Websense has detected a new wave of mass injections belonging to a well-known rogue antivirus campaign. The latest mass injection attack has infected over 200,000 Web pages, amounting to close to 30,000 unique Web hosts.
The attack uses SQL injection techniques to insert a rogue script element. Users who land on one of the compromised pages get redirected through several domains and finally land on a scareware site. These sites mimic antivirus scans and tell visitors their computers are infected with malware in an attempt to convince them to download fake security programs. The programs display even more false warnings and ask users to pay for a license in order to clean their machines.
The page looks like a Windows Explorer window with a "Windows Security Alert" dialog box in it. The fake antivirus page then prompts visitors to download and run its "antivirus tool" to remove the Trojans it claims to have found. The executable is itself the Trojan.
More than 85% of the compromised websites are located in the United States. This does not mean that only US users are exposed to this threat; the sites are also visited by individuals from Turkey, Brazil, the UK, India, China, South Africa, Jordan, Canada, the Philippines and Taiwan.
Mass injection attacks are a common malware infection vector. The hackers exploit the trust users associate with the infected sites in order to push scareware or launch drive-by downloads. In other circumstances, the search engine rank of compromised sites can be exploited to poison search results for popular keywords with malicious links, in what are known as black hat SEO attacks.
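As an added defender-side example, not part of the Websense report, the following Python script scans exported page or CMS text content for script elements whose src points to a host outside an allowlist, which is the kind of injected element a mass SQL injection of this sort leaves behind in stored content. The allowlisted hosts, the sample rows and the injected.invalid domain are constructed placeholders.

```python
import html.parser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (hypothetical allowlist).
ALLOWED_SCRIPT_HOSTS = {"www.example.com", "cdn.example.com"}


class ScriptSrcCollector(html.parser.HTMLParser):
    """Collects the src attribute of every <script> element in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value.strip())


def suspicious_script_sources(document, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return script src values pointing at hosts outside the allowlist.
    Relative URLs (same origin) are treated as trusted."""
    parser = ScriptSrcCollector()
    parser.feed(document)
    flagged = []
    for src in parser.sources:
        # Scheme-relative "//host/x.js" needs a scheme before urlparse sees a host.
        url = "http:" + src if src.startswith("//") else src
        host = urlparse(url).hostname
        if host and host.lower() not in allowed_hosts:
            flagged.append(src)
    return flagged


def scan_rows(rows, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Scan (row_id, text) pairs, e.g. exported CMS text columns, and report
    the rows whose stored text carries a script element pointing off-site."""
    hits = {}
    for row_id, text in rows:
        sources = suspicious_script_sources(text, allowed_hosts)
        if sources:
            hits[row_id] = sources
    return hits


# Constructed sample rows: two clean, one carrying an injected script element.
SAMPLE_ROWS = [
    (1, '<p>Welcome</p><script src="/js/app.js"></script>'),
    (2, '<p>News</p><script src="http://injected.invalid/x.js"></script>'),
    (3, '<p>About</p><script src="https://cdn.example.com/lib.js"></script>'),
]

if __name__ == "__main__":
    for row_id, sources in scan_rows(SAMPLE_ROWS).items():
        print(f"row {row_id}: off-site script(s) {sources}")
```

On a real site the rows would come from a dump of the text columns the pages are rendered from, and the allowlist from the site's own templates.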