Fake AV: A royal wedding present

Posted on April 29, 2011 - 15:29 by imeister

Just like millions of other people around the globe, we at StopBadware woke up today to headlines trumpeting the highlights of the wedding of Prince William and Kate Middleton. It's not just the British who are riveted to this once-in-a-lifetime event: over at Google Trends, "royal wedding coverage" is the number one "Hot search" in the United States right now. Sadly, the fervor the wedding is generating creates a plum opportunity for cybercriminals to deliver malware to unsuspecting Internet users, and, sure enough, they're taking it.

As a quick experiment, we decided to load up Internet Explorer and take a quick look around to see what it would take for a curious searcher to run into a malware distribution point. To show how quickly and effectively we were able to do so, we made a short video:

From a Google Web Search page (note the celebratory Doodle), we entered "royal wedding coverage" into the search bar. Google offers us news, videos, and approximately 41.6 million other results, but let's say the user is interested in pictures. Clicking over to Google Image Search, we see a number of pictures of regal couples. Since everyone's abuzz over the royal bride's gown, we look at the third photo in the lineup, captioned "Royal Wedding Gowns Photos". It's easy not to notice the domain name hosting that image: kiwiblitz dot com. Perhaps it's a bit odd, but not necessarily enough to trigger a user's suspicions. Clicking the image brings us to the familiar Google Image Search frame and what seems to be an empty content frame. All of a sudden, the window closes, and a warning box pops up: "Warning! Your computer contains various signs of viruses and malware programs presence. Your system requires immediate anti viruses check! System Security will perform a quick and free scanning of your PC for viruses and malicious programs."

The rest of the video speaks for itself: it's a classic push for Fake AV, or malware masquerading as security software.

But what happened with that click?

Google Image search identified the image as residing on

http:// www. kiwiblitz. com/gnRoyal-Wedding-Photos/

and loaded that URL in an inline frame. Kiwiblitz appears to be a weekly webcomic, hosted by Dreamhost; we have no reason to believe the site's legitimate owners intended for this URL to exist. Rather, an attacker appears to have exploited a weakness in the site's security model and inserted a redirect for the URL above, pointing the browser to a very different URL (spaces added!):

http:// nyzjgyt .co. cc/?s=sF02xJ%2FCyzHrtd0cW%2BxIuDEqAhS5AX2ob5FOFLZph%2FNw2z18Sf629pF4Z2FqVF1Sgw%3D%3D

nyzjgyt .co. cc is a subdomain of co. cc, a Korean company specializing in offering low-cost bulk registration and redirect services. The subdomain resolved to IP address, hosted by Portlane, a Swedish hosting provider. The request returned the obfuscated JavaScript responsible for closing the search window, "alerting" the user, and displaying the false initial scan. When the false security alert is clicked at the conclusion of the "scan," the browser sends the following HTTP GET request:

http:// nyzjgyt .co. cc/download/?k=sF02xJ%2FCyzDmuN0cW%2BxIuDEuAhXsViiuOZUaE%2BA%2F0v512z8rHvbkpcdwYzJtU

which in turn redirects (302) to the malicious payload:

http:// nyzjgyt .co. cc/file/neon2/SecurityScanner. exe

We submitted the executable to VirusTotal for analysis by automated antivirus engines; only 4 of 42 engines identified the file as a threat. Microsoft's antivirus detection engine reported the file to belong to the Win32/FakeRean family, which disrupts users' ability to browse the web and prompts them relentlessly to "purchase a license" for the Fake AV software. If a user agrees to do so, Internet Explorer will open (with the URL bar conveniently hidden) and load content from the following page:

http:// vupuhuzyniw. com/buy. html

vupuhuzyniw. com was registered yesterday and loads content from, hosted by in Chicago. The registrant purports to be someone in the south of France, though likely this is fake or stolen information. Any users who submit their credit card information into the form on this site at the behest of the Fake AV software are at substantial risk of suffering credit card fraud and identity theft.

Although the payload from this attack can be extremely annoying and costly—it makes the PC all but unusable—this sort of attack is certainly not of the most sophisticated or technically dangerous variety. A user who does not download or run the Fake AV executable does not appear to suffer compromise, and the payload does not appear to exfiltrate user data or install other malware. However, it does highlight the number of stakeholders in the Internet ecosystem with proverbial skin in the game.

We have reported the image search result to Google and are taking steps to notify the parties that appear to be unwitting participants in this scam. As always, we urge all users to exercise caution when searching, even—and especially!—when looking for popular content.

Add new comment

Filtered HTML

  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.