Fake Antivirus Attack Not Out

Armorize researchers have observed a new case of mass malicious code injection into vulnerable websites across the internet; the security lab estimates that at least 22,400 unique domains are spreading malware by including a malicious iframe.

This time the attackers slipped: they omitted the <script> tag before the malicious code, so the injected script was displayed as page text rather than executed, which let Google index more than 536,000 compromised pages. The attackers have since fixed the script, and Google therefore no longer indexes the infected websites.
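As an added example (not code from the article or from Armorize), here is a small Python audit a site owner could run over fetched pages to flag the two artefacts described above: a hidden third-party iframe, and JavaScript injected without its <script> tag that therefore shows up as visible page text. The sample pages and hostnames are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample pages; hosts are hypothetical, not real indicators.
CLEAN_PAGE = """<html><body><h1>Welcome</h1><iframe src="https://www.youtube.com/embed/abc"
 width="560" height="315"></iframe></body></html>"""
INJECTED_PAGE = """<html><body><h1>Welcome</h1><iframe src="http://evil.example/in.php"
 width="1" height="1" style="visibility:hidden"></iframe></body></html>"""
# JavaScript injected without its <script> tag: browsers render it as page text.
LEAKED_PAGE = """<html><body>document.write('<iframe src="http://evil.example/x.php"
 width=1 height=1></iframe>');</body></html>"""

def _tiny(value):
    """True for the 0px/1px sizes used to keep an iframe out of sight."""
    return bool(value) and re.fullmatch(r"0*[01](?:px)?", value.strip()) is not None

class IframeAuditor(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.findings, self.text, self.in_script = page_host, [], [], False
    def handle_starttag(self, tag, attrs):
        self.in_script = self.in_script or tag == "script"
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        host = urlparse(src).hostname or ""
        style = (a.get("style") or "").replace(" ", "").lower()
        reasons = []
        if host and host != self.page_host:
            reasons.append("third-party src " + host)
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("near-zero size")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if len(reasons) >= 2:  # require two independent signals to limit false positives
            self.findings.append((src, reasons))
    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"
    def handle_data(self, data):
        if not self.in_script:  # keep only text a visitor would actually see
            self.text.append(data)

def audit(html, page_host):
    """Return [(location, reasons), ...] for one fetched page."""
    p = IframeAuditor(page_host)
    p.feed(html)
    if re.search(r"document\.write\s*\(|eval\s*\(", "".join(p.text)):
        p.findings.append(("visible text", ["JavaScript shown as content (missing <script> tag)"]))
    return p.findings
```

A normal embedded video with a third-party source but a visible size is not reported, while the tiny hidden iframe and the leaked `document.write(` text are.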

The script is a modified version of the BlackHole exploit pack, which uses the Java OBE (Open Business Engine) toolkit to deliver exploits and load the malicious executable onto the victim's machine. Once a victim's browser follows the malicious iframe, it downloads a JAR file with an encoded URL parameter; one of the classes in that JAR decodes the parameter into a clear-text URL, which is then concatenated with an HTTP GET parameter and used to download further malicious payload files.

By analyzing the malware, researchers found a fake antivirus that takes a different name depending on the operating system: "XP Security 2012" for Windows XP, "Vista Antivirus 2012" for Windows Vista and "Win 7 Antivirus 2012" for Windows 7. Fake antivirus programs have been used to trick millions of computer users into paying as much as one hundred dollars for a phony software license. As a result, fake AV software has become one of the most lucrative criminal operations on the Internet.

There are usually three primary methods of infecting users with fake AV: social engineering, drive-by-download attacks, and botnets. This attack combines a drive-by download with social engineering to convince the victim to install the fake AV voluntarily.

To protect yourself against this kind of threat, I recommend following the Ten steps to protect Microsoft based systems.
