Friday, November 20, 2009

Scareware Taints Chromium OS Searches

Yesterday, Google announced the open source project called Chromium OS, a development phase release of the Google Chrome OS. Blackhats have quickly taken advantage of this announcement, poisoning search results to spread scareware.

Attackers continue to perform Blackhat SEO attacks on Google searches, particularly trending topics. Dangerous results are returned linking the user to Rogue Anti-Virus downloads through a series of scripts and redirects.

The search terms used in this example are "chromium os download", though any combination of terms could return dangerous results. The 5th result in the search below leads to scareware.

Clicking the link takes the user through a series of redirects, ultimately ending up at the distribution point. As with most Rogue AV scams, a fake system scan is performed informing the user their system is virus-laden and opening a download to remove the threat.

Even if the user attempts to cancel, the rogue installer starts to download a setup.exe file. The file has low anti-virus detection, as is common with Rogue AV scams, and the user is led to believe the download is safe to install.

After a standard installation, the user is now infected with "SecureKeeper". This is a brand new variant first reported by Sunbelt just yesterday.

After running another fake system scan, the software reports 736 infections and prompts the user to enter a registration key, or purchase the software. Some very scary messages are displayed, warning the user that criminals will gain access to their credit card and personal information.

Warnings will perpetually appear in the system tray, persuading the user to complete the purchase. For just $49.95 USD you can own this piece of malware...

This is a very typical attack that continues to happen all too often. Attackers will regularly change redirect URLs, malware distribution points and final payloads. This allows them to keep PageRank high and evade detection by anti-virus programs and web filters. The sites are further protected by checking the referring site to ensure the infected page can only be accessed from Google search results.
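The chain described above (search result, several redirects, a fake scan page, then an executable download) leaves a recognisable trail in web proxy logs even when the attacker rotates the intermediate hosts. The following detection script is an added example, not code from the original post or from eSoft: it reconstructs per-client click chains that begin at a search engine results page and flags those that pass through two or more redirect hops before ending in an executable download. The log format, hostnames, paths and client addresses are all constructed for the example.

```python
"""
Added detection example (not part of the original post): reconstruct click
chains that start from a search-engine results page and end in an executable
download. The log format and every hostname, path and client address below are
constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log lines, one request per line:
#   time client referer url status content_type
# Client 10.0.0.5 follows a poisoned result through two redirectors to a
# fake-scan page and then downloads setup.exe; client 10.0.0.9 lands on a
# legitimate page and later fetches an unrelated installer with no referer.
SAMPLE_LOG = """\
10:01:02 10.0.0.5 https://www.google.com/search?q=chromium+os+download http://blog-example.test/chromium-os-download.html 302 text/html
10:01:02 10.0.0.5 http://blog-example.test/chromium-os-download.html http://redir-example.test/go.php?id=7 302 text/html
10:01:03 10.0.0.5 http://redir-example.test/go.php?id=7 http://scan-example.test/scan/ 200 text/html
10:01:09 10.0.0.5 http://scan-example.test/scan/ http://scan-example.test/setup.exe 200 application/x-msdownload
10:05:00 10.0.0.9 https://www.google.com/search?q=chromium+os http://www.chromium.org/chromium-os 200 text/html
10:07:11 10.0.0.9 - http://updates.vendor-example.test/patch.exe 200 application/x-msdownload
"""

# Search engines whose results pages mark the start of a chain (assumed list).
SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}
# Content types and extensions treated as executable payloads (assumed list).
EXEC_TYPES = {"application/x-msdownload", "application/octet-stream", "application/x-dosexec"}
EXEC_EXTS = (".exe", ".scr", ".msi")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        time, client, referer, url, status, ctype = m.groups()
        records.append({"time": time, "client": client, "referer": referer,
                        "url": url, "status": int(status), "ctype": ctype})
    return records


def is_search_result_click(referer):
    """True when the referer is a results page on a known search engine."""
    p = urlparse(referer)
    return p.netloc in SEARCH_HOSTS and p.path.startswith("/search")


def is_executable_download(rec):
    """True when the response looks like a Windows executable by type or extension."""
    path = urlparse(rec["url"]).path.lower()
    return rec["ctype"] in EXEC_TYPES or path.endswith(EXEC_EXTS)


def find_scareware_chains(records, min_hops=2):
    """Return one finding per client chain: search click -> N hops -> executable.

    A hop is a request whose referer equals the URL of the previous request in
    the chain, so unrelated later downloads (no referer, or a referer outside
    the chain) do not get attached to a search click.
    """
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)

    findings = []
    for client, recs in by_client.items():
        i = 0
        while i < len(recs):
            if not is_search_result_click(recs[i]["referer"]):
                i += 1
                continue
            chain = [recs[i]]
            j = i + 1
            while j < len(recs) and recs[j]["referer"] == chain[-1]["url"]:
                chain.append(recs[j])
                j += 1
            hosts = []
            for r in chain:
                host = urlparse(r["url"]).netloc
                if host not in hosts:
                    hosts.append(host)
            hops = len(chain) - 1
            if hops >= min_hops and is_executable_download(chain[-1]):
                findings.append({"client": client, "hops": hops,
                                 "hosts": hosts, "payload": chain[-1]["url"]})
            i = j
    return findings


if __name__ == "__main__":
    for f in find_scareware_chains(parse_log(SAMPLE_LOG)):
        print(f"{f['client']}: {f['hops']} hops via {' -> '.join(f['hosts'])} "
              f"ending in {f['payload']}")
```

Run on the sample, the script reports only client 10.0.0.5, with three hops across three distinct hosts ending in setup.exe; client 10.0.0.9 is not flagged because its later download has no referer tying it back to the search click. Because, as the post notes, these pages only serve the malicious content when the referer is a Google results page, any follow-up fetch of a flagged URL from a sandbox or crawler should replay the captured Referer header, or the rescan will see a clean page and clear the site.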

Raising awareness about this type of scam is one of the most effective ways to keep users safe. Other search engines are targeted less by attackers, which may make them safer for the novice user. eSoft tracks attacks on trending topics and is marking any associated sites as malicious.
