Recently FAKEAV peddlers have fully leveraged blackhat search engine optimization (SEO) tactics to profit from their malicious wares. Targeting millions of fans as potential victims—FAKEAV and blackhat SEO—work hand-in-hand to create a dangerous and all-too-common threat for Web surfers.

1. Web Threat Spotlight
A Web threat is any threat that uses the Internet to facilitate cybercrime.
ISSUE NO. 57
FEBRUARY 15, 2010
Johnny Depp, Bill Cosby, and "Super Bowl 44" Searches Bag FAKEAV
In the past few months, FAKEAV peddlers fully leveraged blackhat search engine optimization (SEO) tactics to profit from their malicious wares.
Targeting millions of fans as potential victims—FAKEAV and blackhat SEO—worked hand-in-hand to create a dangerous but, unfortunately, all-
too-common threat for Web surfers.
The Threat Defined
Blackhat SEO and FAKEAV: New Partners in Cybercrime
2009 saw several FAKEAV variants proliferate online. While we have
seen this kind of threat as early as 2004, last year witnessed its rapid
rise to the list of the most common Web threats.
Blackhat SEO has increasingly become cybercriminals' favorite method
of spreading FAKEAV. Poisoning search results has proven to be a very
effective technique in luring more visitors to click links to malicious sites
that end with the download of FAKEAV, especially since peddling them is
indeed very profitable.
Though other methods of spreading FAKEAV remain in use, blackhat
SEO techniques are particularly dangerous because most if not all
people can potentially become victims just by using search engines. It
has, in fact, become common for cybercriminals to create malicious sites
related to the hottest topics or happenings just to spread various
FAKEAV variants.
This threat was recently highlighted by at least three separate events: Figure 1. Typical blackhat SEO-triggered
FAKEAV infection diagram
 Johnny Depp's supposed death due to a car crash
 The latest season of one of the United State's most popular television show—"Super Bowl 44"
 Bill Cosby's supposed death, which he himself proved to be untrue
These three separate attacks had two major things in common—blackhat SEO and FAKEAV. They all used enticing
search phrases related to the aforementioned events. They leveraged on people's innate curiosity and the
popularity of the two celebrities and the "Super Bowl." Their search results all led to malicious sites where the
following FAKEAV variants were hosted:
 TROJ_DLOADER.GRM (aka Drive Cleaner 2006)
 TROJ_FAKEAL.SMDP (aka Security Antivirus)
Apart from the similarities already stated above, the cybercriminals behind the attacks also had only one thing in
mind—to gain profit.
There was, however, a slight difference between the two variants, too. The first posed as a codec that users needed
to download in order to watch a video of Depp's car crash. The second, on the other hand, used the ever-reliable
but very effective scareware tactic.
How Blackhat SEO Helps Sell FAKEAV
Since blackhat SEO and FAKEAV are likely to stay on for a long time, TrendLabs security specialists analyzed what
made the “blackhat SEO and FAKEAV partnership” work and came up with these results:
 More cybercriminals will utilize "keyword stuffing" or abuse the use of keywords to make their malicious
sites rise to the top of search results for hot topics.
1 of 2 – WEB THREAT SPOTLIGHT

2. Web Threat Spotlight
A Web threat is any threat that uses the Internet to facilitate cybercrime.
 They will also leverage "page stuffing" or hack legitimate sites that appear on top of search results and stuff
them with malicious pages.
 They will also use "farming links" or linked Web pages to increase one another's popularity and link their
malicious sites with these.
 Finally, cybercriminals will continue to develop more effective "cloaking" techniques, leading users to bogus
sites or even fake search engines. Cloaking is a blackhat SEO technique in which the content presented to
the search engine spider is different to that presented to the user's browser.
User Risks and Exposure
The popularity of the Internet in recent years means users are not just more actively searching for information online.
They are also doing so more quickly than ever before. This means that the potential "market" for cybercriminals
peddling their malicious wares to unwary users is also increasing, as more users click links to search results that
lead to the download of rogue antivirus.
The effects of FAKEAV malware have been well documented over the last few months. At the very least, users lose
time by responding to false alerts and closing windows. More directly, however, they can also incur financial losses
if they reveal financial information (e.g., credit card numbers) in malicious sites, believing they are purchasing
legitimate products. While FAKEAV are a lot cheaper compared with commercial antivirus products, ranging from
US$50–70 each—the risk they pose in terms of data theft is greater.
As such, companies must impose stricter security measures to keep themselves safe from these and other kinds of
Web attacks. In today's complex threat landscape, however, installing antivirus applications may no longer be
enough, they need to use more aggressive security solutions and to make their clients/employees more aware of
cybercriminals' ingenious schemes.
Trend Micro Solutions and Recommendations
Trend Micro™ Smart Protection Network™ delivers security infrastructure that is smarter than conventional
approaches. Leveraged across Trend Micro’s solutions and services, Smart Protection Network™ combines unique
in-the-cloud reputation technologies with patent-pending threat correlation technology to immediately and
automatically protect your information wherever you connect.
Smart Protection Network™ protects users from this kind of attack by blocking user access to malicious sites where
FAKEAV may be downloaded with Web reputation service and by detecting and blocking the execution of
TROJ_DLOADER.GRM and TROJ_FAKEAL.SMDP on user systems via file reputation service.
Users can also prevent themselves from becoming victims of similar attacks by avoiding relatively unknown sites
that are likely hosts of FAKEAV variants. While they may rank highly in search results, their URLs, which can be
seen in search results as well, may not be that "familiar." Avoiding such sites and visiting well-known sites with
recognizable domain names instead thus helps them avoid potentially significant losses.
The following posts at the TrendLabs Malware Blog discuss this threat:
http://blog.trendmicro.com/hackers-exploit-actor-johnny-depp%E2%80%99s-death-hoax/
http://blog.trendmicro.com/search-for-news-on-the-super-bowl-and-bill-cosby%E2%80%99s-supposed-death-lead-to-fakeav/
The virus reports are found here:
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOADER.GRM
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_FAKEAL.SMDP
Other related posts are found here:
http://blog.trendmicro.com/fakeav-gets-first-dibs-in-profits-from-apple-ipad/
http://blog.trendmicro.com/a-million-search-strings-to-get-infected/
http://blog.trendmicro.com/blackhat-seo-and-fakeav-a-dangerous-tandem/
http://blog.trendmicro.com/rogue-av-scams-result-in-us150m-in-losses/
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/50_predictably_unpredictable_fakeavs__january_11__2010_.
pdf
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/trend_micro_2010_future_threat_report_final.pdf
http://blog.trendmicro.com/searches-for-free-printable-items-lead-to-mal-domains/
http://en.wikipedia.org/wiki/Cloaking
http://en.wikipedia.org/wiki/Vundo
2 of 2 – WEB THREAT SPOTLIGHT