When it comes to planting malware, the creativity of cyber-crooks seems to be endless. Once heavily exploited by the Storm Worm gang, apocalyptic news headlines are now crawling their way into the rogue antivirus market.
If you have been looking for information about the current situation in Libya, you may have stumbled upon a piece of “news” claiming that “Security forces open fire on protesters in Syria, killing at least 20 people. NATO takes command of the no-fly zone in Libya.” The headline itself is legitimate, but it has spawned thousands of pages optimized through black-hat SEO that deliver nothing but rogue antivirus applications.
Spotted earlier this month, the rogue AV used in this attack is a spoofed version of a well-known legitimate antivirus. The infection vector is much the same as in earlier campaigns: a poisoned search result leads the user to a domain hosted with the free domain provider co.cc. At the other end of the connection, a script checks the HTTP Referer to see whether the visitor arrived from a search-engine result. If so, the visitor is redirected to a fake scanner; if not, they are redirected to google.com, which keeps the payload out of sight of anyone who opens the URL directly.
Rogue Antivirus trying to impersonate a legit antivirus solution.
This campaign has also been spotted on microblogging social networks, where the malicious links are concealed behind shortened URLs.
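The referrer check described above is a classic cloaking trick, and it is why simply pasting the landing-page URL into a browser shows nothing suspicious. The following is an added example, not code from the article or recovered from the campaign: it reconstructs the redirect logic as described (search-engine visitors go to the fake scanner, everyone else to google.com) and then runs the two-request probe an analyst uses to expose it. The same no-follow fetch also expands a shortened link one hop at a time, which is what you want for the links seen on microblogging networks. The scanner hostname, the search-engine list and the sample query are assumptions.

```python
# Added example: referrer cloaking as described in the article, plus a probe
# that detects it. The attacker-side handler is a reconstruction, not recovered
# code; FAKE_SCANNER_URL and the search-engine list are assumed placeholders.
import re
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Loose heuristic for "came from a search engine": google/bing/yahoo under any
# TLD. This is the attacker's check, so precision is not its concern.
SEARCH_ENGINE_HOST = re.compile(r"(^|\.)(google|bing|yahoo)\.[a-z.]+$")

FAKE_SCANNER_URL = "http://fake-scanner.example/scan.php"  # assumed placeholder
DECOY_URL = "http://google.com/"  # article: non-search visitors are sent to google.com


def came_from_search_engine(referer):
    """True if the Referer header names a search-engine host."""
    if not referer:
        return False
    host = (urlparse(referer).hostname or "").lower()
    return SEARCH_ENGINE_HOST.search(host) is not None


def cloaked_landing_page(request_headers):
    """Simulated attacker script on the co.cc landing page.

    Returns (status, location) the way an HTTP redirect would. Search-engine
    visitors are sent to the fake scanner; anyone who typed the URL, or any
    crawler without a Referer, is bounced to the harmless decoy."""
    if came_from_search_engine(request_headers.get("Referer")):
        return 302, FAKE_SCANNER_URL
    return 302, DECOY_URL


def probe_for_cloaking(fetch,
                       search_referer="https://www.google.com/search?q=libya+no-fly+zone"):
    """Request the page twice, once plain and once with a search-engine Referer,
    and report whether the redirect target changes. `fetch` takes a dict of
    request headers and returns (status, location)."""
    _, direct = fetch({})
    _, via_search = fetch({"Referer": search_referer})
    return {"direct": direct, "via_search": via_search, "cloaked": direct != via_search}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the Location header can be read."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url):
    """Build a fetch() for probe_for_cloaking against a real URL, never following
    redirects. Called on a shortened link it returns the first hop's target.
    Not exercised offline; use only against infrastructure you may test."""
    opener = urllib.request.build_opener(_NoRedirect)

    def fetch(headers):
        req = urllib.request.Request(url, headers=headers)
        try:
            with opener.open(req, timeout=10) as resp:
                return resp.status, None  # 2xx: no redirect was issued
        except urllib.error.HTTPError as err:
            # With redirects disabled, a 3xx surfaces here; Location is the target.
            return err.code, err.headers.get("Location")

    return fetch


if __name__ == "__main__":
    # Offline demonstration against the simulated landing page.
    print(probe_for_cloaking(cloaked_landing_page))
```

Against the simulated page the probe reports different targets for the two requests and flags `cloaked: True`; a page that answers both requests the same way is not using this trick (though it may still be cloaking on User-Agent or client IP, which this probe does not vary).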
To stay safe, we recommend that you pay extra attention to the links you click. If you have BitDefender Internet Security, BitDefender Total Security or BitDefender TrafficLight installed, search results are analyzed and any that lead to malware are marked as harmful. Also be careful when downloading applications: if you need an antivirus, go directly to your favorite vendor's site or consult the performance reviews published by independent testers.