Rogue AV using Search Engine Optimization

Rogue AntiVirus software is defined as malicious piece of code that deceives users into paying for removal of fake viruses that it generates alerts for. SonicWALL UTM Research team published an alert describing various variants of Rogue AntiVirus that we saw back in August, 2009 - LINK.

Rogue AntiVirus authors have used various social engineering techniques in order to spread the malware and infect the users. Some of the techniques are listed below:

• Drive-by downloads via infected websites or dedicated malicious websites
• Free online scanning service
• Software shared via P2P network
• Archive File attached in the e-mail
• Fake codec required to play certain video

Latest example of SEO leading to the drive-by download malicious website is shown below:

Search for "invisible extended hearing aids" in Google search engine and the very first result of the search leads you to a Rogue AntiVirus drive-by download website:

Note that the website seems to be compromized and is being used without victim's knowledge for malicious purposes. Google does a good job of removing such links from their indexes as soon as they find out but it usually takes more than a day which is enough for the Rogue AV authors to infect multiple users.

If the user clicks on the link above, it redirects them to a malicious site that generates a fake infection alert and runs the fake AntiVirus scan animation:

This leads to the download of a malicious executable file "install14300.exe" that compromises the victim machine.

SonicWALL Gateway AntiVirus provides protection against above threat via GAV: FakeAV#html_3 (Trojan) and GAV: TDSS.AA_11 (Trojan) signatures