An unfortunate side effect of any news-worthy disasters of the modern day is that a wave of malware will often follow in the virtual world after the initial event in the physical world. The large earthquake (8.3 on the Richter scale) last night recorded off the coast of Western Samoa and the subsequent tsunami that followed caused much destruction and loss of life to the islands near the epicentre of the quake. As with any large scale disasters that quickly become major news events, people want to know what happened and to know that loved ones are safe. The Web, being a major source of information to many people around the world, is one of the first places to see such information-seeking activity. For many people, search engines are the gateway to the masses of information available and because of this, it is also one of the first places to be targeted by malware creators. They waste no time in getting their malicious software and web sites set up and poisoning the Web searches to make sure that their results are returned near the top of the page.
Searches for topics relating to this latest earthquake disaster such as “Western Samoa”, “Earthquake”, or “Tsunami” will return some pages that are bad and attempts to perform fake antivirus scans with the usual offers to clean up your computer for a fee. One such example is shown below:
When the link is followed, it displays several popup windows informing you that your computer is infected:
Since you are not given a choice to say no, the only course of action once this popup appears is to click OK, which then leads to the now all-too-familiar fake Windows scanning page:
The scan inevitably finds a motley collection of security risks and threats that need to be removed. Clicking Remove all then leads to the downloading of a file named setup_build7_195.exe.
Once executed, the bogus software begins to start downloading components and performs another fake scan which eventually reports a whole host of threats that needs fixing.
Notice that the authors of this software have gotten ahead of themselves somewhat, my computer is running in the Classic theme of Windows XP, but yet the window that pops up is a Windows Vista style, not available in XP. This is a potential giveaway that something fishy is afoot.
Activation of the product promises to remove these threats and also relieve you of over a hundred dollars of your hard-earned cash. If you don’t activate the product then you will be constantly nagged with System Tray popups and blacked-out windows warning you of the threats on your computer.
Followers of this blog will no doubt notice the similarities between this attack and many other recent ones such as the spawned by the Serena Williams outburst, and also the Twitter based attacks of a similar nature reported by my colleague Ben a couple of weeks ago. The people behind these attacks are constantly evolving and adapting their attacks to suit current news events so don’t be surprised to see more from this crew. Users of Symantec products are of course already protected as we detect and remove this software as Antivirus 2008.