Tuesday, May 25, 2010

Fake antivirus: your blacklist and antivirus do not protect you

We have spent a fair bit of time discussing fake AV pages as they represent approximately 60% of the malicious content associated with Search Engine Optimization (SEO) attacks, according to Google. As shown in past Zscaler blog posts, it is not uncommon for Google to include malicious links in the first 10 pages of search results.

Users can do very little to spot these malicious links. Google shows a warning for only a small percentage of overall results, even days after malicious links first emerge, and antivirus browser plugins such as AVG tend to show such links as safe.

AVG plugin shows this link as safe. It is actually a redirection to a fake AV page

Browsers include blacklists of phishing and malicious sites. Firefox and Chrome use Google SafeBrowsing, while Internet Explorer uses SmartScreen Filter. Every time the browser loads a URL, the web address is checked against a list of known bad sites to stop the user from going to a malicious destination.

Google SafeBrowsing has a pretty good history of blacklisting fake AV domains. We share the lists of fake AV pages we discover with Google, as we find that they do not block them 100% of the time.

Let's look at one example. The term "marisol terrazas" was very popular on May 19th (she's a singer in the band Los Horoscopos de Durango who got married that day, apparently). On the first result page, all links are malicious! They all redirected to a fake AV page. But Google shows a warning for only two of these links. Worse still, my antivirus plugin shows all of them as safe!

All the links of the first page are malicious!

Fortunately, 4 of these links are currently down. The 6 other links lead to fake AV pages on two different domains: www1.bestdefender-51p.xorg.pl and www1.bestdefender-68p.xorg.pl. Neither Google SafeBrowsing on Firefox nor SmartScreen Filter on Internet Explorer 8 blocked any of these fake AV pages.
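As an added illustration (not code from the original post or from Zscaler), here is a simplified local version of the host-suffix / path-prefix lookup that SafeBrowsing-style blacklists perform, run against the two xorg.pl hosts named above. The blocklist contents, the benign xorg.pl neighbour and the redirect chain are constructed for the example; the point is that the destination of every redirect hop, not just the search-result URL, has to be checked.

```python
from urllib.parse import urlsplit

# Constructed local blocklist: the two fake AV hosts from the post, stored as
# "host/path-prefix" expressions. Note that "xorg.pl/" is deliberately NOT
# listed: the hoster serves many sites, so a parent-domain entry would over-block.
BLOCKLIST = {
    "www1.bestdefender-51p.xorg.pl/",
    "www1.bestdefender-68p.xorg.pl/",
}


def canonicalize(url: str):
    """Lowercase the host, drop a trailing dot and the port, keep only the path."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".").lower()
    return host, (parts.path or "/")


def lookup_expressions(url: str):
    """Host-suffix / path-prefix combinations in the style of a SafeBrowsing lookup
    (simplified: exact host plus up to 4 parent domains, full path plus every
    parent path prefix, no query handling and no hashing)."""
    host, path = canonicalize(url)
    labels = host.split(".")
    hosts = [host] + [".".join(labels[i:]) for i in range(1, min(len(labels) - 1, 5))]
    segments = path.split("/")
    paths = ["/"]
    for j in range(1, len(segments)):
        prefix = "/".join(segments[: j + 1])
        if prefix and prefix not in paths:
            paths.append(prefix)
    return {h + p for h in hosts for p in paths}


def is_blocked(url: str, blocklist=BLOCKLIST) -> bool:
    """True if any expression derived from the URL is on the blocklist."""
    return bool(lookup_expressions(url) & blocklist)


def chain_blocked(hops, blocklist=BLOCKLIST) -> bool:
    """Check every hop of a redirect chain: the SEO landing page is usually clean,
    the fake AV destination is the listed one."""
    return any(is_blocked(h, blocklist) for h in hops)


if __name__ == "__main__":
    # Constructed redirect chain: a poisoned search result leading to a fake AV page.
    chain = ["http://compromised.example/news/marisol.html",
             "http://www1.bestdefender-51p.xorg.pl/scan/?id=1"]
    print([is_blocked(h) for h in chain], chain_blocked(chain))
```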

Your antivirus will very likely fail you again when the malicious executable file is downloaded: only 12 out of 41 AV vendors find anything malicious, which is still better than the 9 out of 41 I saw earlier, or even 2 out of 41 not long ago.

The two malicious domains have been reported to Google and should be blocked on Firefox and Chrome at this time.

If you do the same search on Bing, none of the links within the search results are malicious.

-- Julien
