Hackers exploit Oscar film awards to spread scareware

March 9, 2010 by admin  
Filed under Security News

 

Last night saw Kathryn Bigelow’s hard-hitting film “The Hurt Locker”, about a bomb disposal team in Iraq, scoop the major gongs at the Academy Awards. It should probably be no surprise to hear that movie buffs around the world used the internet to keep track of who won which Oscars, and, sadly, that hackers would try to exploit the event.

Internet users searching for phrases like “Oscars 2010 winners” may be putting the security of their computers at risk today, as some of the results returned by search engines can point to malicious webpages.

 

By using SEO (search engine optimisation) techniques, hackers have created webpages stuffed with content that appears to relate to the 2010 Oscars but is really designed to infect your computer.

 

Malicious Oscar-related search results

As you can see, information about the Oscars ceremony and award winners has been one of the hottest search topics overnight.

 

Clicking on the dangerous links takes you to a page which pretends to scan your computer for security threats, trying to trick you into downloading malicious code and handing over your credit card details.

 

Oscar scareware

As Fraser Howard recently described on the SophosLabs blog, victims arriving from a search engine are redirected a number of times before being taken to a webpage hosting a malicious script.

 

Sophos detects the malicious scripts as Mal/FakeAVJs-A, and the fake anti-virus itself as Troj/FakeAV-AXS.

 

Fake anti-virus attacks (also known as scareware) are nothing new, and it’s very common for hackers to exploit hot topics in an attempt to bring a steady stream of traffic to their infected webpages.

 

By Graham Cluley, Sophos


Bogus Sponsored Link Leads to FAKEAV

September 27, 2009 by admin  
Filed under Security News

Apart from SEO poisoning, cybercriminals have found another avenue to proliferate FAKEAV malware: bogus sponsored links (sitio patrocinados in Spanish). Just recently, Trend Micro researchers were alerted to malicious search engine ads that appeared in Microsoft’s Bing and AltaVista, among others, when a user searches for the string “malwarebytes.” (Malwarebytes is a free antivirus product, but of course, not a FakeAV.) Clicking the malicious URL points the user to an executable file named MalwareRemovalBot.exe-1 (detected by Trend Micro as TROJ_FAKEAV.DMZ).

 

Figure 1. Malicious banner ad on Bing

Figure 2. Malicious banner ad on AltaVista
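The two patterns described on this page, the multi-hop redirect from a poisoned search result that ends at a page serving a malicious script (the Sophos Oscars item above) and the sponsored link that hands the user an executable named to look like a security tool (this Trend Micro item), both leave a recognisable trail in a web proxy log. The following Python script is an added example, not code from Sophos or Trend Micro: it reconstructs per-client click chains from constructed log lines and flags both patterns. The log format, client addresses and domains are invented for the example (only the MalwareRemovalBot.exe filename comes from the article), and the hop thresholds and the list of lookalike words are assumptions to tune for a real environment.

```python
import re
from collections import namedtuple
from urllib.parse import urlparse

# One proxy log record: time, client IP, HTTP status, requested URL,
# the URL that led to this request (as recorded by the proxy; "-" when none), content type.
Record = namedtuple("Record", "ts client status url prev ctype")

# Constructed sample log (not real traffic): one poisoned-search redirect chain,
# one sponsored-link executable download, and one harmless search click.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 200 http://www.google.com/search?q=oscars+2010+winners - text/html
10:00:03 10.0.0.5 302 http://oscars-winners-blog.example/2010.html http://www.google.com/search?q=oscars+2010+winners text/html
10:00:03 10.0.0.5 302 http://trk.example-redir.net/go?id=7 http://oscars-winners-blog.example/2010.html text/html
10:00:04 10.0.0.5 302 http://cdn.example-hop.biz/r http://trk.example-redir.net/go?id=7 text/html
10:00:04 10.0.0.5 200 http://scan.example-fakeav.info/scan.js http://cdn.example-hop.biz/r application/javascript
10:05:10 10.0.0.9 200 http://www.bing.com/search?q=malwarebytes - text/html
10:05:12 10.0.0.9 200 http://ads.example-adnet.net/click?adid=42 http://www.bing.com/search?q=malwarebytes text/html
10:05:13 10.0.0.9 200 http://dl.example-download.org/MalwareRemovalBot.exe http://ads.example-adnet.net/click?adid=42 application/octet-stream
10:07:00 10.0.0.12 200 http://www.google.com/search?q=oscars+2010+winners - text/html
10:07:02 10.0.0.12 200 http://news.example-legit.com/oscars http://www.google.com/search?q=oscars+2010+winners text/html
"""

SEARCH_ENGINES = {"www.google.com", "www.bing.com", "www.altavista.com"}
# Words a fake-AV download borrows to pass as a security product (assumed list; tune locally).
LOOKALIKE = re.compile(r"malware|antivirus|anti-virus|removal|security|protect", re.I)


def parse_log(text):
    """Turn the six-field log lines into Record tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, status, url, prev, ctype = parts
        records.append(Record(ts, client, int(status), url, None if prev == "-" else prev, ctype))
    return records


def host(url):
    return urlparse(url).netloc.lower()


def build_chains(records):
    """Per client, follow 'prev' links forward from each search-results request."""
    by_client = {}
    for r in records:
        by_client.setdefault(r.client, []).append(r)
    chains = []
    for recs in by_client.values():
        by_prev = {}
        for r in recs:
            if r.prev is not None:
                by_prev.setdefault(r.prev, r)   # first request that followed each URL
        for r in recs:
            if r.prev is None and host(r.url) in SEARCH_ENGINES:
                chain, cur, seen = [r], r, {r.url}
                while cur.url in by_prev and by_prev[cur.url].url not in seen:
                    cur = by_prev[cur.url]
                    seen.add(cur.url)
                    chain.append(cur)
                chains.append(chain)
    return chains


def analyse(chain, max_redirects=2):
    """Return a finding dict for a suspicious chain, or None."""
    hops = chain[1:]                      # everything after the search-results page
    if not hops:
        return None
    client, last = chain[0].client, hops[-1]
    redirects = sum(1 for h in hops if 300 <= h.status < 400)
    # Pattern 1: several redirects, ending at a script hosted off the first landing domain.
    if (redirects > max_redirects and last.ctype.startswith("application/javascript")
            and host(last.url) != host(hops[0].url)):
        return {"client": client, "rule": "redirect_chain_to_script",
                "hops": len(hops), "final_url": last.url}
    # Pattern 2: an executable with a security-product-style name within two hops of the search.
    for i, h in enumerate(hops[:2]):
        name = urlparse(h.url).path.rsplit("/", 1)[-1]
        is_exe = h.ctype == "application/octet-stream" or name.lower().endswith(".exe")
        if is_exe and LOOKALIKE.search(name):
            return {"client": client, "rule": "exe_after_search_click",
                    "hops": len(hops), "final_url": h.url}
    return None


def find_suspicious(text):
    return [f for f in (analyse(c) for c in build_chains(parse_log(text))) if f]


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

The `prev` field is whatever the proxy records as the previous URL in the click path; if only the browser's Referer header is available, remember that browsers carry the original referer through a 302, so chains built from it will have fewer visible hops and the redirect threshold should be lowered accordingly.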


Upon execution, the rogue antivirus falsely reports that the system is infected, listing files that do not even exist.


Figure 3. Fake scan results


In the past, cybercriminals employed the same tactic when they hitchhiked on the Trend Micro name. Some Google searches then showed banner ads that led to a fraudulent Trend Micro website.

 

Though the ads may not appear in all regions, all users are still strongly advised to be extra careful when clicking links in search engines. Users connected to the Trend Micro Smart Protection Network are protected from this attack as it detects and blocks all malicious URLs.

 

 

by Erika Mendoza (Threat Response Engineer) at Trendmicro.com

 


Pick Your Poison: KOOBFACE or FAKEAV?

September 18, 2009 by admin  
Filed under Security News

The Koobface botnet is widely known to install FAKEAV or rogue antivirus malware onto a victim’s PC. It has a dedicated component which actually installs the FAKEAV onto the user’s system. However, the Koobface gang has added a new twist to its fake Facebook page.

 

When the user closes the window/tab with the fake Facebook page, a popup window appears. Whatever button the user clicks, this new Koobface variant is downloaded onto the affected system. Here’s a video that illustrates this behavior:

 

This is the script used by cybercriminals to perform this new routine; it only works for users who visited the fake page with Internet Explorer:

 

Figure 1. Koobface Script

 

The script above leaves the user with very little choice: closing the browser window downloads a FakeAV variant (detected as TROJ_FAKEAV.FGR), while clicking anywhere on the web page downloads a Koobface loader (detected as WORM_KOOBFACE.AZ).