In recent days, our honeypot has collected some new variants of FakeAV, malware that impersonates antivirus programs. After monitoring and analyzing these variants, we have discovered a brand new scenario employed by hackers to spread this kind of malware.
Hackers have taken advantage of many forums and Q&A sites, most of them part of the Yahoo! Answers system (answers.yahoo.com), to spread malicious code:
Figure 1: One of the fraudulent answers in Yahoo! Answers
The fraudulent answers are often in the following forms:
“Anyway, I think this will help you http://answers-yahoo-z.tk”
“You might find the answer here http://answers-yahoo-z.tk”
“Try this http://answers-yahoo-z.tk”
Such answers entice users to visit fraudulent websites posing as Yahoo! Answers.
Figure 2: The interface of the fake website (upper image) and the real Yahoo! Answers (lower image)
You are asked to download a file which is said to contain the answer (in fact, it is a FakeAV downloader):
Figure 3: FakeAV - Security Shield
In addition to Yahoo! Answers, hackers also take advantage of many other Q&A sites for their malware-spreading campaign.
Figure 4: Many questions are taken advantage of to spread malware
In such cases, be cautious with any answer that points to another link, so as not to be deceived by the bad guys.
Trieu Minh Tuan
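The fraudulent answers quoted above all link to a host that reuses the brand name outside the real domain. The following is an added example, not code from the original post, of a moderation-side check that flags such hosts in posted answers; the brand token set, function names and sample answers are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumptions (not from the original post): the legitimate domain being
# impersonated and the brand token that identifies it inside a hostname.
LEGIT_DOMAIN = "yahoo.com"
BRAND_TOKENS = {"yahoo"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def extract_hosts(text):
    """Return the lowercase hostnames of all http(s) URLs in an answer."""
    hosts = []
    for url in URL_RE.findall(text):
        # Drop sentence punctuation that the regex picked up after the URL.
        host = urlsplit(url.rstrip(".,;:!?)")).hostname
        if host:
            hosts.append(host.lower().rstrip("."))
    return hosts


def is_lookalike(host):
    """True if host carries a brand token but is not under the real domain."""
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return False
    # Split on dots and hyphens so "answers-yahoo-z.tk" yields the token "yahoo".
    tokens = set(re.split(r"[.\-]", host))
    return bool(tokens & BRAND_TOKENS)


def suspicious_hosts(answer):
    """Hosts in a posted answer that imitate the brand from another domain."""
    return [h for h in extract_hosts(answer) if is_lookalike(h)]


# Constructed sample answers; the first three follow the forms quoted above.
SAMPLES = [
    "Anyway, I think this will help you http://answers-yahoo-z.tk",
    "You might find the answer here http://answers-yahoo-z.tk",
    "Try this http://answers-yahoo-z.tk",
    "See the earlier thread at https://answers.yahoo.com/question/index",
    "The vendor documentation is at https://example.org/docs.",
]

if __name__ == "__main__":
    for text in SAMPLES:
        print(suspicious_hosts(text) or "ok", "<-", text)
```

The check matches on hostname tokens only, so it also flags hosts that put the real domain in front of another one (for example a constructed `yahoo.com.example.tk`), while links under answers.yahoo.com pass.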