The Royal Wedding and The Fake Antivirus

The Royal Wedding of Prince William and Catherine Middleton, which will be held tomorrow, April 29, will attract the attention of many people around the world and has become a trending topic on various websites, especially social networking sites.

No doubt, it has also become an easy target for malware authors, who spread their malware using SEO poisoning. Malware writers have used this Black Hat SEO technique from time to time, exploiting hot topics to improve their sites' ranking in search engine results.

As you can see on Google Trends and Google Insights, search volume has increased massively, and the same is happening on Facebook and Twitter.

When you search for terms related to the wedding, some of the results point to malicious websites.

When a victim clicks such a link, he is redirected to a malicious site that forces a download of a fake antivirus:

  • http://rnzrrljt.co.cc/[censored]
  • http://xnslrqlr.co.cc/[censored]

These point to the IP: 78.26.179.10.

The malicious site shows fake scanning dialogs and also displays fake alert messages.
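The chain described above (search result, redirect, forced download from a random-looking hostname) leaves a recognizable trail in web proxy logs. The following Python is an added example, not code from the original post; the log format, the search-engine list, the content types and the sample log lines are constructed assumptions.

```python
from urllib.parse import urlsplit

SEARCH_HOSTS = ("google.", "bing.", "yahoo.")   # assumption: referrers treated as search engines
EXE_TYPES = {"application/x-msdownload", "application/octet-stream"}  # assumption

def looks_generated(host):
    """Heuristic: long, all-letter first label with almost no vowels (e.g. rnzrrljt.co.cc)."""
    label = host.split(".")[0].lower()
    if len(label) < 7 or not label.isalpha():
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return vowels / len(label) < 0.2

def is_search(host):
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    return host.startswith(SEARCH_HOSTS)

def flag_downloads(lines):
    """Return (client, url) for executables served by a generated-looking host
    that the client reached through a chain that started at a search result."""
    tainted = {}   # client -> hosts reached via a search-originated chain
    hits = []
    for line in lines:
        _ts, client, url, referrer, ctype = line.split()
        host = urlsplit(url).hostname or ""
        ref_host = urlsplit(referrer).hostname or ""   # "-" (no referrer) yields ""
        seen = tainted.setdefault(client, set())
        if is_search(ref_host) or ref_host in seen:
            seen.add(host)
        if host in seen and looks_generated(host) and ctype in EXE_TYPES:
            hits.append((client, url))
    return hits

# Constructed sample log: timestamp, client, url, referrer, content-type
SAMPLE_LOG = [
    "2011-04-28T10:00:01 10.0.0.5 http://blog.example.org/royal-wedding http://www.google.com/search?q=royal+wedding text/html",
    "2011-04-28T10:00:02 10.0.0.5 http://qzkvbnwt.example.net/scan http://blog.example.org/royal-wedding text/html",
    "2011-04-28T10:00:09 10.0.0.5 http://qzkvbnwt.example.net/setup.exe http://qzkvbnwt.example.net/scan application/x-msdownload",
    "2011-04-28T10:05:00 10.0.0.7 http://downloads.example.com/tool.exe - application/octet-stream",
]

if __name__ == "__main__":
    for client, url in flag_downloads(SAMPLE_LOG):
        print(f"suspicious download by {client}: {url}")
```

The vowel-ratio test is a coarse heuristic; in practice it is combined with domain age or reputation data to keep false positives down.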

Once the downloaded file is executed, the rogue application starts its actions.

The name this rogue application uses can vary. In our tests, the fake antivirus calls itself “Win 7 Anti-Spyware” on Windows 7, but on XP it shows up as “XP Home Security 2011”.

Emsisoft Anti-Malware detects this malware as Trojan.Win32.FakeAV. Currently, according to VirusTotal, the detection rate is still low: only 10 of 41 detect it.