One of the primary methods for delivering rogue anti-virus products – products that pretend to be legitimate anti-malware, but are really trojans – has long been via search engine poisoning. This involves compromising a legitimate site or creating a new malicious site, and then engineering the search engines to return the site high on their results pages. Google and Bing are frequently used. The ‘con’ depends upon users’ inherent trust of the search engines: if they say ‘go to this site’, users tend to go to that site without considering that it might be malicious.
The user then receives a false scan. It pretends to be a legitimate anti-malware scan that has found viruses on the user's computer, and offers to clean them. But if the user accepts the ‘offer’, all that happens is that he covertly installs a malicious trojan.
The latest development noted by GFI continues this theme of trust in the search giants. The false scan is claimed to be initiated by Google itself, but is otherwise fairly typical. A message appears saying “Google systems have detected unusual traffic from your computer. Please check you PC on viruses. To continue, please download and install our antivirus software.” This is followed by a download button, followed by the standard warning: “or our system will block your access to Google services.” (Notice the grammatical errors, also a fairly typical indication of malware.)
“Despite the best efforts of the whole industry,” GFI senior threat researcher Chris Boyd told Infosecurity, “malware writers continue to innovate and pose a genuine, high-risk threat to consumers and business users with these fake apps and convincing web-based simulated scans.” This one attempts to install Trojan.Win32.Fakeav.tri. “This latest scam illustrates how devious rogue AV threats are becoming, and highlight the Importance of frequent definition updates, paired with strict web filtering technology to block the majority of rogue sites before they even get near the client.”