Skip to content

Compromised Site Serves as a FAKEAV Doorway Page

by Trend Micro Employee on ‎11-21-2010 05:35 PM

The Threat Defined


Much has already been said about FAKEAV yet it continues to raise concerns in the security industry. While it has been relatively quiet in recent months, it has yet to take the backseat in the cybercrime scene. FAKEAV is like a consistent background noise in the threat landscape that never really goes away.


TrendLabsSM has been monitoring FAKEAV since its first-generation variants were discovered. Included in the list of the more significant changes it has undergone is the use of ransomware tactics, the ability to modify Layered Service Provider (LSP) chains, the increased use of blackhat search engine optimization (SEO), and the use of doorway pages.


Compromised Site Used in FAKEAV Scam


A recent FAKEAV attack combined the use of two of the malware’s more recent techniques—blackhat SEO and doorway pages. People from the music industry conducting searches using keywords like “homestead gardens” and “best buy black friday 2010 ads” inadvertently landed on the compromised site of an Amsterdam-based record label, which was used as a doorway page. The compromised page was injected with an SEO kit for hot topics. It also had spamdexed content that was specifically prepared for the upcoming Black Friday holiday event in the United States. Spamdexed pages contain repeating unrelated phrases to manipulate the relevance or prominence of resources indexed by a search engine in a manner inconsistent with the purpose of the indexing system. In blackhat SEO attacks, these are either filled with spam-like content either related or linked to compromised pages in order to increase their ranking.


Figure 1. TROJ_FAKEAV.SMVK infection diagram


Clicking the poisoned links that appeared as search results took users through a series of page redirections before they end up on a malicious page from which TROJ_FAKEAV.SMVK is automatically downloaded onto their systems. This FAKEAV variant connects to various URLs to download another malware detected as TROJ_FAKEAV.GXX. This second FAKEAV variant creates several registry entries and adds strings to the Windows HOSTS file as part of its infection routine.

Java Exploits and FAKEAV


Another notable development in the FAKEAV front is the increased use of Java exploits for doorway pages. Two vulnerabilities have been particularly exploited—CVE-2008-5353 and CVE-2009-3867 —and since Java is a widely used platform, this type of attack increases the risks for the application’s users.


On its own, vulnerability exploits can put user systems at risk because many of these allow malicious users to gain access to infected systems. When used in tandem with FAKEAV, however, exploit packs become all the more threatening.

More FAKEAV Updates


10202010-pill.jpgTo further enhance the already-effective FAKEAV technology, cybercriminals are now making use of browser-specific payloads that closely mimic various browsers’ interfaces. Some variants even have the ability to detect what browser version is currently running on a system. Even FAKEAV alerts are becoming more sophisticated. Online FAKEAV variants are now very heavily obfuscating their code with the help of Advanced Encryption Standard (AES). Meanwhile, local or offline FAKEAV variants now use audio alerts as part of their behavior. Though the main interface has not really changed, a new “pill” icon has been seen in use.


User Risks and Exposure


One increasingly important reminder so users can avoid becoming victims of FAKEAV attacks is to be cautious in conducting online searches. As seen in the past, FAKEAV proliferators have learned to use search engine features to their full advantage, allowing malicious links to rank high on search engine results pages. Users should remember to carefully check URLs, watching out for telltale signs such as the typical doorway page URL format (i.e., <protocol>://<domain>/<folder>/<file>?<parameter>, any or some of which is made up of random characters).


Google’s recently released instant-preview feature can also prove helpful in allowing users to literally get a glimpse of a site’s contents before they actually click its link. Of course, it would not be entirely surprising if cybercriminals eventually find a way to circumvent this so awareness is still key. Arming users with sufficient knowledge of how FAKEAV works and what new techniques cybercriminals are using to spread it will more likely allow them to protect themselves from possible attacks.


Trend Micro Solutions and Recommendations


Trend Micro™ Smart Protection Network™ delivers security that is smarter than conventional approaches. Leveraged across Trend Micro solutions and services, Smart Protection Network combines unique in-the-cloud reputation technologies with patent-pending threat correlation technology to immediately and automatically protect your information wherever you connect.


In this particular attack, Smart Protection Network’s Web reputation technology blocks access to the sites that TROJ_FAKEAV.SMVK connects to. File reputation technology, on the other hand, immediately prevents the execution of and deletes files detected as TROJ_FAKEAV.SMVK and TROJ_FAKEAV.GXX from user systems.


The following post at the TrendLabs Malware Blog discusses this threat:


The virus reports are found here:


Other related posts are found here: