Most of us are familiar with how high-profile news events are used for malware distribution. We’ve seen it many times, such as with Tiger Woods’ scandal and the earthquake in Haiti. Now the recent earthquake in Chile is being used to prey upon unsuspecting folks looking for news about the quake and the tsunami that followed. This shows we should really be careful in our choices of where we go to get information. Try any search term or phrase related to “Chile Earthquake”, “Tsunami”, etc. I’ve done so and will walk us through a few examples of risky to malicious content that my search turned up. This type of malware distribution tends to target the broadest audience possible, so I entered the search term “Chile” and then let Google auto-complete my search to “Chile quake 2010 tsunami”, a popular search phrase. Almost immediately, among some recognizable news site results, are random blog posts touting words like “download” or “.exe”. We should be suspicious of these.
The first few I tested were not surprising: standard-looking blog posts with YouTube videos. But when I clicked on the YouTube videos, it appeared YouTube had already found them to be violating its terms. This was likely malicious content that had fortunately been discovered already. Here are a couple of examples, one with the video still embedded in the blog page, and the other directly from YouTube.
I found about 3 of these right off the bat. But then came something more disturbing, and much more dangerous: Google’s Safe Browsing warned that the next site was already identified as malicious.
I didn’t continue further down that path, but kept looking at more of the search results. I next clicked to open what appeared to be a safe domain with terms about a princess apple, but what would a site such as this have to do with Chilean earthquakes? I was suspicious, and immediately knew why. Suddenly a pop-up message that we should all be familiar with, or become aware of, opened without my action or approval. This is commonly referred to as Rogue AV, which is malware disguised to look like an anti-malware security scan. These are very dangerous. Typically your best bet to get out of one is to press Ctrl + Alt + Delete on Windows to call up the Task Manager and kill your browser process. Otherwise the rogue AV will attempt to download the malicious payload. Don’t bother clicking Cancel or trying to close your browser with the red X. Here’s a snapshot. Notice it attempts to look like a legitimate Windows Security alert, and reports your machine is infected with various Trojans and malware.
I clicked on one more blog, again looking like a fairly legit blog post with what I assumed might be a YouTube video, possibly pulled by YouTube like the previous examples, but what I found instead was that my anti-virus software detected a hidden IFRAME pointing to (URL modified for safety):
http://www.xxxxxx.xxxx/navbar.g?targetBlogID=78306394491143XXXXX&amp;blogName=Auto+Loan+Insurance&publishMode=PUBLISH_MODE_BLOGSPOT&navbarType=BLUE&layoutType=LAYOUTS&searchRoot=http%3A%2F%2Fxxxxxxx.blogspot.com%2Fsearch&blogLocale=en&homepageUrl=http%3A%2F%2Fxxxxxxxxx.blogspot.com%2F.
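As an added example (not from the original post or any product mentioned in it), here is a small defender-side check that does what the anti-virus did above: it scans a page’s HTML for IFRAME elements hidden by zero size, a `hidden` attribute or CSS, and reports their `src` for review. The sample HTML and its hostnames are constructed for the example.

```python
import re
from html.parser import HTMLParser

# CSS fragments commonly used to keep an IFRAME out of sight:
# display:none, visibility:hidden, 0/1-pixel dimensions, or a far off-screen offset.
HIDE_CSS = re.compile(
    r"(display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:width|height)\s*:\s*0*[01](?:px)?\b|left\s*:\s*-\d{3,})",
    re.IGNORECASE,
)

def _tiny(value):
    """True when a width/height attribute is 0 or 1 (pixels)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return bool(m) and int(m.group(1)) <= 1

class HiddenIframeFinder(HTMLParser):
    """Collects (src, reasons) for every IFRAME that looks deliberately hidden."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = dict(attrs)          # attribute names are lowercased by HTMLParser
        reasons = []
        if HIDE_CSS.search(a.get("style") or ""):
            reasons.append("hidden-by-css")
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("zero-size")
        if "hidden" in a:
            reasons.append("hidden-attribute")
        if reasons:
            self.findings.append((a.get("src", ""), reasons))

def find_hidden_iframes(html):
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: one visible video embed and two hidden IFRAMEs.
SAMPLE_HTML = """
<p>Chile quake 2010 tsunami video below.</p>
<iframe src="https://video.example.invalid/embed/abc" width="480" height="360"></iframe>
<iframe src="http://navbar.example.invalid/navbar.g?blogName=Auto+Loan+Insurance"
        width="0" height="0" frameborder="0"></iframe>
<iframe src="http://drop.example.invalid/x.php" style="display:none"></iframe>
"""

if __name__ == "__main__":
    for src, reasons in find_hidden_iframes(SAMPLE_HTML):
        print(f"{src}  [{', '.join(reasons)}]")
```

The visible 480x360 embed is not reported; only the zero-size and `display:none` frames are, which is the pattern the anti-virus flagged on the blog above.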