While searching for a family member who has recently gotten himself into trouble with the law, I uncovered more blackhat SEO campaigns redirecting users to install fake anti-malware programs. I only searched their name and came up with a strange domain. Searching for just that domain turned up almost 400 results. Each one runs JavaScript that redirects the user through a number of domains to a page that then tries to socially engineer the installation of the malware. Just from the screenshot below you can see that a few search terms can trigger these redirections. Of course, you must click on the Google search result for the redirection to work: the pages check the HTTP Referer header to determine which page you came from, so the redirect does not fire when the URL is opened directly.
WARNING: URLs may still be live. Use at your own risk.
Below is the chain of domains through which you are redirected to the malware site. Note that the affiliate id carried in the first hop (go.php?id=1326) reappears as uid=1001326 at fra22.net and in the name of the installer, Setup_build7_1001326.exe.
Google Search Results
hxxp://tdsdm.net/go.php?id=1326
->hxxp://fra22.net/?pid=3&uid=1001326&abbr=EXAVR
->hxxp://viruscatcher.net/?p=nqd2al6poZ2eXpSWYmNfalin12rZpoi2U8XNx26ZkX%2Bql4malJarcYV3eY2kdQ%3D%3D
or
->hxxp://virusshield-scan.net/?p=nqd2a16poZ2eXpSWYmNfalin12rZpoi2U8XNx26ZkXyrh8SblKZ2gXt1jHyp
This last page then 'starts a scan' of your computer, reports infections, and suggests that you download and install its anti-malware software.
Below is another screenshot, this time showing the interface of the Malware Catcher 2009 rogue program. It's really not too bad for a fake program, apart from a few issues in the GUI.
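As an added example (not code from the original post), here is a small Python script that reproduces the check described above: fetch the first URL once with no Referer and once with a Google search Referer, follow any Location redirects, and report whether the two paths differ. Because the post says the pages redirect with JavaScript, which leaves no Location header, the final body served to the two requests is compared as well. The `live_fetch` function really does make requests, so use it against the hxxp URLs above only with the warning in mind; the constructed `demo_fetch` in the script replays a chain modelled on the one listed above so that the script runs offline. `GOOGLE_REFERER`, `follow_chain`, `check_referer_cloaking` and the demo responses are assumptions of this example, not anything observed on the live sites.

```python
"""Referer-cloaking check: does a page redirect differently when the visitor
appears to arrive from a Google search result?  (Added example, not from the post.)"""
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Assumed Referer value that makes the landing page believe a Google result was clicked.
GOOGLE_REFERER = "https://www.google.com/search?q=example"

# A response is (status, lower-cased headers, body).
Response = Tuple[int, Dict[str, str], bytes]
Fetcher = Callable[[str, Optional[str]], Response]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx status and headers


def live_fetch(url: str, referer: Optional[str]) -> Response:
    """One real request to `url`, with an optional Referer, without following redirects."""
    req_headers = {"User-Agent": "Mozilla/5.0"}
    if referer:
        req_headers["Referer"] = referer
    req = urllib.request.Request(url, headers=req_headers)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=15) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    except urllib.error.HTTPError as err:  # 3xx (and 4xx/5xx) land here
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read()


def follow_chain(url: str, referer: Optional[str], fetch: Fetcher = live_fetch,
                 max_hops: int = 10) -> Tuple[List[str], bytes]:
    """Follow Location headers from `url`, resending the same Referer on every hop
    (as a browser does), and return the URLs visited plus the final body."""
    chain, current, body = [url], url, b""
    for _ in range(max_hops):
        status, headers, body = fetch(current, referer)
        location = headers.get("location")
        if not (300 <= status < 400 and location):
            break
        current = urllib.parse.urljoin(current, location)
        chain.append(current)
    return chain, body


def check_referer_cloaking(url: str, fetch: Fetcher = live_fetch) -> Dict[str, object]:
    """Compare the path taken with no Referer against the path taken with a Google Referer.
    The landing body is compared too, because a JavaScript redirect leaves no Location header."""
    plain_chain, plain_body = follow_chain(url, None, fetch)
    google_chain, google_body = follow_chain(url, GOOGLE_REFERER, fetch)
    return {
        "chain_without_referer": plain_chain,
        "chain_with_google_referer": google_chain,
        "landing_body_differs": plain_body != google_body,
        "cloaked": plain_chain != google_chain or plain_body != google_body,
    }


def demo_fetch(url: str, referer: Optional[str]) -> Response:
    """Constructed, offline stand-in for live_fetch, modelled on the chain in the post:
    the first hop only redirects when the Referer looks like a Google search.
    The responses and the viruscatcher.net query string are made up for the demo."""
    from_google = bool(referer) and "google." in referer
    if url.startswith("http://tdsdm.net/go.php"):
        if from_google:
            return 302, {"location": "http://fra22.net/?pid=3&uid=1001326&abbr=EXAVR"}, b""
        return 200, {}, b"<html>nothing to see here</html>"
    if url.startswith("http://fra22.net/"):
        return 302, {"location": "http://viruscatcher.net/?p=demo"}, b""
    return 200, {}, b"<html>Your computer is infected! Download Malware Catcher 2009</html>"


if __name__ == "__main__":
    import json
    # Offline run against the constructed chain; swap demo_fetch for live_fetch to test a real URL.
    print(json.dumps(check_referer_cloaking("http://tdsdm.net/go.php?id=1326", demo_fetch), indent=2))
```

Run as-is the script exercises only the constructed chain; passing `live_fetch` (the default) sends two requests per hop to whatever URL you give it. A result with `cloaked` true and an empty extra chain but a differing body is the pattern to expect when the redirect is done in JavaScript rather than with a 3xx.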
Whois of gevitvox.in
Whois of tdsdm.net
Whois of fra22.net
Setup_build7_1001326.exe
VirusTotal result: 8/40 (20%)
MD5: c063b84024df0b86a016a739479cb1f8
VirusTotal
ThreatExpert
ReleaseXP.exe
VirusTotal result: 7/40 (17.5%)
MD5: ca0cef8b3f2e9bcf0ad7b625db54bc10
VirusTotal
ThreatExpert