Often you'll get these browser-based fake AV popups as a result of SEO and/or DNS poisoning, not so much from any 'errant' click.
Erik Goldoff
IT Consultant
Systems, Networks, & Security
'Security is an ongoing process, not a one time event!'

From: Jeff Bunting [mailto:bunting.j...@gmail.com]
Sent: Friday, May 20, 2011 9:18 AM
To: NT System Admin Issues
Subject: Re: Fake AV site

More so to crop the password toolbar and other tabs I had open (no, there was nothin' naughty, I promise!). The domain name is visible on the file download warning; the page was index.php with a long string of characters as a parameter to it. I didn't go back to see if the parameter was necessary to launch that particular page; maybe this weekend in a VM if I'm bored. I have the URL and page source (obfuscated JavaScript) saved.

On a related note, does anyone know how to search within the Temporary Internet Files on Win7? I'm curious as to where this site came from; I think it may have been an errant click on an advertisement. I was going to try a findstr on the directory, but it's all hidden and virtualized now; what you see in Explorer is not what you see on the command line. Of course, I may not find a thing if it was a redirect from an ad site, but thought it worth knowing how to do anyway.

On Fri, May 20, 2011 at 8:00 AM, Erik Goldoff <egold...@gmail.com> wrote:

Jeff, did you intentionally crop the top of the screen capture to eliminate the URL?

Erik Goldoff
IT Consultant
Systems, Networks, & Security
'Security is an ongoing process, not a one time event!'

From: Matthew B Ames [mailto:matthew.a...@qinetiq.com]
Sent: Friday, May 20, 2011 4:02 AM
To: NT System Admin Issues
Subject: RE: Fake AV site

I saw that site about a week ago when I was at home. I think I was using Chrome at the time, however. Likewise, I just closed my browser tab (and performed a full scan with ESET).

From: Jeff Bunting [mailto:bunting.j...@gmail.com]
Sent: 20 May 2011 01:29
To: NT System Admin Issues
Subject: Fake AV site

Ran across a fake AV site this evening, with a faux Windows Explorer web page.
Anyone have favorite places to report this sort of thing? I sent the URL to Google's malware reporting; didn't know if there were other well-regarded places to submit these.

Here's a .png screenshot of the web page I took if anyone's interested (SkyDrive). The green progress bar was animated and completed its "scan" before the "Windows Security Alert" popped up. The page was easily closed by killing the IE tab (the domain name appears in the image).

http://public.blu.livefilestore.com/y1pHzOqf6GUpj4i-Jmq3CZd6VhkMg0yNK33pu-4PcTBzLjmkydC3bY_BUfYoKsbnH-a7DaUXp9fq8CyGwHEQAepWw/FakeAV.png?psid=1

Jeff

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
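Jeff's question about searching the Temporary Internet Files on Windows 7 comes up often enough in this kind of follow-up that a worked answer is useful. The PowerShell script below is an added example, not code posted by anyone in this thread. It assumes the default IE cache location under %LOCALAPPDATA% (which includes the hidden Content.IE5 folder and the Protected Mode "Low" cache) and uses an obviously fake placeholder domain, fakeav.example.invalid, since the real domain in this thread is only visible in the screenshot. The point is the one Jeff ran into: Explorer shows a virtual view of that folder, so you need -Force to reach the hidden and system files that actually hold the cached pages.

```powershell
# Added example (not from the thread): search the IE cache on Windows 7 for a
# string such as the fake-AV domain, including the hidden/system Content.IE5
# folders and the Protected Mode "Low" cache that Explorer's virtual view hides.
# $Domain is a placeholder; replace it with the domain from your own capture.
param(
    [string]$Domain = 'fakeav.example.invalid',   # placeholder, not a real indicator
    [string]$Cache  = (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files')
)

# -Force exposes the hidden/system cache folders (Content.IE5, Low\Content.IE5)
# that Explorer and a plain "dir" without /a leave out.
$files = Get-ChildItem -Path $Cache -Recurse -Force -ErrorAction SilentlyContinue |
         Where-Object { -not $_.PSIsContainer }

# Look for the domain in cached HTML/JS (a referring page or ad frame, if any,
# will contain a link or redirect to it) and in index.dat, whose URL records are
# plain ASCII inside an otherwise binary file. -List stops at the first match
# per file; -SimpleMatch treats the dots in the domain literally.
$hits = foreach ($f in $files) {
    $m = Select-String -Path $f.FullName -Pattern $Domain -SimpleMatch -List -ErrorAction SilentlyContinue
    if ($m) {
        New-Object PSObject -Property @{
            File     = $f.FullName
            Modified = $f.LastWriteTime
            Snippet  = $m.Line.Substring(0, [Math]::Min(120, $m.Line.Length))
        }
    }
}

# Oldest hit first: the earliest cached item that mentions the domain is the
# best candidate for where the redirect chain started (an ad frame, a poisoned
# search result), which is what the "where did this come from" question needs.
$hits | Sort-Object Modified | Format-Table Modified, File, Snippet -AutoSize
```

Run it as the user whose profile you are examining, not from an elevated prompt under a different account, or $env:LOCALAPPDATA points at the wrong cache. Close IE first: index.dat and some cache entries may be locked while the browser is open, and the -ErrorAction SilentlyContinue on Select-String would quietly skip them. If the fake page was reached through a redirect from an ad network, the hit you want is in the ad frame's cached HTML rather than the landing page itself, which is why the script searches every file rather than only .htm entries.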