Wednesday, November 30, 2011

From Porn to Fake AV

From Porn to Fake AV
Recently read a post on Kaspersky blog

While looking at this rogue campaign, we noticed the following. A usual fake porn site asking the user to download the fake codec to view the video

 Fake porn site

On their website we saw template background images of AV's such as Avira, Kaspersky and Norton which are used in this campaign.

Unlike old rogue's what we have seen this campaign is a bit different. The malware file (fake codec) doesn't contain any GUI component in it.

You might ask how does it perform a fake/scare scan which is a crucial part of the rogue application. Well, to achieve this the campaign has used a very simple solution. Open Internet explorer and display a webpage, carry on the fake scanning stuff online through this web page.

 The web page opened by the malware uses one of the above mentioned template background image and mimics a scan.

Avira image scan template

Kaspersky image scan template

Norton image scan template

Once the fake scan is complete they use results.php to display the fake infections found on your system.

 Bare scan result without any AV background image

The final step in any rogue campaign is to make the user pay for the junk. Interestingly this campaign doesn't push the user to buy their product. (so far)

 Interesting???


Bharath M N

Posted by Bharath M Narayan at 12:01 AM  

blog comments powered by Disqus
Subscribe to: Post Comments (Atom)