Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

Icelandic Volcano Erupts, Fake Antivirus Spews Forth

Created: 22 Mar 2010 15:23:04 GMT • Updated: 23 Jan 2014 18:28:48 GMT
Hon Lau's picture
0 0 Votes
Login to vote

Yesterday there was a volcanic eruption in Iceland near the Eyjafjallajoekull glacier that has led the Icelandic authorities to declare a state of emergency in southern Iceland. People living nearby have been evacuated in case of glacial melt water flooding and the airspace near the now active volcano is effectively closed off.  As you have probably already guessed, any event that commands a high level of public interest will be pounced on quickly by the makers of fake antivirus software in order to make a quick buck. This incident is no exception.

Web searches for subjects relating to this eruption, such as "Iceland Volcanic Eruption" or "Iceland Volcano," will return results that may include dozens of hacked websites. It is not that difficult to spot the hacked sites with the fake antivirus redirection in the search results. Generally, you should look for a pattern like this:

[LEGITIMATE DOMAIN]/[RANDOM STRING].php?[RANDOM PARAMETERS]

A reasonable rule of thumb I like to use in conjunction with this pattern is to look for domain names that suggest content unrelated to the news being searched for. For example, if you find a website with a domain name that suggests it is about a painter or British castles, yet it appears in the search results for a story about the volcanic eruption, it is likely that the link is bogus and should be avoided.

On the subject of hacked websites, it appears that the crew behind this campaign has a back catalogue of hacked sites they can call up and use at very short notice. On looking closer at the hacked sites, you will find that it looks like each of them has had a few hundred randomly named PHP pages added to them. Each of these pages redirects to a single server that is changed periodically. The following is a short list of some example PHP files that have been added to the hacked servers:


  • amvud.php
  • anbzj.php
  • bvaff.php
  • ccxkn.php
  • cidnu.php
  • cwpwb.php
  • czws.php
  • dplov.php
  • ekjoo.php
  • fghja.php
  • hkopl.php
  • hnzjw.php
  • ibuhh.php
  • ihqro.php
  • jczws.php
  • jlmw.php
  • jqcah.php
  • mkfvl.php
  • ngunu.php
  • nzjnl.php
  • ptrfv.php
  • pyowm.php
  • qbtmn.php
  • qucud.php
  • socmw.php
  • teqgl.php
  • thgpf.php
  • tkxgk.php
  • tvxyj.php
  • urgle.php
  • wfnfv.php
  • wlclk.php
  • wqeoe.php
  • xngus.php

The pages at the time of writing were redirecting to wxb0tr.xorg.pl, which in turn redirects to www1.nemocure-forthispc.in and www1.bidat-safezonefor-all.in. Sometimes, probably when the crew is performing maintenance, the site redirects to a legitimate website.

Note the Indian top-level domain—is India the new China? After the recent crackdown on Chinese domain registrations and talk of tightening up in Russia, malware makers are probably looking to other TLDs that are less stringent in their application process.

When the end of the redirection chain is reached, you will see a "Green Ring of Death" that indicates that a fake online antivirus scan is about to begin.

The sites have a series of fake scan pages, which can be displayed at random. The fake scan pages are designed to look like the application windows in various versions of Microsoft Windows, including Windows XP and Windows Vista.

After the fake scan is completed, or if you try to navigate away, you will be offered a download of a file named packupdate_build[RANDOM NUMBER]_195.exe. This familiar campaign is the handiwork of the same gang that brought you fake antivirus products during the Chilean earthquake and the iPad release campaign, as well as many other times in the past.

Users of Symantec products will be glad to hear that they are already protected. The fake antivirus Web page is blocked by our products with IPS protection as HTTP FakeAV Redirect Request, so users will not even see the fake scanner page. The file offered for download is already detected as VirusDoctor.