Fake AV, SEO Poisoning Top Malware Threats in April

Attackers increasingly focused on fake antivirus and black-hat SEO techniques to target victims on the Web in April.

The volume of malware continued to increase in April as online scammers and malware distributors took advantage of major events, according to security experts. Fake antivirus software and poisoned image search links were particularly prevalent in April.

There were over 73,000 new variants of malware released daily in April, a 26 percent increase over April 2010, GFI Software found in its monthly analysis released May 16. Cyber-criminals exploited several high-profile events, including the U.K. Royal Wedding of Prince William and Kate Middleton, the Easter holiday, the anniversary of Yuri Gagarin becoming the first man in space and the release of President Barack Obama's birth certificate.

Seven of the top 10 malware threats were Trojans, according to GFI's top 10 malware list for the month. Trojan.Win32.Generic!BT, a generic malware classification that encompasses a variety of Trojans, continued to be the biggest threat, accounting for over 20 percent of total malware detected. The Zeus/Spyeye Trojan and fake antivirus were also part of the top 10.

A Trojan exploiting Autorun on Windows PCs continued to make the rounds in April. Microsoft noted in its recent Security Intelligence Report that autorun worms don't affect Windows 7 systems, but unpatched versions of Windows XP remained vulnerable. Microsoft also noted the rise of fake security scareware in its report.

Attackers aggressively pushed fake antivirus software to victims in April, GFI Software found. Users were directed to malicious Websites that purported to contain exclusive content, such as videos and images. Once users were tricked into downloading and installing fake software, the rogue security program claimed to find malware and demanded users upgrade to remove the threats.

Malware writers employ techniques that alter the rogue executable to continuously create new variants within the scareware family, according to Sophos. One such family, called the "Security Tool," produces a different executable nearly every minute, so users hitting the malicious site repeatedly wind up downloading a different sample each time. Many of the fake antivirus programs are essentially the same product but skinned differently and have names that sound similar to legitimate tools, such as "Internet Security 2010," "XP Defender" and "Malware Defense."

While fake antivirus scams for Windows PCs are common, April also saw one masquerading as an antivirus product for Mac OS X, called MACDefender.

Another popular attack vector in April involved black-hat search-engine optimization techniques. Attackers hijacked legitimate search results with links to malicious pages. In April, poisoned links appeared in searches for printable Easter cards and Royal Wedding coverage. Users searching for video were directed to malicious pages that promised streaming video but in actuality downloaded malware (usually fake antivirus) onto the computer, GFI said.

Many of the pages used in SEO-poisoning attacks are hosted within a large number of compromised, legitimate sites, Fraser Howard, a principal virus researcher at Sophos Labs, wrote on the Naked Security blog. Hijacked topics and keywords include "pretty much anything," and range from the "predictable," such as Lady Gaga's shoes and Justin Bieber, to "unusual," such as ancient Inca masks, according to Howard. Many of the SEO-poisoned links point to pages constructed and managed using the Blackhole kit, available for sale on underground forums.

GFI warned that SEO poisoning would remain a big threat in May, with events such as the killing of Osama bin Laden, the Indianapolis 500 auto race, the birthday of the late author Douglas Adams and college graduation season. Any of these events could be prime targets for SEO poisoning, and users should be wary of unsolicited emails or Web offers.