Search for Philippines Tropical Storm Videos Loads Malware
According to Joseph Pacamara, Senior Threat Analyst at Trend Micro, cyber criminals are exploiting tropical storm 'Ondoy', which wrecked the Philippine capital on September 26, 2009, by raising the ranking of websites that appear among search results when a user types in keywords like "Philippines Flood," "manila flood" and "Ondoy Typhoon," as reported by Trend Micro on September 29, 2009.
Cyber criminals have not wasted a single moment since the calamity befell people to make the most of the situation. They developed malicious web pages claiming to have videos of the historic disaster. The city of Manila witnessed a flood of fake web pages to an extent that has not been seen in a decade. Curious surfers are searching eagerly for those videos on Google and other search engines and following search results that put them in danger of infection.
Once a user clicks on the URL, he is redirected through numerous web pages that ask him to download an EXE called soft_207.exe, which Trend Micro detects as TROJ_FAKEAV.BND. Another interesting point about the attack is its GeoIP checks, which allow it to target a specific location or region.
Furthermore, the user is persuaded to install an "Active-X Patch" in order to watch the video, which actually leads him to the final payload: fake AV software. During this whole process, the user never gets a notification from antivirus software, and he unknowingly installs a malicious file on the computer.
Generally, trojans carry payloads that range from mildly annoying to irreparably destructive. They can also modify the system configuration so that they start automatically. In some cases, merely scanning the affected system with an antivirus solution may not be enough, and further procedures need to be followed.
Security researchers have stated that this attack resembles the attack detected in the third week of September 2009, wherein web pages were artificially optimized in PageRank so that they appeared among the top search results. In one case of that attack, 8 out of 10 results were malicious in nature.
PageRank bombs use Google trending topics, and the technique is commonly used by hackers to proliferate malware.
» SPAMfighter News - 16-10-2009