Fake AV and swine flu

Filed Under: Malware, SophosLabs

It was inevitable. Rogue security software taking advantage of concerns around Swine flu, sorry, H1N1 influenza A, to infect victims.

Now is not the best time to be using a search engine to find information on the pandemic (at least not without due care). It is common practice for attackers to construct large numbers of sites containing keyword-stuffed pages. These are designed to catch user traffic via search engines, but often they also contain malicious code. In most cases, the malicious code redirects the visitor to another site where they are exposed to malware.

Earlier on today, I noticed this type of attack using pages designed to catch unwary users searching for "flu fact sheets". The pages are automatically generated, as becomes obvious when you refresh the page and the content changes.

Within the page is a malicious script, pro-actively blocked as Mal/FunDF-A, but you only receive it if you get to the page via a search engine. The server checks the referrer, omitting the script if you don't arrive by the desired route.

A few moments with any search engine reveals hundreds more pages on the same domain, adopting different themes (from Nat King Cole songs through to facts about meteors).

The purpose of the malicious script is to redirect the victim to another site, in this case a fake AV delivery site.
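To make the referrer trick and the redirect concrete, here is an added example (not code from SophosLabs or from the attack page): a constructed stand-in server that omits the redirect script unless the Referer header names a search engine, alongside a simple check that fetches a URL twice and reports any script served only on the search-engine visit. The search-engine host list, the placeholder domains and the sample page content are all assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Assumption: referrer hosts an attacker would treat as "arrived via a search engine".
SEARCH_ENGINE_HOSTS = ("google.com", "bing.com", "yahoo.com")

def _is_search_engine_referrer(referer):
    host = urlparse(referer).netloc.lower().split(":")[0]
    return any(host == h or host.endswith("." + h) for h in SEARCH_ENGINE_HOSTS)

# Constructed stand-in for the SEO-poisoned server described in the post: the
# keyword-stuffed page is always served, but the redirect script is omitted
# unless the Referer header points at a search engine. The redirect target is
# a placeholder domain, not a real indicator.
def cloaked_server(url, headers):
    page = "<html><body><h1>Flu fact sheets</h1><p>keyword stuffed text</p>"
    if _is_search_engine_referrer(headers.get("Referer", "")):
        page += '<script>window.location="http://fakeav-placeholder.example/";</script>'
    return page + "</body></html>"

# Constructed benign server that serves the same page regardless of referrer.
def honest_server(url, headers):
    return '<html><body><h1>Flu fact sheets</h1><script src="/site.js"></script></body></html>'

SCRIPT_RE = re.compile(r"<script\b.*?</script>", re.I | re.S)

def detect_referrer_cloaking(fetch, url):
    """Fetch `url` twice via `fetch(url, headers)`, once with no Referer and once
    with a search-engine Referer, and return the script elements that appear
    only on the search-engine visit. A non-empty result means the page varies
    its content on the referrer, the cloaking trick described above."""
    plain = fetch(url, {})
    via_search = fetch(url, {"Referer": "https://www.google.com/search?q=flu+fact+sheets"})
    return sorted(set(SCRIPT_RE.findall(via_search)) - set(SCRIPT_RE.findall(plain)))

if __name__ == "__main__":
    url = "http://seo-page-placeholder.example/flu-fact-sheets.html"
    print(detect_referrer_cloaking(cloaked_server, url))  # one redirect script
    print(detect_referrer_cloaking(honest_server, url))   # []
```

Against a live site you would pass a `fetch` that performs real HTTP requests with the given headers; the comparison logic stays the same.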

Detection for the rogue security software installed from this site has been added as Troj/FakeAV-PV. The relevant domains (associated with the SEO page and the fake AV site) have also been blacklisted.

This is less about H1N1 influenza A focused malware, and more of a general reminder for people to take care when browsing, searching and clicking. Use trusted sources when seeking information on topical or newsworthy items.


About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.