Scareware infection via Google Doodle

Google’s search results sometimes point to malicious sites; this is common knowledge nowadays. A new way to spread malicious links, though, is to present infected search results as the first hit after clicking on a Google Doodle. On holidays or special anniversaries, for example, Google replaces its own logo with a Doodle, usually an abstract picture that shows the Google lettering. On Wednesday this week, Google showed a Doodle to pay tribute to Martha Graham, a famous “Modern Art” dancer.

Google Doodle for Martha Graham's Anniversary

Clicking this Doodle offered search results for Martha Graham. Some images were displayed as the top search result.

Google Search Result Images

Clicking one of the “infected” thumbnails opened the website hosting the malicious file. While the website is loading, the user is redirected to a randomly generated URL. The websites are hosted on the .co.cc domain, which is quite often associated with malicious content and activities. Right after the redirect, Internet Explorer shows a popup. Current scareware often uses this to trick the user into clicking the “OK” button. Confirming the popup with “OK” opens a new Internet Explorer window that looks quite similar to the “My Computer” section of Windows Explorer. Showing some fake hard drives, floppy drives and a CD drive is also standard FakeAV behavior.

FakeAV in-browser scan animation

During the scan process, some fake infections are displayed in the middle of the screen. Afterwards a new popup is displayed, offering a “Remove All” and a “Cancel” button. But, as usual, both buttons do exactly the same thing. The popup tries to imitate the look of Windows Defender.

FakeAV in-browser results pop-up

As expected, both buttons offer a new file for download. The downloaded file is another fake AntiVirus program called “SecurityScanner.exe”. Running this application installs “XP Home Security 2011” on the computer, which is currently being spread by spam. The tool itself is really unmerciful to real AntiVirus solutions. During the installation process, the tool disables notification popups from a locally installed AntiVirus program, as well as from the Windows Firewall. Additionally, it also disables the Windows Update service and replaces the Windows Security Center popup with a new one, proposing “XP Home Security 2011” as the solution.

FakeAV in Windows Security Center
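As an added illustration (not code from the original post), the following Python check applies the indicators described above, the .co.cc hosting, the randomly generated hostnames and the “SecurityScanner.exe” download, to a few constructed proxy-log lines; the log format, hostnames and the entropy threshold are assumptions made for the example.

```python
"""Flag proxy-log requests that match the FakeAV redirect chain described above."""
import math
from collections import Counter
from urllib.parse import urlparse

# Constructed sample log (not from the original post): "client referrer url status".
SAMPLE_LOG = """\
10.0.0.5 https://www.google.com/ https://www.google.com/search?q=martha+graham&tbm=isch 200
10.0.0.5 https://www.google.com/search?q=martha+graham&tbm=isch http://martha-graham-dance.example/photos 200
10.0.0.5 http://martha-graham-dance.example/photos http://x7gq2kd9.co.cc/scan/ 302
10.0.0.5 http://x7gq2kd9.co.cc/scan/ http://x7gq2kd9.co.cc/SecurityScanner.exe 200
10.0.0.7 https://www.google.com/ https://en.wikipedia.org/wiki/Martha_Graham 200
"""

SUSPECT_TLDS = (".co.cc",)                  # hosting domain named in the post
SUSPECT_FILES = ("securityscanner.exe",)    # dropper name named in the post
RANDOM_LABEL_BITS = 2.5                     # assumed threshold for "looks random"


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character; generated labels score high."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def classify(url: str) -> list:
    """Return the list of indicators a single request URL matches (empty if clean)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if host.endswith(SUSPECT_TLDS):
        reasons.append("suspect-tld")
        first_label = host.split(".")[0]
        if len(first_label) >= 6 and label_entropy(first_label) >= RANDOM_LABEL_BITS:
            reasons.append("random-label")
    if parsed.path.lower().rsplit("/", 1)[-1] in SUSPECT_FILES:
        reasons.append("fakeav-dropper-name")
    return reasons


def scan(log_text: str) -> list:
    """Return (client, url, reasons) for every log line matching at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        client, _referrer, url, _status = parts
        reasons = classify(url)
        if reasons:
            hits.append((client, url, reasons))
    return hits
```

Running `scan(SAMPLE_LOG)` flags only the two .co.cc requests, the second one additionally for the dropper file name.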

After finishing the installation, another local virus scan is started. As usual it shows some fake infections to make the user believe the PC is infected. (Ironically, it now actually is infected with scareware – so there is a little bit of truth in there.)

FakeAV local scan

The scan result is displayed in a new popup. It offers a “Register” and a “Remind me later” button. Clicking either of them leads directly to a payment site, which looks quite professional.

FakeAV local scan results

The payment site usually offers a quite spectacular deal, such as a “Lifetime License for only 79.95$”.

FakeAV payment site

The business strategy behind such a fake AntiVirus company nowadays looks really professional. You can purchase licenses and pay for them by credit card. Some of them even offer a support hotline for their product, where the user gets hints on how to remove real AntiVirus products.

Avira has been protecting customers since VDF version 7.11.07.254, with which Avira anti-malware solutions detect the threat as TR/FakeAV.gra.

Patrick Schönherr
Virus Researcher
techblog.avira.com