Posted by: secureitproduct | December 13, 2010

New infections and attack methodology creating industry-wide high infection levels

Over the past three weeks, SecurityCoverage has seen a marked increase in spyware and virus attacks. Over the course of 2010, several new infections of the rogue variety have presented themselves. Because these rogues present themselves to customers as legitimate AV products, their creators have chosen to keep exploiting that methodology by releasing so-called 2011 versions of their “product”. These infections continue to warn customers that their machine is infected and that, to be safe, the customer should download the 2011 version of the software to be protected. The leading offender we have seen to date is System Tool, which has been prevalent throughout 2010 and is now appearing as “System Tool 2011”, using different code to bypass the existing protections in legitimate AV products.

In addition to the System Tool rogue, there is also an infection known as ScanDisk (HDDScan). This infection causes numerous system pop-ups telling the customer that a disk defragmentation needs to be performed on the machine. As with other rogues, clicking on the pop-up takes you to a site to purchase a new disk defragmentation tool. For more information on this infection please see:

Over the past three weeks, the SecureIT Malware Research team has released more than 300 custom-made signatures to combat these infections. These signatures were created in addition to the approximately 58,200 signatures released as part of our regular release process. These particular files infect a machine after the end user has chosen to “run a scan” or purchase the AV software offered to them by a rogue AV message, usually seen when visiting a website that is running malicious code.

In general, these attacks have been well coordinated to coincide with Cyber Monday and the higher-volume online shopping period surrounding the holidays. Attacks are even being presented through false ads generated in search engines, such as the image below, which takes customers directly to a rogue AV scan site.

In addition to the tactics mentioned above, Facebook users have also been presented with two types of post that entice users to click on links leading to malicious code being downloaded to their machine. The first attack method tells the Facebook user they can see who has been viewing their Facebook page (see example). Clicking on the embedded link starts the infection process.

The second attack method uses messaging similar to the following:

While the message is different, the method of attack and the entry point onto the machine are the same.

All of the above examples of rogues and “false” link attacks bypass the AV product on the machine because the user is following the instructions presented by the rogue or link message and inviting the infection onto their machine.
