The first article of this blog series provided an introduction to rogue applications that parade as fake antivirus scanners and/or fake “system cleaners.” Once installed, these misleading applications attempt to scare the user into believing that his or her computer is infected with dozens of threats. This is done using constant pop-ups, taskbar notification icons, etc. These apps usually start off with a fake scan of the system and then proceed to report non-existent threats. The goal is to lure the user into buying the fake product, which promises to clean up all of those made-up threats.
Today, I’m going to continue discussing the ways in which malicious applications make it onto a victim’s system. In this article I will show you the distribution vectors for fake scanner Web pages.
Fake scanner Web pages
These present yet another way for a computer to become infected with misleading applications:
Fake scanner pages are Web pages that are designed to look and feel like an antivirus scanner. These pages normally simulate a system scan (the “scan” is just animation and script running in the browser; nothing on the disk is read) and then report threats that do not exist. They also use various social engineering tactics, such as throwing up JavaScript “alert” and “confirm” dialog boxes when the user tries to navigate away to a different page, so that every attempt to leave is met with another warning. Again, the ultimate goal of these pages is to coerce the user into directly downloading the misleading application.
We have seen some fake scanner pages using innovative social engineering strategies. For example, we observed one scanner Web page positioning itself as a “pornographic image scanner.” The Web page pretended to scan the system for questionable images, and then displayed pre-stocked pornographic images that it claimed were found on the system. It then prompted the user to download the misleading application in order to delete these images:
Methods of distributing fake scanner Web pages
Malvertisements
Malvertisements are malicious ads, usually in the form of Flash ads, that redirect the user to fake scan Web pages. Mainstream websites, as well as less reputable sites, are susceptible to them. Since the administrator of a website normally has no control over which ads are served on it, and advertising networks screen ads with varying degrees of rigor, it is no surprise that malvertisements continue to spread malicious content, including misleading applications, every day. We continually see reports from users who were on a reputable news site or forum and all of a sudden received a misleading application pop-up telling them they are infected.
Malicious links to fake scanner pages are also distributed via instant messaging spam and email spam messages, using campaign slogans like “scan your system now” with a link to the fake scanner page. In addition, attackers often use blog spam to distribute these URLs.
Hijacked Search Engine Results
Lately we have observed an increase in redirections to fake scan websites from search engine results. We have seen reports of attackers who have compromised a Web server modifying its configuration files in order to redirect visitors to fake scan websites.
By appending a RewriteCond line that matches the HTTP Referer header of popular search engines, together with a RewriteRule that sends matching requests elsewhere (RewriteCond and RewriteRule are Apache mod_rewrite directives, commonly placed in .htaccess files), the attacker can redirect all traffic arriving at the website from search engines to a fake scan webpage. Because only visitors arriving from a search engine are redirected, the site owner who types the address directly sees nothing wrong, which is why these hijacks can persist for a long time. Not only is the user at risk here, but the website owner loses revenue due to the decrease in traffic to the website.
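The following is an added example, not code from the original article, showing how a site owner can check an Apache configuration or .htaccess file for the referrer-conditional redirect described above. The sample configuration and the domains in it (example.com, fake-scanner.invalid) are constructed for illustration; the list of search-engine names and the `own_hosts` parameter are assumptions the caller adjusts for their own site.

```python
"""Scan Apache mod_rewrite directives for referrer-based search-traffic hijacks.

Added example, not from the original article. Flags a RewriteRule that is
guarded by a RewriteCond on %{HTTP_REFERER} naming a search engine and that
sends the visitor to a host other than the site's own.
"""
import re
from urllib.parse import urlparse

# Search-engine names typically matched in hijacking rules (assumed list; extend as needed).
SEARCH_ENGINES = ("google", "yahoo", "bing", "msn", "live", "aol", "ask", "altavista")

COND_RE = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.IGNORECASE)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.IGNORECASE)


def is_search_referer_cond(test_string, pattern):
    """True if this RewriteCond tests the Referer header for a search engine name."""
    if test_string.upper() != "%{HTTP_REFERER}":
        return False
    return any(name in pattern.lower() for name in SEARCH_ENGINES)


def find_referrer_hijacks(config_text, own_hosts):
    """Return [(line_no, target_host, target_url)] for every suspicious RewriteRule.

    RewriteCond lines accumulate until the next RewriteRule, which they guard
    (this mirrors how mod_rewrite pairs conditions with rules). A rule is
    reported only if at least one guarding condition matches a search-engine
    Referer and the rule's target is an absolute URL on a host not in own_hosts.
    """
    own = {h.lower() for h in own_hosts}
    findings = []
    pending = []  # (test_string, pattern) of RewriteCond lines awaiting their rule
    for line_no, line in enumerate(config_text.splitlines(), 1):
        m = COND_RE.match(line)
        if m:
            pending.append((m.group(1), m.group(2)))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        conds, pending = pending, []
        target = m.group(2)
        host = urlparse(target).hostname or ""  # "" for relative targets like /page.html
        if not host or host.lower() in own:
            continue  # visitor stays on the site: not a hijack
        if any(is_search_referer_cond(t, p) for t, p in conds):
            findings.append((line_no, host, target))
    return findings


# Constructed sample .htaccess: two legitimate rule sets followed by an injected hijack.
SAMPLE_HTACCESS = """RewriteEngine On

# Legitimate: canonicalise the bare domain to www
RewriteCond %{HTTP_HOST} ^example\\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]

# Legitimate: search visitors get a landing page on the same site
RewriteCond %{HTTP_REFERER} google [NC]
RewriteRule ^$ /welcome-from-search.html [L]

# Injected by an attacker (constructed for this example; the domain is a placeholder)
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*$ [NC]
RewriteRule ^(.*)$ http://fake-scanner.invalid/scan.php?ref=$1 [R=302,L]
"""

if __name__ == "__main__":
    for line_no, host, target in find_referrer_hijacks(
        SAMPLE_HTACCESS, ["example.com", "www.example.com"]
    ):
        print(f"line {line_no}: search-engine visitors redirected to {host} ({target})")
```

Run against a real site, feed it every .htaccess in the document root as well as httpd.conf and included virtual host files. A clean result from this check is not proof of a clean site: the redirect can also live in PHP code or in an obfuscated rewrite pattern, so the complementary test is to fetch the site with a search-engine Referer (for example `curl -I -e "http://www.google.com/search?q=test" http://www.example.com/`) and compare the response with a plain request; an unexpected 302 to another domain is the symptom the article describes.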
You may be wondering how an attacker gets his or her hands on these Trojans, fake codecs, and fake scanner URLs. Please keep an eye open for the concluding part 3 of this series, in which I will provide a breakdown of the distribution and payment models that exist in the online underground economy.