NEWS FROM THE LAB - Monday, October 26, 2009

Rogue AV Uses F-Secure as Bait

Posted by WebSecurity @ 06:20 GMT

Lately, we've been tracking SEO attacks directing users to rogue AV sites. We've seen the people behind these attacks poisoning searches for many major world events, and some not-so-major ones as well. So it's kind of amusing — and annoying — to see F-Secure being used as the bait in this kind of thing.

We saw this search result pop up when searching for information about F-Secure:

[Image: FS Search]

Clicking on the link takes the user on a redirect path as follows:

[Image: Redirect Path]

After this, the attack follows the usual pattern of warning messages, misleading scan reports and so on:

[Image: FS Rogue Image]

Just in case it is not obvious, this looks nothing like our products.

Finally, the user is asked to install the following:

[Image: FS Rogue Install]

Which we detect as Rogue:W32/InternetAntivirus.BG. The detection covers the downloader, the downloaded installer and the main executable.

Nothing really new about this attack. Just a little more personal.

WebSecurity post by — Choon Hong