Blog Zscaler

Ricevi gli ultimi aggiornamenti dal blog di Zscaler nella tua casella di posta

Iscriviti
Security Research

Fake Antivirus: Your Denylist and Antivirus Do Not Protect You

image
JULIEN SOBRIER
maggio 25, 2010 - 2 Minuti di lettura

We have spent a fair bit of time discussing fake AV pages as they represent approximately 60% of the malicious content associated with Search Engine Optimization (SEO) attacks, according to Google. As shown in past Zscaler blog posts, it is not uncommon for Google to include malicious links in the first 10 pages of search results.

Users can do very little to spot these malicious links. Google shows a warning for only a small percentage of overall results, even days after malicious links first emerge, and antivirus browser plugins such as AVG tend to show such links as safe.
 

Image
AVG plugin shows this link as safe. It is actually a redirection to a fake AV page
 
Browsers include denylists of phishing and malicious sites. Firefox and Chrome use Google SafeBrowsing, while Internet Explorer uses SmartScreen Filter. Everytime the browser loads a URL, the web address is checked against a list of known bad sites to stop the user from going to a malicious destination.
 
Google Safe Browsing has a pretty good history of blocking fake AV domains. We share with then  lists of fake AV pages we discover with Google as we find that they do not block them 100% of the time.
 
Let's look an one example. The terms "marisol terrazas" was very popular on May 19th (she's a singer in the band Los Horoscopos de Durango who got married that day, apparently). On the first result page, all links are malicious! They all redirected to a fake AV page. But Google shows a warning for only two these links. Worse still, my antivirus plugin shows all of them as safe!
 
Image
All the links of the first page are malicious!
 
Fortuantely, 4 these links are currently down. The 6 other links lead to fake AV pages on two different domains: www1.bestdefender-51p.xorg.pl and www1.bestdefender-68p.xorg.pl. Neither Google Safe Browsing on Firefox nor SmatScreen Filter on Internet Explorer 8 blocked any of these fake AV pages.
 
Your antivirus will very likely fail you again when the malicious executable file is downloaded: only 12 out 41 AV vendors find anything malicious, which is still better than the 9 out of 41 I saw earlier, or even 2 out of 41 not long ago.
 
The two malicious domains have been reported to Google and should be blocked on Firefox and Chrome at this time.
 
If you do the same search on Bing, none of the links within the search results are malicious.
 
-- Julien
form submtited
Grazie per aver letto

Questo post è stato utile?

Ricevi gli ultimi aggiornamenti dal blog di Zscaler nella tua casella di posta

Inviando il modulo, si accetta la nostra Informativa sulla privacy.