Blackhat SEO Attacks targeting (again) World Cup 2010
World Cup 2010 is still a very popular search-engine keyword, and we have recently noticed, once again, various blackhat SEO attacks that hijack keywords related to World Cup 2010, its players and matches.
The pattern is always the same: a user searches for a keyword, hijacked URLs appear even on the first pages of results, and once the user clicks a malicious URL, he is redirected to a fake YouTube video page that distributes setup files of rogue security software. During analysis we logged a few new dangerous domains used in these recent blackhat SEO campaigns.
These malicious websites display a fake scanner page that scares the user with repeated security alerts and simulates a scan report full of threats, laid out to look like the “My Computer” folder:

The rogue security software installed during our tests is named Security Tool. Once installed, it blocks the execution of every application except those whose file name is iexplore.exe. So basically it lets the user open only Internet Explorer (iexplore.exe), and all other applications are blocked. A simple workaround is to rename your analysis tools to iexplore.exe, and they will run just fine!
Fake security alert that blocks the execution of a legit setup file:

Main GUI of the rogue security software Security Tool:

Another fake security alert:
