Blackhat SEO and Fake anti-virus - Like chocolate and peanut butter

Filed Under: Google, Malware, Spam, Video, Vulnerability

Chocolate and peanut butter

It's not exactly a new story that people are being hit hard by fake anti-virus, but I want to draw attention to the sophistication of their software and distribution methods.

Many IT professionals I work with have had to clean up after these infections, and just as many blame their users for being stupid enough to get infected. As a researcher, I know this is not necessarily the case. Certainly, some people make ignorant mistakes clicking links and opening attachments, but many of these attacks are convincing enough that simple computer security advice is not enough to protect users from them.

I just came across another instance of a long-running spam campaign pretending to be a message from the user's ISP, telling them to run a file from a web link to update their email program settings. The download led to a fake anti-virus variant that was very realistic.

Dear Customer,

This e-mail was sent by CENSORED.com to notify you that we have temporanly prevented access to your account.

We have reasons to beleive that your account may have been accessed by someone else. Please run this file and Follow instructions:

http://ddd33.CENSORED.com/setup.zip

(C) CENSORED.com
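The lure above combines a generic greeting, account-scare wording, an instruction to run a file, and a link to an archive. Those traits are exactly what a mail gateway or SOC triage script can score. The following is an added example, not code from the original post or from Sophos: a small heuristic scorer run over two constructed messages, one modelled on the lure quoted above (with the censored domain replaced by the placeholder example.invalid) and one benign notification. The phrase lists, weights and threshold are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed heuristics for this example; a real gateway would use a far
# larger, maintained phrase list and combine this with header/sender checks.
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member")
URGENCY_PHRASES = (
    "prevented access to your account",
    "accessed by someone else",
    "account has been suspended",
    "verify your account",
)
RUN_FILE_PHRASES = (
    "run this file",
    "download and run",
    "install the attached",
    "update your email program settings",
)
# Direct links to archives or executables are a strong signal on their own.
RISKY_EXTENSIONS = (".zip", ".rar", ".exe", ".scr", ".js")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class LureVerdict:
    score: int
    reasons: list = field(default_factory=list)
    suspicious: bool = False


def risky_download_links(body: str) -> list:
    """Return every URL in the body whose path ends in a risky file extension."""
    return [u for u in URL_RE.findall(body)
            if u.lower().rstrip(".,);").endswith(RISKY_EXTENSIONS)]


def score_lure(body: str, threshold: int = 4) -> LureVerdict:
    """Score a message body for the fake-AV lure traits; flag it at >= threshold."""
    text = body.lower()
    score, reasons = 0, []
    if any(g in text for g in GENERIC_GREETINGS):
        score += 1
        reasons.append("generic greeting")
    if any(p in text for p in URGENCY_PHRASES):
        score += 2
        reasons.append("account-urgency phrasing")
    if any(p in text for p in RUN_FILE_PHRASES):
        score += 2
        reasons.append("instructs recipient to run a file")
    links = risky_download_links(body)
    if links:
        score += 3
        reasons.append("link to archive/executable: " + ", ".join(links))
    return LureVerdict(score, reasons, score >= threshold)


# Constructed sample modelled on the quoted lure (placeholder domain).
SAMPLE_LURE = """Dear Customer,

This e-mail was sent by example.invalid to notify you that we have temporarily
prevented access to your account.

We have reasons to believe that your account may have been accessed by someone
else. Please run this file and Follow instructions:

http://ddd33.example.invalid/setup.zip

(C) example.invalid
"""

# Constructed benign notification for comparison.
SAMPLE_BENIGN = """Hi Alex,

Your March invoice is ready. You can view it at
https://billing.example.invalid/invoice/123

Thanks,
Billing team
"""

if __name__ == "__main__":
    for name, body in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        v = score_lure(body)
        print(f"{name}: score={v.score} suspicious={v.suspicious} reasons={v.reasons}")
```

Scoring several weak traits rather than matching on any one of them keeps the false-positive rate tolerable: a legitimate "Dear Customer" newsletter scores 1, while a message that also tells the reader to run a linked archive crosses the threshold.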

This particular payload behaved much more like a real anti-virus product than ever before. It actually detected my installation of Sophos Anti-Virus and prompted me to uninstall it!

Fake AV warning to uninstall Sophos Anti-virus

Most fake anti-virus I have run into is distributed through blackhat SEO poisoning. I recently put together a video showing how scammers are gaming Google and Bing to distribute this malware in ways your users may not expect.

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

Aside from its sophistication in trying to remove our product, and its distribution through email rather than web search, today's sample of fake anti-virus looks and behaves like most others. It has an annoying habit of rebooting your workstation every 15 minutes or so.

To help educate both professionals and end users we have put together some materials on the 10 myths of safe web browsing. This includes some papers, a link to the video above, and a widget you can deploy on your Intranet that helps train users on safer internet usage.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.