Rogue AV Campaign Infects More Than 200,000 Web Pages

Websense has detected a massive infection campaign targeting users with rogue antivirus
Researchers at Websense have detected a widespread rogue antivirus campaign targeting more than 200,000 Web pages and close to 30,000 unique Web hosts.

The attack has compromised a large number of websites running various versions of WordPress. When a victim visits one of the infected sites, the browser is redirected to a site hosting rogue antivirus software. If the visitor downloads and runs the program, the Trojan is installed on their computer.

“It is difficult to estimate the number of users affected,” explains Elad Sharf, lead senior security researcher at Websense Security Labs. “What is interesting to note is that more than 85% of the compromised sites are in the United States, while visitors to these websites are more geographically dispersed. The attack may be specific to the U.S., but everyone is at risk when visiting these compromised pages.”

According to Websense, the rogue AV site appears to run a scan on the computer and displays fake malware detections in a bid to trick the user into downloading the program. The page is styled to look like a Windows Explorer window with a "Windows Security Alert" dialog box in it.

“Usually in this type of mass injection, vulnerabilities or security holes in certain versions and their accompanying infrastructure are abused to get initial access to those websites,” Sharf says. “Therefore, after this access is maintained to the compromised website, the injected code keeps getting updated periodically, i.e., in every new cycle of the mass injection.”
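Because the injected code is refreshed in every cycle, the practical defence for a site owner is a file-integrity baseline: hash the known-clean install once, then re-hash and diff. The script below is an added example written for this article, not Websense's code or anything from the campaign. The mock WordPress tree, the watched file types and the simulated injection are all constructed for the demonstration.

```python
"""
File-integrity check for a WordPress document root.

Added example, not Websense's code or part of the original article. It
assumes a baseline snapshot was taken of a known-clean install; any file
that is added or changes hash since then is a candidate for injected code
and worth diffing by hand. The file filter and the mock tree in demo() are
assumptions for illustration only.
"""
import hashlib
import tempfile
from pathlib import Path

# File types mass injections typically touch on a WordPress install
# (templates, plugins, JavaScript) plus a few named files. Assumption: extend as needed.
WATCHED_SUFFIXES = {".php", ".js", ".html"}
WATCHED_NAMES = {".htaccess", "wp-config.php"}


def _sha256(path: Path) -> str:
    """Stream the file through SHA-256 so large uploads don't sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root) -> dict:
    """Map every watched file (as a POSIX path relative to root) to its SHA-256."""
    root = Path(root)
    result = {}
    for p in root.rglob("*"):
        if p.is_file() and (p.suffix in WATCHED_SUFFIXES or p.name in WATCHED_NAMES):
            result[p.relative_to(root).as_posix()] = _sha256(p)
    return result


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Return files added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Build a throwaway mock WordPress tree, baseline it, simulate one
    injection cycle (theme header altered, a new PHP file dropped) and
    return the diff. All paths and contents are constructed for this example."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        theme = root / "wp-content" / "themes" / "twentyten"
        theme.mkdir(parents=True)
        (theme / "header.php").write_text("<?php wp_head(); ?>\n")
        (root / "wp-includes").mkdir()
        (root / "wp-includes" / "functions.php").write_text("<?php // core\n")
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "readme.txt").write_text("not watched\n")  # ignored by the filter

        baseline = snapshot(root)

        # Simulated re-injection cycle: a script tag appended to the template
        # and an extra PHP file appearing under uploads. Constructed, not real malware.
        header = theme / "header.php"
        header.write_text(header.read_text() + '<script src="http://example.invalid/x.js"></script>\n')
        (root / "wp-content" / "uploads").mkdir()
        (root / "wp-content" / "uploads" / "cache.php").write_text("<?php /* constructed sample */ echo 'x'; ?>\n")

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In production you would persist the baseline (for example as JSON) off the web host, since an attacker with write access to the document root can rewrite a baseline stored beside the files, and re-run the diff on a schedule short enough to catch each new injection cycle.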

Websense does not know who is behind the campaign, but its researchers note that because WordPress is so widely used around the world, every version of it is studied and exploited by attackers.

The Trojan/rogue AV detection name varies as the cybercriminals keep updating and installing new binaries to avoid detection. According to Websense, most antivirus researchers use a generic detection name for the threat, while some issue more specific names (typically Fakealert, Virtool or Riskware).

“Essentially what this means for the everyday blogger is that their website is being hijacked,” Sharf says. “The user looking to view the blogger's website is redirected to a rogue antivirus site, which appears to perform a scan on the computer and scares the user by displaying fake malware detections of various kinds of Trojans. The fake AV then prompts visitors to download and run its ‘antivirus tool’ to remove the supposedly found Trojans. The executable is itself the Trojan. The blogger will still see traffic to the site, but the user never gets there, as they will be redirected immediately to the rogue AV site, meaning their content is never viewed.”
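A blogger who suspects their site is bouncing visitors elsewhere can check the HTML the server actually returns for redirect primitives pointing off-site. The checker below is an added example for this article, not code from Websense or from the campaign; the article does not show the real injected code, so the patterns, the sample page and the hostnames are assumptions.

```python
"""
Visitor-side check for injected off-site redirects in a served page.

Added example, not from the article or Websense. Given the HTML a site
serves and the site's own hostname, it reports every redirect or loader
primitive (meta refresh, JavaScript location assignment, external script
include, iframe) whose target host is not the site itself. The pattern set
and SAMPLE_HTML are assumptions for illustration.
"""
import re
from urllib.parse import urlparse

# Redirect / loader primitives worth flagging. Assumption: a starting set,
# not an exhaustive list of what injected code can look like.
_PATTERNS = [
    ("meta-refresh", re.compile(
        r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)),
    ("js-location", re.compile(
        r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)),
    ("script-src", re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)),
    ("iframe-src", re.compile(r'<iframe[^>]+src=["\']([^"\']+)["\']', re.I)),
]


def _host(url: str) -> str:
    """Hostname of an absolute URL, or '' for relative URLs."""
    return (urlparse(url).hostname or "").lower()


def find_offsite_redirects(html: str, site_host: str) -> list:
    """Return (kind, target_url) for each redirect/loader whose host differs
    from site_host. Relative and same-host targets are ignored."""
    site_host = site_host.lower()
    hits = []
    for kind, pat in _PATTERNS:
        for m in pat.finditer(html):
            target = m.group(1).strip()
            host = _host(target)
            if host and host != site_host:
                hits.append((kind, target))
    return hits


# Constructed sample: a blog page with legitimate same-site assets plus an
# injected meta refresh, a JS bounce to an off-site "scanner" page and a
# 1x1 iframe. Hostnames use .invalid / example.com and are not real.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=http://scanner.example.invalid/scan.php">
<script src="/wp-includes/js/jquery.js"></script>
<script src="http://blog.example.com/wp-content/themes/t/app.js"></script>
<script>window.location = "http://scanner.example.invalid/scan.php";</script>
</head><body><h1>My blog</h1>
<iframe src="http://ads.example.invalid/i.html" width="1" height="1"></iframe>
</body></html>"""


def check_sample() -> list:
    """Run the checker over the constructed page as if it were blog.example.com."""
    return find_offsite_redirects(SAMPLE_HTML, "blog.example.com")


if __name__ == "__main__":
    for kind, target in check_sample():
        print(f"{kind}: {target}")
```

Fetch the page with a plain HTTP client rather than a browser so you see the raw response before any redirect fires; injected code often gates on visitor properties such as referrer or user agent, so compare responses fetched with and without a search-engine referrer before concluding the site is clean.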
