Zscaler Blog

Fake Antivirus: Your Denylist and Antivirus Do Not Protect You

JULIEN SOBRIER
May 25, 2010 - 2 min read

We have spent a fair bit of time discussing fake AV pages as they represent approximately 60% of the malicious content associated with Search Engine Optimization (SEO) attacks, according to Google. As shown in past Zscaler blog posts, it is not uncommon for Google to include malicious links in the first 10 pages of search results.

Users can do very little to spot these malicious links. Google shows a warning for only a small percentage of overall results, even days after malicious links first emerge, and antivirus browser plugins such as AVG tend to show such links as safe.
 

[Image: AVG plugin shows this link as safe. It is actually a redirection to a fake AV page.]
 
Browsers include denylists of phishing and malicious sites. Firefox and Chrome use Google Safe Browsing, while Internet Explorer uses SmartScreen Filter. Every time the browser loads a URL, the web address is checked against a list of known bad sites to stop the user from going to a malicious destination.
 
Google Safe Browsing has a pretty good history of blocking fake AV domains. We share the lists of fake AV pages we discover with Google, as we find that they do not block them 100% of the time.
 
Let's look at one example. The term "marisol terrazas" was very popular on May 19th (she's a singer in the band Los Horoscopos de Durango who got married that day, apparently). On the first result page, all links are malicious! They all redirected to a fake AV page. But Google shows a warning for only two of these links. Worse still, my antivirus plugin shows all of them as safe!
 
[Image: All the links on the first page are malicious!]
 
Fortunately, 4 of these links are currently down. The 6 other links lead to fake AV pages on two different domains: www1.bestdefender-51p.xorg.pl and www1.bestdefender-68p.xorg.pl. Neither Google Safe Browsing on Firefox nor SmartScreen Filter on Internet Explorer 8 blocked any of these fake AV pages.
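To make the denylist mechanism described above concrete, and to show why a plugin rating the search-result link itself can miss a fake AV page reached through a redirect, here is a small illustration in Python. It is an added example, not Zscaler's code and not how any browser actually implements its denylist (Google Safe Browsing, for instance, matches hashed URL prefixes rather than plain strings). The two listed domains are the ones named in this post; the SEO-poisoned hostname `seo-poisoned.example` and the redirect chain are constructed sample data.

```python
"""
Simplified browser-style denylist check (added illustration, not Zscaler's
or any browser's real code). Real services such as Google Safe Browsing
match hashed URL prefixes; plain string matching here is a stand-in.
The denylisted domains are the ones named in the blog post; the redirect
map is constructed sample data with a hypothetical hostname.
"""
from urllib.parse import urlsplit

# Domains named in the post as hosting the fake AV pages.
DENYLIST = {
    "www1.bestdefender-51p.xorg.pl",
    "www1.bestdefender-68p.xorg.pl",
}

# Constructed sample: an SEO-poisoned page (hypothetical hostname) that
# bounces the visitor to the fake AV page. A real browser would observe
# this as an HTTP redirect; here it is a lookup table.
REDIRECTS = {
    "http://seo-poisoned.example/marisol-terrazas.html":
        "http://www1.bestdefender-51p.xorg.pl/scan/",
}


def hostname(url: str) -> str:
    """Lower-cased hostname of a URL, without port or trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def matches_denylist(url: str, denylist=DENYLIST) -> bool:
    """True if the URL's host, or any parent domain of it, is listed.

    Walking up the parent domains means an entry such as 'evil.test'
    also covers 'a.b.evil.test'; the post's entries are full hostnames.
    """
    labels = hostname(url).split(".")
    return any(".".join(labels[i:]) in denylist for i in range(len(labels)))


def follow_redirects(url: str, redirects=REDIRECTS, max_hops: int = 10) -> list:
    """Return the chain of URLs visited, following the sample redirect map.

    max_hops bounds the loop so a redirect cycle cannot run forever.
    """
    chain = [url]
    while chain[-1] in redirects and len(chain) < max_hops:
        chain.append(redirects[chain[-1]])
    return chain


def verdict(url: str) -> dict:
    """Check a search-result link both at its first hop and at its final
    destination. Checking only the first hop is the mistake the post
    describes: the landing page looks clean, the destination does not."""
    chain = follow_redirects(url)
    return {
        "chain": chain,
        "first_hop_listed": matches_denylist(chain[0]),
        "final_listed": matches_denylist(chain[-1]),
    }


if __name__ == "__main__":
    for link in ("http://seo-poisoned.example/marisol-terrazas.html",
                 "http://www1.bestdefender-68p.xorg.pl/"):
        print(link, verdict(link))
```

For the constructed search-result link, `first_hop_listed` is false while `final_listed` is true: a check that stops at the URL shown in the results would rate it safe, which matches what the post reports for the AVG plugin. A denylist is also only as good as its freshness, so the same code returns false for a fake AV domain that has not yet been reported.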
 
Your antivirus will very likely fail you again when the malicious executable file is downloaded: only 12 out of 41 AV vendors find anything malicious, which is still better than the 9 out of 41 I saw earlier, or even 2 out of 41 not long ago.
 
The two malicious domains have been reported to Google and should be blocked on Firefox and Chrome at this time.
 
If you do the same search on Bing, none of the links within the search results are malicious.
 
-- Julien