Search engines are often used by attackers as platforms from which to deliver malicious code. A while ago it was reported that Google was serving up advertisements that led to misleading applications (also known as rogue antispyware products).
This time, the malicious code authors are using “Yahoo! Sponsored Search” listings as a means to promote a misleading product called “Antivirus & Security.” Antivirus-2009-new.com and Antivirus-pro-download.com are returned in Yahoo! Sponsored Search results as the latest version of AVG antivirus; however, the website actually claims that it is better than AVG and is an alternative to AVG antivirus. The sponsored search result leads to antivirus-2009-new.com and antivirus-pro-download.com, where users are asked to make a payment to buy a membership in order to obtain the product.
Instead of using techniques like search engine optimization (SEO) poisoning to get the top listing in the search engine results, attackers are using Yahoo’s advertising services to display their advertisement on all websites that display Yahoo’s sponsored search results. Here are some screenshots of the sponsored search results displayed on different websites. The misleading advertisement is circled where applicable.
And, here is the snapshot of the antivirus-2009-new.com homepage:
Here is the snapshot of the antivirus-pro-download.com homepage:
What is interesting to note is that these websites aren’t just classic misleading application websites that allow you to download trialware that detects non-existent threats, but are instead websites that are selling memberships. Specifically, the pages state that “all software is freeware and/or shareware” and one is only purchasing “…membership…for unlimited access to…organized website with links to third party freeware and shareware software, technical support, tutorials, and step-by-step guide.”
These misleading websites are not only promoting antivirus products, but they are also promoting some software applications that are free to begin with. There are a number of keywords listed below that have been found to lead users to these misleading websites:
Adobe Flash Player
Free Virus Protection
AVG Free Edition
Users should be aware that the results for keywords returned by search engines can be manipulated. As always, we encourage users to download applications directly from the vendor's website or legitimate partners.
Fortunately, these sponsored listings have since been cleaned up, and all websites that display sponsored search results from Yahoo no longer appear to be displaying these misleading advertisements. However, links to these websites in forum comments and other website pages can still be found. A Yahoo search returned around 9,000 results and a Google search returned around 5,000 results when searching for “antivirus-2009-new.com.” For “antivirus-pro-download.com,” Yahoo returned around 10,000 results and Google returned around 1,650 results.
The whois record for the domain “antivirus-2009-new.com” shows that it was created on 07-Jan-09 and last updated on 23-Jan-09.
Domain Name: ANTIVIRUS-2009-NEW.COM
Created on: 07-Jan-09
Expires on: 07-Jan-10
Last Updated on: 23-Jan-09
The whois record for the domain “antivirus-pro-download.com” shows that it was created on 10-Nov-08.
Domain Name: ANTIVIRUS-PRO-DOWNLOAD.COM
Created on: 10-Nov-08
Expires on: 10-Nov-09
Last Updated on: 10-Nov-08
Symantec customers are protected from these misleading domains via IPS, which will block connections to the misleading domain as HTTP_MISLEADING_APPLICATION.