Snickerdoodles and FakeAV

Earlier this week we became aware of YAFAT (yet another fake alert trojan family), this time being distributed via drive-by installs from compromised web sites.

Pages stuffed with keywords (porn, celebrities, popular snacks) are being uploaded to vulnerable sites as a means of attracting victims via search engine results. In some cases, the homepage of the compromised site is also modified, with links to the malicious web page appended to it.

[Keyword stuff page uploaded to legitimate site]

Aside from keywords, the malicious pages also contain a heavily obfuscated JavaScript (detected as Mal/ObfJS-AL). The purpose of the script is to silently redirect the user to another URL (which collects referrer and keyword details), from where they are redirected to the fake alert distribution site.
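For site owners checking whether they host one of these pages, the two web-side indicators described above (a keyword-stuffed doorway page, and an obfuscated script that redirects and leaks the referrer) can be spotted with simple heuristics. The following is an added example written for this post, not Sophos code and not derived from the actual campaign pages; the sample HTML, the marker strings and the density threshold are constructed assumptions that a real deployment would tune.

```python
"""Heuristic scan of HTML pages for keyword stuffing and obfuscated redirect scripts.
Added example; all sample content below is constructed, not recovered from the campaign."""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample pages (assumption: not the real doorway page or homepage).
CLEAN_PAGE = """<html><head><title>Garden Furniture Ltd</title></head>
<body><h1>Welcome</h1>
<p>We sell garden furniture and offer delivery across the region.
Browse our catalogue or contact the sales team for a quote.</p>
<a href="/catalogue.html">Catalogue</a> <a href="/contact.html">Contact</a>
<script>document.getElementById('year').textContent = new Date().getFullYear();</script>
</body></html>"""

DOORWAY_PAGE = """<html><head><title>snickerdoodles snickerdoodles recipe</title></head>
<body>
snickerdoodles snickerdoodles recipe snickerdoodles cookies snickerdoodles celebrity
snickerdoodles snickerdoodles free snickerdoodles snickerdoodles video snickerdoodles
<script>var q=unescape('%73%6e%69%63%6b');var r=String.fromCharCode(104,116,116,112);
eval(r+q);window.location.replace(r+'?ref='+escape(document.referrer)+'&q='+q);</script>
</body></html>"""

# Homepage before and after a constructed "append a link to the doorway page" edit.
HOMEPAGE_BEFORE = CLEAN_PAGE
HOMEPAGE_AFTER = CLEAN_PAGE.replace(
    "</body>", '<a href="/images/snickerdoodles.html">snickerdoodles</a></body>')

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.I)

# Marker strings are an assumption: common in packed scripts, but tune for your site.
OBFUSCATION_MARKERS = ["eval(", "unescape(", "String.fromCharCode", "document.write("]
REDIRECT_MARKERS = ["location.replace", "location.href", "document.referrer", "window.location"]


def keyword_density(html: str) -> float:
    """Share of visible words taken by the single most frequent word (scripts excluded)."""
    text = TAG_RE.sub(" ", SCRIPT_RE.sub(" ", html))
    words = re.findall(r"[a-z]{3,}", text.lower())
    if len(words) < 10:          # too little text to judge
        return 0.0
    top = Counter(words).most_common(1)[0][1]
    return top / len(words)


def script_indicators(html: str) -> Dict[str, List[str]]:
    """Collect obfuscation and redirect markers found inside <script> blocks."""
    scripts = " ".join(SCRIPT_RE.findall(html))
    found = {
        "obfuscation": [m for m in OBFUSCATION_MARKERS if m in scripts],
        "redirect": [m for m in REDIRECT_MARKERS if m in scripts],
    }
    # A run of %xx escapes is typical of packed script fed to unescape().
    if re.search(r"(?:%[0-9a-fA-F]{2}){4,}", scripts):
        found["obfuscation"].append("percent-encoded-run")
    return found


def assess_page(html: str, density_threshold: float = 0.25) -> Dict[str, object]:
    """Flag a page when at least two independent indicators are present."""
    density = keyword_density(html)
    ind = script_indicators(html)
    reasons = []
    if density >= density_threshold:
        reasons.append(f"keyword density {density:.2f}")
    if ind["obfuscation"]:
        reasons.append("obfuscated script: " + ", ".join(ind["obfuscation"]))
    if ind["obfuscation"] and ind["redirect"]:
        reasons.append("obfuscated script performs a redirect")
    return {"suspicious": len(reasons) >= 2, "density": density, "reasons": reasons}


def new_links(baseline_html: str, current_html: str) -> List[str]:
    """Hrefs present in the current homepage but absent from a known-good copy."""
    before = set(HREF_RE.findall(baseline_html))
    return [h for h in HREF_RE.findall(current_html) if h not in before]


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("doorway", DOORWAY_PAGE)):
        print(name, assess_page(page))
    print("links appended to homepage:", new_links(HOMEPAGE_BEFORE, HOMEPAGE_AFTER))
```

Run over a site's document root, `assess_page` flags the doorway page on both density and script content while leaving the ordinary page alone, and `new_links` against a backup of the homepage surfaces the appended link; both are heuristics to trigger a closer look, not a substitute for antivirus detection of the script itself.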

[Alert box]

[Fake online scan]

The victim is prompted to download and install an executable (install.exe) which is actually a Trojan downloader (detected as Troj/Dloadr-CBA). Take note of the characteristic yellow and black striped icon – I suspect we are going to see a lot of this family over the coming weeks.

[Characteristic yellow/black icon]

Once running, install.exe downloads and installs the Winweb Security fake alert malware.

Detection for the Winweb Security malware itself has been added as Troj/FakeAV-GX. As with other fake AV families, it is likely that we will see many variants of this family (in fact, as I write this, we have already started to see some). So, additional generic detection has been added and will shortly be published (Mal/FakeAV-O).

Finally, the Winweb Security malware is not in any way related to the legitimate firm WinWeb International Limited. Looking at a news item on their site, it would appear some people are making this mistake.