Tag Archive for 'xp-antivirus-2008'

21 Aug

MS Antivirus 2008 morphed from XP Antivirus 2008

We detected a new XP Antivirus 2008 rogue security software site branded as “MS Antivirus 2008”. The file, MSASetup.exe, comes from hxxp://msantivirusxp.com/install.php and is undetected by most AV vendors at the moment.

MS Antivirus 2008

File: MSASetup.exe
File size: 1037918 bytes
MD5: 1f58d870738aaebb12ed7ece90781c6a
SHA1: d8f030275b571dea6b8836f433e933cc5e6a1834
MDB: /lithium-malware/MSASetup.zip

We also detected other new sites pushing out rogue anti-malware products.

Antivirus 09

Site: http://antivirus-purchasing.com/
Distributes: Antivirus 09
File: None yet

Site: http://antivirusfreescan2009.com/
Distributes: Antivirus 09
File: AV2009Install_.exe
DL Link: hxxp://antivirusfreescan2009.com/2009/download/trial/AV2009Install_*.exe

Removal:

Remove this threat with MalwareBytes!

05 Aug

Sponsored Result != Safe

We have been monitoring several malware campaigns lately, and we are noticing distribution spread from spam e-mails alone to social networking sites and search engine sponsored results.

A good example is the CNN Top 10 malspam campaign we exposed yesterday. The e-mail comes off as legit to the average user and leads to infection.

In a malware-related Google search, we entered the search term “CNN Top 10 XP Antivirus” and found a sponsored result for a rogue anti-malware product, Antivirus XP 2008.

Google search with malicious results

Free online check! New Generation.

Search Results

If we click the link we are taken to a rogue anti-malware site, hxxp://antivirus-xp-2008.net. *Warning* Live malicious site! Proceed at your own risk. It appears legit, offers a free scan, and even sports badges from PC Magazine, Sun, Microsoft, Intel, ICSA, Checkmark, and VB100 to keep it looking like a credible site.

XP Antivirus

If we download the files we get a zip file with 2 files. The files are pretty much undetected across the board because they are so new. We have included the JoeBox Sandbox reports for you to look at.

Zip Contents

Antivirus-XP-2008.exe
-> VirusTotal: Result: 6/36 (16.67%) CDFAE03CA18BBAF307A77F9BA2BB7B38
-> JoeBox Sandbox: JoeBox Sandbox Report

Update-July-2008.exe
-> VirusTotal: Result: 3/36 (8.34%) 2E3D63ED9BFF383926FBD34449513928
-> JoeBox Sandbox: JoeBox Sandbox Report

*UPDATED 835pm*

Found more sponsored links by simply searching “antivirus software” on Google. Same exact setup on a different domain name, hxxp://2008antivirusxp.com.


More results on other search engines (click image for Virustotal results)…


*UPDATED 8-06-08*

Another sponsored link was found for rogue antivirus software on a different domain, hxxp://xp-2008.com. This was found by searching ‘antivirus’. This has the potential to mislead many people, because searching ‘norton antivirus’, ‘mcafee antivirus’, ‘panda antivirus’, or any other REAL software also presents this advertisement.




