A piece of fake anti-virus scareware, Antivirus 8, has been
infecting computers via ICQ in recent days according
to Roel Schouwenberg at Securelist.
What makes this fake antivirus popup intriguing is that it appears to be infecting
users who are not actively using their computer.
While most fake antivirus infections result from users
actively browsing the web and interacting with infected sites, research has
shown that Antivirus 8 is being served to users when ICQ fetches and displays
new advertisements. So, the legitimate advertisement still appears, but it
instructs a second window to open with Antivirus 8.
At first it appeared as if the server used by the company behind
the ad had been hacked, but upon closer examination Schouwenberg discovered that none of
the servers other than Charltterusse.com are actually related to the products advertised.
What this means is that a hacker went to the trouble of masquerading as the
company to ensure that the ad distributor would run the scareware campaign.
More interesting yet is that the fraudsters make it appear
as if their server was compromised. This allows the hackers to claim they are
not responsible for spreading the malware, which is likely to result in them
receiving only a warning from the ad distributor, and will ultimately allow
them to run the scam at least one more time.
Schouwenberg notes a discrepancy between the
attack’s complexity and the fact that it isn’t serving exploits. As far as he
can tell, the fake AV promotion relies on social engineering alone, which is not
typical of attacks this sophisticated. While he has no way of proving it,
Schouwenberg speculates that this points to an underground
economy in which one entity maintains the malware and its site while another ensures the
site receives ample traffic by serving the malware through ICQ.
“This is another example
of how trusted programs can be used to attack computers,” says Schouwenberg. “It
goes to show that anti-malware protection is needed no matter what the