Related search results poisoned with malicious links

Apr 22, 2010 13:43 GMT

A false positive (FP) malware detection incident, which affected McAfee customers yesterday, is being exploited by cybercrooks to spread scareware. A black hat search engine optimization (BHSEO) campaign that poisoned search results related to the unfortunate event has been observed.

On April 21, 2010, a malware definitions update containing a buggy detection routine was pushed by leading security vendor McAfee to its customers. As a result, a critical file called svchost.exe was erroneously detected and blocked on systems running Windows XP with Service Pack 3.

The incident forced millions of computers into an endless reboot loop and sent a huge number of users onto the Internet in search of answers. In fact, the search traffic related to the incident was so large that, at the time of writing this article, "mcafee update" sits at number five in Google Trends' list of hot search topics for the USA.

Unfortunately, as demonstrated numerous times in the past, cybercriminals are closely watching these statistics too and don't miss any opportunity to exploit popular events. Apparently, the latest incident is no different in this respect, and Graham Cluley, senior technology consultant at Sophos, warns that "By using blackhat SEO techniques, cybercriminals have managed to get poisoned webpages high in the search rankings if you hunt for information on the McAfee false positive."

His findings are backed up by fellow security researchers from ESET, the creators of NOD32 Antivirus. "Our labs in Bratislava and Latin America have advised us that they've seen SEO poisoning relating to the issue, and pointing to malicious sites that attempt to install fake antivirus (for which we have detection)," David Harley, director of malware intelligence with the company, advises.

Though somewhat ironic, this is not the first case of scareware pushers exploiting the problems of a security company to their own advantage. Back in March 2009, a similar BHSEO campaign poisoned search results related to an unsigned PIFTS.EXE file released by Symantec, which created mass confusion amongst its customers.

Obviously, users are advised to exercise caution when deciding to visit links in search results, especially if those URLs point to domains previously unknown to them. If suddenly bombarded with security warnings from a website, users should immediately kill the entire browser process and perform a local malware scan with a capable, up-to-date antivirus program.