Big Fake-AV Attack Rolls On...

April 24, 2012 - By Chris Larsen

Another item in the post-vacation queue for the blog is an update on the big Fake AV attack we posted about at the beginning of the month.

From last Friday's logs, I pulled data on one sample server. Here's what it had been up to:

- 2400+ URLs in the week from 4/13 (when it joined the attack) to 4/20.

- 63 different "sibling sites" (on various creatively named .info domains)

- We had blocked 1900+ URLs via our Background Checker module, and another 500 or so requests via our Shady-EXE detector.

(Since Friday, another 24 sibling sites have been hosted there, and the blocked URL count is approaching 2800.)


I traced a dozen or so individual attack chains last Friday, and all but one looked like classic SEP (Search Engine Poisoning) attacks, either leading directly to Google and Bing search result pages, or to obvious SEP link-farms.

The single exception I noticed was a hacked-site attack, where a legitimate page on included a link to a 1x1 pixel image file located on a shady site ( which relayed the would-be victim to the malware site that we blocked.


Then yesterday, I had an up-close encounter with this same attack (on a different server), when one of the other engineers said, "Hey Chris, let me show you what my wife and I ran into this weekend."

He explained that his wife was thinking of changing jobs, and wanted to write a polite and proper letter of resignation. So he helped her search for "resignation letter form" on Google:

[Screenshot: sample Google search, highlighting the image search section]


I highlighted the "Images for resignation letter form" section in red, since that's what caught his eye -- wow, lots of sample letters right there waiting to be viewed!

So he clicked on the "Images..." link, and then clicked on the first sample letter:

[Screenshot: Google image search results]


Unfortunately, that first sample letter image had actually been planted on a hacked site (so that Google would be more trusting of it, and be willing to place it highly in the image search results), as part of this SEP attack.

Clicking it brought up a very brief view of the sample letter image (probably less than a second) before his browser was whisked away to the attack page, which informed him that a nasty virus had been detected on his computer. Luckily, this site (one of the .info domain names characteristic of this attack) had a free tool he could download to automatically clean up the problem! (He was smart enough not to proceed with the download.)

I thought the SEP link that fooled Google was interesting:

since .JPG files are not typically stored in a /css/ directory.


(Today when I re-checked, the poisoned image is still there in the search results, but I was routed to a Bing search results page when I clicked it.)
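The ".JPG in a /css/ directory" observation can be turned into a simple log-review heuristic. The sketch below is an added example, not code from the original post or from any product mentioned in it; it generalizes the check to other asset directories, and the directory-to-extension mapping, the function names and all sample URLs are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Assumed mapping: asset directory name -> extensions normally stored in it.
EXPECTED = {
    "css": {".css", ".map"},
    "js": {".js", ".mjs", ".map"},
    "fonts": {".woff", ".woff2", ".ttf", ".otf", ".eot"},
}

def mismatch(url):
    """Return (directory, extension) when a file's type does not fit the
    directory it sits in directly, otherwise None."""
    # Decode percent-escapes and ignore the query string and fragment.
    path = posixpath.normpath(unquote(urlsplit(url).path))
    parent, name = posixpath.split(path)
    ext = posixpath.splitext(name)[1].lower()
    # Only the immediate parent counts, so /css/images/bg.png is not flagged.
    folder = posixpath.basename(parent).lower()
    allowed = EXPECTED.get(folder)
    if allowed is None or not ext or ext in allowed:
        return None
    return folder, ext

def flag_urls(urls):
    """Return (url, directory, extension) for every URL worth a closer look."""
    return [(u, *m) for u in urls if (m := mismatch(u))]

# Constructed sample URLs (not taken from the attack described in the post).
SAMPLE = [
    "http://hacked-site.example/themes/x/css/resignation-letter-form.JPG",
    "http://shop.example/css/site.css?v=3",
    "http://shop.example/css/images/bg.png",
    "http://blog.example/js/%70hoto.jpeg",
    "http://blog.example/images/logo.png",
]

if __name__ == "__main__":
    for url, folder, ext in flag_urls(SAMPLE):
        print(f"review: {ext} file directly under /{folder}/ -> {url}")
```

A hit is only a reason to look closer, since some sites do keep images beside their stylesheets.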


Anyway, I informed my co-worker that "sample letters" was a common topic for SEP attackers to target (as detailed in part four of our recent SEP blog posts, down near the bottom; there is also a post on "Image SEP" attacks in part six of that series).

So he shouldn't feel bad; even a smart user, who's very aware of malware issues, can still be fooled by an SEP attack, especially when there's nothing obvious amiss with the name of the hacked domain, and the image itself is completely valid in its own right....