Our researcher Patrick Jordan ran one of the installers from seriall.com, which is an old fake serial crack site where one can get infected waaaaay too easily. It created a run32.dll which functions as a redirector. When a victim of this searches for the string “remove spyware,” the infected computer redirects the browser to the web page of security firm Webroot. Clicking on the “Business” tab there then takes the browser to a redirect site.
On the left is the Webroot page redirect from an infected box, and on the right is the same action from a clean box.
The sites that it redirects to are typical info-stealing sites with cheap pay-per-click search pages.
Sunbelt already detects the installer and the dll as Trojan.Win32.Generic!BT.
Just to clarify: this is not a Webroot issue, the Trojan simply redirects a victim’s browser to the Webroot page to give an appearance of authenticity before redirecting it on to a malicious site.
Thanks Patrick
Tom Kelchner