Friday, July 25, 2008
Other fake anti-virus products may overlay websites with foreign TLDs appearing in search results
I discovered another stealth problem this afternoon, where someone is trying to sell a “fake” anti-virus program. Trying to find the stock symbol for an electric utility, I got back a website so far unchecked by McAfee (a gray circle with a “?” in it) and clicked, and the system opened an application purporting to check for viruses, but giving me the option to Cancel. The TLD was “.hu” for Hungary. It was not xpantivirus but another one, but something similar. I closed everything, restarted and ran virus scan and found no problems (including the process and registry key scan). McAfee Security Center showed no changes to the registry keys on the log. Ctrl-Alt-Del did not show any unfamiliar programs (tasks or processes) running.
The word to the wise is that, even with legitimate searches, don’t click on an unverified site in a search engine with a foreign TLD if it is not reasonable that a foreign domain would have had legitimate information about the search you entered. There seems to be some activity overseas to create sites that purport to offer services from legitimate American companies and then load spyware or offer fake services.
Update: Aug. 6
The following CNN/AP story relates a flaw deep in the Internet's DNS server infrastructure that could be related to this problem (of fake sites, above). Major companies, including Cisco, say they have quickly installed patches. Link.