Conficker Infection Alert!!

Filed Under: Malware, SophosLabs, Spam

With all the hype around Conficker recently, it should come as no surprise that scammers are using this highly publicized threat to attempt to spread more malware. We've been seeing spam spreading fake AV malware for quite some time, typically using Critical Microsoft Windows updates as a method to frighten readers into clicking links in the messages. Here is an example from last June:

[Image: June sample spam]

This past weekend, SophosLabs noticed a new "Conficker" theme in the content of these spam messages. Instead of saying there is a critical Windows update that needs to be applied, they say that "your Internet company" believes you to be infected, and tell you to click the link to scan your computer:

[Image: April sample spam]

These messages were sent via a wide range of IPs, and with varying subject lines typical of botnet-generated spam:

[Image: Sample spam relays]

[Image: Sample subject lines]

Clicking the link will again suggest you are infected, this time via a popup:

[Image: Sample fake AV popup]

This is followed by the typical fake AV webpage. Interestingly, they have not updated the content on these sites to reflect the Conficker infection theme:

[Image: Sample fake AV page]

The fake AV malware hosted on this site is detected as "Mal/FakeAV-AH". However, you would not even have been able to browse to these sites had you been behind one of our Sophos Web Appliances, as the domains serving this malware were blocked as "Malware" the day they were registered, or the moment they went online.


About the author

Brett is a Technical Lead in the AntiSpam Operations team within SophosLabs. He has been working for Sophos since their acquisition of ActiveState in 2003.