Phony AV Now Stalking Google Image Search

By Matthew Hines  |  Posted 2010-01-28 Print this article Print

Proving once again that rogue AV threats are as ubiquitous as any brand of malware campaign out there these days, the phony security programs have now made the leap to Google Image search results.

Rogue AV attackers are sprinkling their wares throughout search results for popular terms including the names of actresses on popular TV shows, experts with Webroot report. The attacks target end users by returning images to Google searches that subsequently point people's browsers toward URLs delivering the fake AV threats.

Someone innocently seeking pictures of an actress who recently joined the cast of the TV show "24" this week may find themselves drawn into a "JavaScript-enabled FakeAlert browser trap" Webroot blogger Andrew Brandt said in a recent post.

Users who get further sucked in by the phony AV attacks may eventually end up with a nasty infection that almost completely disables many basic desktop controls including the ability to right-click with their mouse.

The rogue's behavior on an infected system is "obnoxious in the extreme," Brandt contends.

In addition to changing desktop wallpaper, and negating mouse right click and scroll wheel capability, the infection blocks most Web-based apps and even blocks the Windows Task Manager. To help regain control of their machine the attack then offers users disinfection packages with names like "Total Security" and "Security Tool" for $50-to-$90, which are themselves just further empty threats, the researcher said.

"Each malicious URL we found funnels the browser into the same FakeAlert, which itself leads to the same rogue antivirus product," Brandt reports. "Each time we revisited the site, we ended up with what was essentially the same equally nasty rogue antivirus application, sometimes in a different skin, sometimes with a different name."

Rogue AV attacks are seemingly everywhere stalking users based on fear in the very attacks they seek to perpetuate. When considering that and taking a proverbial snapshot of the overall cyber-crime epidemic, a picture would seem to be worth a thousand words.

Follow eWeek Security Watch on Twitter at: eWeekSecWatch.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel