Conficker Infection Alert!!

With all the hype around Conficker recently, it should come as no surprise that scammers are using this highly publicized threat to attempt to spread more malware. We’ve been seeing spam spreading fake AV malware for quite some time, typically using Critical Microsoft Windows updates as a method to frighten readers into clicking links in the messages. Here is an example from last June:

(Image: June sample spam)

This past weekend, SophosLabs noticed a new “Conficker” theme in the content of these spam messages. Instead of saying there is a critical Windows update that needs to be applied, they claim that “your Internet company” believes you to be infected, and tell you to click the link to scan your computer:

(Image: April sample spam)

These messages were sent via a wide range of IPs, and with varying subject lines typical of botnet generated spam:

(Image: Sample spam relays)

(Image: Sample subject lines)

Clicking the link will again suggest, via a popup, that you are infected:

(Image: Sample fake AV popup)

This is followed by the typical fake AV webpage. Interestingly, they have not updated the content on these sites to reflect the Conficker infection theme:

(Image: Sample fake AV page)

The fake AV malware hosted on this site is detected as “Mal/FakeAV-AH”. However, you would not even have been able to browse to these sites from behind one of our Sophos Web Appliances, as the domains serving this malware were blocked as “Malware” the day they were registered, or the moment they went online.