McAfee FP news misused for more SEO poisoning
We're now seeing a fiercely concentrated Blackhat SEO campaign exploiting the McAfee False Positive (FP) problem.
Juraj Malcho, our Head of Lab in Bratislava, reports that in a Google search like the one I've screendumped above, he got three malicious hits in the top ten (the same ones captured here: of course, the malicious domain names have been whited out) and 11 in the top 20. Subsequent searches using different search strings are finding even more hits, so right now, Google is well and truly poisoned.
Characteristically, hits at the moment come up with the titles "Mcafee Dat 5958" or "Mcafee 5958", but this has changed since earlier on, and will no doubt change again.
The malicious URLs seem to take the form
[domain name]/[random 5 letter string].php?on=mcafee%20dat%205958
or
[domain name]/[random 5 letter string].php?on=mcafee%205958
Of course, this is likely to change too. They redirect to a site which tries to download fake AV detected as one of the following:
- Win32/Adware.VirusAlarmPro
- a variant of Win32/Kryptik.DWC trojan
- Win32/TrojanDownloader.FakeAlert.ALW trojan
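For anyone wanting to hunt for this pattern in their own web proxy logs, here is an added example (not from the original post or from ESET) that encodes the URL shape described above: a five-letter `.php` path with an `on=` query value that decodes to one of the two lure strings. Because the post says the pattern is likely to change, the check also reports a lower-confidence "suspect" verdict for any `on=` value starting with "mcafee". The log lines, the `example-bad.test` / `example-news.test` hostnames and the log format are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path shape reported in the post: /<five letters>.php
PATH_RE = re.compile(r"^/[A-Za-z]{5}\.php$")

# Query values reported in the post, compared after percent-decoding
KNOWN_LURES = {"mcafee dat 5958", "mcafee 5958"}

# Constructed proxy log lines (timestamp, client, method, URL); not real data
SAMPLE_LOG = """\
2010-04-22T10:01:05Z 10.0.0.12 GET http://example-bad.test/qwzrt.php?on=mcafee%20dat%205958
2010-04-22T10:01:09Z 10.0.0.12 GET http://example-bad.test/abcde.php?on=mcafee%205958
2010-04-22T10:02:11Z 10.0.0.17 GET http://www.mcafee.com/apps/downloads/security-updates/security-updates.aspx
2010-04-22T10:03:30Z 10.0.0.21 GET http://example-bad.test/index.php?on=mcafee%20superdat
2010-04-22T10:04:02Z 10.0.0.30 GET http://example-news.test/2010/04/mcafee-dat-5958-false-positive.html
"""


def classify_url(url):
    """Return 'known' for the exact pattern from the post, 'suspect' for a
    looser 'on=mcafee...' lure, or None for anything else."""
    parts = urlsplit(url)
    values = parse_qs(parts.query).get("on", [])
    on_value = values[0].strip().lower() if values else ""
    if PATH_RE.match(parts.path) and on_value in KNOWN_LURES:
        return "known"
    if on_value.startswith("mcafee"):
        return "suspect"
    return None


def scan_log(text):
    """Return a list of (client, url, verdict) for every flagged log line."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash
        client, url = fields[1], fields[3]
        verdict = classify_url(url)
        if verdict:
            hits.append((client, url, verdict))
    return hits


if __name__ == "__main__":
    for client, url, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:8} {client:12} {url}")
```

The exact-match branch is deliberately strict (path length and decoded lure string) so that legitimate vendor pages and news articles about the false positive are not flagged; the "suspect" branch exists only to catch the next variation of the lure and should be reviewed by a human rather than blocked automatically.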
Thanks to Juraj and to Cristian Borghello for their continuing research and information.
David Harley CISSP FBCS CITP
Research Fellow & Director of Malware Intelligence
ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter:
http://twitter.com/esetresearch; http://twitter.com/ESETblog
ESET White Papers Page: http://www.eset.com/download/whitepapers.php
Securing Our eCity community initiative: http://www.securingourecity.org/
Also blogging at:
http://amtso.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macvirus.com/
http://chainmailcheck.wordpress.com
http://smallbluegreenblog.wordpress.com/
One Response to “McAfee FP news misused for more SEO poisoning”
April 24th, 2010 at 2:47 am
Is this the Black Hat SEO? I googled its definition and it says "Black Hat search engine optimization is customarily defined as techniques that are used to get higher search rankings in an unethical manner." So I guess, this is really what it is…