Lately, the Blackhole exploit kit has been getting a lot of attention, and no wonder – it is continually updated with exploits for various flaws in popular software, and can deliver practically any malware the attackers want it to.
Among the payloads it delivers are rogue AV programs, such as those belonging to the FakeScanti malware family.
One of the variants, named “AV Protection 2011”, has an interesting capability. It modifies the infected computer’s HOSTS file (the local file that maps hostnames to IP addresses and is consulted before any DNS lookup) so that when the user tries to visit Google Search, Facebook or Bing, those hostnames resolve to a server hosted in Germany that serves up another variant of the same family. Because the browser simply connects to the address the HOSTS file supplies, no redirect is visible to the user.
Hijacking the HOSTS file is not unusual behavior for worms and backdoors, but it is not often seen in rogue AV solutions, says GFI’s Jovi Umawing. The technique is also popular with phishers for seamlessly sending users to phishing pages when they try to visit legitimate ones, and because the HOSTS file takes precedence over DNS, the hijack persists no matter which resolver the machine is configured to use.
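The check a responder would want for the behavior described in the two paragraphs above is a quick audit of the HOSTS file for well-known hostnames pinned to anything other than a loopback or blackhole address. The script below is an added example, not code from the article or from GFI: the sample HOSTS content, the 192.0.2.0/24 address (an RFC 5737 documentation range) and the list of watched hostnames are all constructed for the demonstration; the article names the services but not the hostnames or the real redirect address.

```python
"""Audit a Windows HOSTS file for hijacked entries.

Added example, not from the original article or from GFI. The sample
HOSTS content and the 192.0.2.44 address (RFC 5737 documentation range)
are constructed; the real redirect target is not reproduced here.
"""
import ipaddress
from typing import Dict, List, Tuple

# Services the article says "AV Protection 2011" redirects. The exact
# hostname list is an assumption; the article names only the services.
WATCHED_SUFFIXES = ("google.com", "facebook.com", "bing.com")

# Constructed sample: a default Windows HOSTS file plus a hijack block.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# entries added by the rogue AV (constructed, RFC 5737 test address)
192.0.2.44      www.google.com google.com
192.0.2.44      www.facebook.com
192.0.2.44      www.bing.com bing.com  # trailing comment
127.0.0.1       activate.adobe.com
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, one per hostname on each line.

    Handles full-line and trailing comments, blank lines, and lines whose
    address field is not a valid IP (skipped rather than trusted).
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            pairs.append((str(ip), host.lower()))
    return pairs


def is_watched(host: str) -> bool:
    """True for a watched domain or any subdomain of it."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def is_blackhole(ip: str) -> bool:
    """Loopback (127.0.0.1, ::1) or unspecified (0.0.0.0) addresses only
    block a name; they cannot send the user to an attacker's server."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(text: str) -> Dict[str, str]:
    """Map each watched hostname to the routable address it is pinned to.

    Legitimate HOSTS files never need to pin these services, so any
    non-blackhole mapping for them is reported.
    """
    return {host: ip for ip, host in parse_hosts(text)
            if is_watched(host) and not is_blackhole(ip)}


def sinkhole_ips(text: str) -> Dict[str, List[str]]:
    """Group all routable entries by address. One IP receiving several
    unrelated hostnames is the signature of a redirect, whether or not the
    names are on the watch list."""
    by_ip: Dict[str, List[str]] = {}
    for ip, host in parse_hosts(text):
        if not is_blackhole(ip):
            by_ip.setdefault(ip, []).append(host)
    return by_ip


if __name__ == "__main__":
    # On a live system read %SystemRoot%\System32\drivers\etc\hosts instead.
    for host, ip in sorted(find_hijacks(SAMPLE_HOSTS).items()):
        print(f"HIJACKED {host} -> {ip}")
    for ip, hosts in sinkhole_ips(SAMPLE_HOSTS).items():
        if len(hosts) > 1:
            print(f"{ip} receives {len(hosts)} hostnames: {', '.join(hosts)}")
```

On a live Windows machine, replace `SAMPLE_HOSTS` with the contents of `%SystemRoot%\System32\drivers\etc\hosts`; a clean file contains only comments and loopback entries, so anything `sinkhole_ips` returns deserves a look, and anything `find_hijacks` returns is a hijack.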
“Users are advised to be wary of clicking links in emails. If you didn’t contact the party that sent such mails, it’s always best to not bother yourself with them and delete them from your inbox,” he advises. “Be careful with how you do searches online as well, since the criminals behind rogue AV are still banking on the old yet very effective SEO technique.”