Earlier this week we became aware of YAFAT (yet another fake alert trojan family), this time being distributed via drive-by installs from compromised web sites.
Attackers are uploading web pages stuffed with keywords (porn, celebrities, popular snacks) to vulnerable sites as a means of attracting victims via search engine results. In some cases, the homepage of the compromised site is also being modified, with links to the malicious web page appended to it.
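For site owners wanting to spot the two symptoms described above (links appended to the homepage and newly uploaded keyword-stuffed pages), here is an added example of a simple integrity check; it is not part of the original post or any Sophos tool, and the HTML samples, file names and bait-term list are constructed for illustration.

```python
import re

# Constructed sample: a known-good copy of a site's homepage and the same page
# after an attacker appended links to freshly uploaded lure pages (hypothetical paths).
BASELINE_HTML = """<html><body>
<h1>Example Shop</h1><p>Welcome to our store.</p>
<a href="/about.html">About us</a>
</body></html>"""

MODIFIED_HTML = BASELINE_HTML + """
<a href="/pages/celebrity-video.html">celebrity video</a>
<a href="/pages/free-snacks.html">free snacks</a>"""

# Constructed sample of an uploaded lure page: almost no real content, repeated bait terms.
LURE_PAGE = "<html><body>" + " ".join(["celebrity porn video snacks"] * 20) + "</body></html>"

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
# Bait terms of the kind the post mentions; a real deployment would use a fuller list.
BAIT_TERMS = {"porn", "celebrity", "celebrities", "snacks", "snack"}

def new_links(baseline, current):
    """Links present in the current homepage but absent from the known-good baseline."""
    known = set(LINK_RE.findall(baseline))
    return [(href, text.strip()) for href, text in LINK_RE.findall(current)
            if (href, text) not in known]

def bait_density(html):
    """Fraction of visible words that are bait terms (1.0 means every word)."""
    words = re.findall(r"[a-z]+", TAG_RE.sub(" ", html).lower())
    if not words:
        return 0.0
    return sum(w in BAIT_TERMS for w in words) / len(words)

def audit(baseline, current, uploaded_pages, threshold=0.5):
    """Report appended homepage links and uploaded pages whose bait density is at or above threshold."""
    findings = {"appended_links": new_links(baseline, current), "stuffed_pages": []}
    for name, html in uploaded_pages.items():
        score = bait_density(html)
        if score >= threshold:
            findings["stuffed_pages"].append((name, round(score, 2)))
    return findings

if __name__ == "__main__":
    print(audit(BASELINE_HTML, MODIFIED_HTML, {"/pages/celebrity-video.html": LURE_PAGE}))
```

In practice the baseline would be a copy taken at deploy time and the uploaded pages would be any files whose modification time is newer than the last legitimate release.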
The victim is prompted to download and install an executable (install.exe) which is actually a Trojan downloader (detected as Troj/Dloadr-CBA). Take note of the characteristic yellow and black striped icon – I suspect we are going to see a lot of this family over coming weeks.
Once running, install.exe downloads and installs the Winweb Security fake alert malware.
Detection for the Winweb Security malware itself has been added as Troj/FakeAV-GX. As with other fake AV families, it is likely that we will see many variants of this family (in fact, as I write this I see we have already started to see some). So, additional generic detection has been added, and will shortly be published (Mal/FakeAV-O).
Finally, the Winweb Security malware is not in any way related to the legitimate firm WinWeb International Limited. Looking at a news item on their site, it would appear some people are making this mistake.