
You probably saw that whole “Obama birth certificate” thing yesterday.

You’re also aware this means hunting around for pictures of his birth certificate is going to result in Rogue AV files popping up.

The first page of Google Image Search:


That one in the middle was (until a little while ago) using a Java exploit to install the Security Shield rogue.


You may want to avoid both tdssdt45(dot)cz(dot)cc and lopasana32(dot)cz(dot)cc. VirusTotal currently gives us 10/42, and we detect it as FraudTool.Win32.MSRemovalTool.ek!a (v).

Elsewhere, we have more rogue action – our old friend bestrxfinder(dot)com served up another search engine site, topdaofinder(dot)com, which directed the end-user to freemobilescannerprotection(dot)com after clicking on a search result. You wanted a birth certificate, you ended up with XP Anti-Spyware 2011.


Whoops. We catch that one as FraudTool.Win32.FakeRean.d(v). Big news stories will always result in a wave of Rogue AV in both regular search and image links, so be careful where you click (as much as you possibly can, at any rate).
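For anyone checking proxy logs for the redirect chain described above, here is an added example (not part of the original post) that refangs the domains named here and rebuilds the Referer path leading to each hit. The log format (`client url referer`), the client addresses, the URL paths and the `example.test` hosts are assumptions made up for the sample.

```python
import re
from urllib.parse import urlsplit

# Domains named in the post, kept in its "(dot)" defanged notation.
DEFANGED = ["tdssdt45(dot)cz(dot)cc", "lopasana32(dot)cz(dot)cc",
            "bestrxfinder(dot)com", "topdaofinder(dot)com",
            "freemobilescannerprotection(dot)com"]

def refang(s):
    """Turn 'a(dot)b' or 'a[.]b' into a plain lowercase hostname for matching."""
    return re.sub(r"\(dot\)|\[\.\]", ".", s.strip().lower())

BLOCKLIST = {refang(d) for d in DEFANGED}

def host(url):
    return (urlsplit(url).hostname or "").lower()

def listed(h):
    """True for a listed domain or a subdomain of it, not a look-alike suffix."""
    return any(h == d or h.endswith("." + d) for d in BLOCKLIST)

def flag_chains(log_lines):
    """Return (client, [hosts, entry point first]) per path ending on a listed host."""
    # Assumed log format: 'client url referer', space separated, '-' = no referer.
    came_from, hits = {}, []
    for line in log_lines:
        client, url, referer = line.split()
        came_from[(client, url)] = referer
        if listed(host(url)):
            hits.append((client, url))
    chains = []
    for client, url in hits:
        chain, seen = [], set()
        while url != "-" and url not in seen:      # 'seen' stops referer loops
            seen.add(url)
            chain.append(host(url))
            url = came_from.get((client, url), "-")
        chains.append((client, chain[::-1]))
    # Report each path once: drop chains that are a prefix of a longer one.
    return [c for c in chains if not any(
        o[0] == c[0] and len(o[1]) > len(c[1]) and o[1][:len(c[1])] == c[1]
        for o in chains)]

# Constructed proxy log: clients, paths and the example.test hosts are invented.
A, B, C = (f"http://{refang(d)}" for d in DEFANGED[2:])
SAMPLE_LOG = [
    f"10.0.0.5 {A}/ http://search.example.test/?q=birth+certificate",
    f"10.0.0.5 {B}/results {A}/",
    f"10.0.0.5 {C}/scan {B}/results",
    "10.0.0.9 http://news.example.test/story -",
]
```

Calling `flag_chains(SAMPLE_LOG)` reports one path for the first client, from the search page through each of the three sites to the final rogue download host, and nothing for the second client.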

Thanks to Matthew, Adam and Patrick.

Christopher Boyd