I came across this fake AV when I did a Google image search a few days back. Unsurprisingly, this Mac fake AV works exactly the same way as the Windows fake AV did: it also presents a fake browser page telling the user that their machine has been infected with malware.
When I did a Google image search, I opened an image indexed by Google, and Google redirected me to a compromised website containing a "hidden" (from a novice computer user's point of view) JavaScript. After the compromised page is opened, it immediately redirects the user to another page with the URL top-level domain "cz.cc", which is where the fake AV page is displayed.
Figure 1: Image Indexed by Google
Figure 2: Script Redirection From Compromised Site
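A defender can look for this chain in web proxy logs. The following is an added example, not code from the original post: it flags a client that lands on a site from a Google image result and is then sent, within a few seconds, from that site to a host under "cz.cc". The log format, the `/imgres` referer check, the 10-second window and all hostnames in the sample are assumptions constructed for illustration.

```python
from urllib.parse import urlparse

WINDOW = 10                     # max seconds from landing to redirect (assumed threshold)
WATCHED_SUFFIXES = ("cz.cc",)   # the only domain named in the post; extend as needed

# Constructed sample lines (not real traffic): epoch client url referer
SAMPLE_LOG = """\
1305000000 10.0.0.5 http://www.google.com/imgres?imgurl=http://hacked.example/pic.jpg -
1305000001 10.0.0.5 http://hacked.example/gallery.html http://www.google.com/imgres?imgurl=http://hacked.example/pic.jpg
1305000002 10.0.0.5 http://scanner-placeholder.cz.cc/fast-scan/ http://hacked.example/gallery.html
1305000003 10.0.0.9 http://photos.example/cat.html http://www.google.com/imgres?imgurl=http://photos.example/cat.jpg
1305000050 10.0.0.9 http://photos.example/about.html http://photos.example/cat.html
"""

def host(url):
    return (urlparse(url).hostname or "").lower()

def from_google_images(referer):
    # Assumption: an image-search click carries a google.* referer with an /imgres path.
    p = urlparse(referer)
    h = (p.hostname or "").lower()
    return h.startswith(("www.google.", "images.google.")) and p.path.startswith("/imgres")

def under_watched(h):
    # Match the suffix on a label boundary so "notcz.cc" is not flagged.
    return any(h == s or h.endswith("." + s) for s in WATCHED_SUFFIXES)

def find_chains(log_text):
    landings = {}   # client -> (landing host, landing time)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue                                  # skip malformed lines
        ts, client, url, referer = int(parts[0]), parts[1], parts[2], parts[3]
        if from_google_images(referer):
            landings[client] = (host(url), ts)        # step 1: landing from image search
            continue
        landing_host, landed_at = landings.get(client, ("", 0))
        # step 2: the landing page itself refers the browser to a watched domain
        if (landing_host and host(referer) == landing_host
                and under_watched(host(url)) and 0 <= ts - landed_at <= WINDOW):
            hits.append((client, landing_host, host(url)))
    return hits

if __name__ == "__main__":
    for client, site, dest in find_chains(SAMPLE_LOG):
        print(f"{client}: {site} -> {dest}")
```

Each hit names both the affected client and the compromised landing site, so the same result can drive user follow-up and a report to the site owner.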
Figure 3: Fake AV Scan Result
Immediately after the scan finishes, and once the user clicks the "Remove all" button, a dialog box prompts the user to download and execute the file.
Figure 4: Download Fake AV File
If you are interested in getting a registered version of this MacSecurity, you can visit this post from Kaspersky Lab, http://www.securelist.com/en/blog/11252/Mac_Protector_Register_your_copy_now, where you can get a list of valid license keys!
Figure 5: Fake AV Scanning in Action
Now I have a registered MacProtector to clean the "detected" file =)
Figure 6: Registered Copy of MacProtector
Reference
You can visit http://blog.unmaskparasites.com/2011/05/05/thousands-of-hacked-sites-seriously-poison-google-image-search-results/ for excellent research and technical information on Google image SEO poisoning.
Have fun!
Signing off @x9090
1 comment:
Hello, thanks for posting this information, I was trying to find information on this topic – this was very helpful.