Rogue AV using Search Engine Optimization (Nov 3, 2009)


Rogue AntiVirus software is defined as a malicious piece of code that deceives users into paying for the removal of fake viruses that it generates alerts for. The SonicWALL UTM Research team published an alert describing various variants of Rogue AntiVirus that we saw back in August, 2009 – LINK.

Rogue AntiVirus authors have used various social engineering techniques in order to spread the malware and infect the users. Some of the techniques are listed below:

  • Drive-by downloads via infected websites or dedicated malicious websites
  • Free online scanning service
  • Software shared via P2P network
  • Archive File attached in the e-mail
  • Fake codec required to play certain video

The latest example of SEO leading to a drive-by download website is shown below:

Search for “invisible extended hearing aids” in the Google search engine and the very first result of the search leads you to a Rogue AntiVirus drive-by download website:

screenshot

Note that the website seems to be compromised and is being used for malicious purposes without its owner’s knowledge. Google does a good job of removing such links from its index as soon as it finds out, but that usually takes more than a day, which is enough for the Rogue AV authors to infect multiple users.

If the user clicks on the link above, it redirects them to a malicious site that generates a fake infection alert and runs the fake AntiVirus scan animation:

screenshot

screenshot

This leads to the download of a malicious executable file “install14300.exe” that compromises the victim machine.
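As an added illustration (not code from the original alert), the following Python sketch looks for the chain described above in web proxy logs: a search-engine click that lands on one site, a hop to a different site, and an executable download shortly afterwards. The log lines, host names and field layout are constructed for the example.

```python
from datetime import datetime
from urllib.parse import urlparse

SEARCH_ENGINES = {"www.google.com", "www.bing.com", "search.yahoo.com"}
WINDOW_SECONDS = 120  # how long after the search click the chain is still considered linked

# Constructed proxy log (hypothetical hosts). Fields: client time url referrer content-type
SAMPLE_LOG = """\
10.0.0.5 2009-11-03T10:00:01 http://www.google.com/search?q=invisible+extended+hearing+aids - text/html
10.0.0.5 2009-11-03T10:00:04 http://compromised-site.example/hearing-aids.html http://www.google.com/search?q=invisible+extended+hearing+aids text/html
10.0.0.5 2009-11-03T10:00:05 http://fake-scan.example/scan.php?id=1 http://compromised-site.example/hearing-aids.html text/html
10.0.0.5 2009-11-03T10:00:20 http://fake-scan.example/install14300.exe http://fake-scan.example/scan.php?id=1 application/octet-stream
10.0.0.7 2009-11-03T10:05:00 http://www.google.com/search?q=printer+driver - text/html
10.0.0.7 2009-11-03T10:05:03 http://vendor.example/driver.exe http://vendor.example/downloads.html application/octet-stream
"""

def parse(line):
    client, ts, url, ref, ctype = line.split()
    return {"client": client, "time": datetime.fromisoformat(ts), "url": url,
            "referrer": None if ref == "-" else ref, "ctype": ctype}

def host(url):
    return urlparse(url).netloc.lower() if url else None

def is_executable(ev):
    return ev["ctype"] == "application/octet-stream" or ev["url"].lower().endswith(".exe")

def find_seo_chains(log_text):
    """Flag executable downloads that follow a search-engine click onto one site and a
    hop to a different site, all within WINDOW_SECONDS of the search click."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]  # chronological
    hits = []
    for i, ev in enumerate(events):
        if not is_executable(ev):
            continue
        landing = None
        for prev in reversed(events[:i]):  # walk back through this client's earlier requests
            if prev["client"] != ev["client"]:
                continue
            if (ev["time"] - prev["time"]).total_seconds() > WINDOW_SECONDS:
                break
            if host(prev["referrer"]) in SEARCH_ENGINES:
                landing = prev  # the page the search result led to
                break
        # a download from the landing site itself is ordinary; the hop to another host is the signal
        if landing is None or host(ev["url"]) == host(landing["url"]):
            continue
        hits.append({"client": ev["client"], "search": landing["referrer"],
                     "landing": host(landing["url"]), "payload": ev["url"]})
    return hits
```

Only the first client is flagged: the second one also searched, but its download came directly from the vendor site it browsed to, with no search-referred landing page in the window.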

SonicWALL Gateway AntiVirus provides protection against the above threat via the GAV: FakeAV#html_3 (Trojan) and GAV: TDSS.AA_11 (Trojan) signatures.
