clicking the link brings up a popup that again claims you are infected:
This is followed by the typical fake AV webpage. Interestingly, the content of these sites has not been updated to reflect the Conficker theme:
The fake AV malware hosted on this site is detected as Mal/FakeAV-AH. Anyone behind a Sophos Web Appliance, however, would not have been able to browse to these sites at all: the domains serving this malware were blocked as "Malware" on the day they were registered, or the moment they went online.