More than a million false domains download malware using the name of a well-known car manufacturer as bait

PandaLabs, Panda Security’s malware detection and analysis laboratory, has detected a black hat SEO attack (Search Engine Optimization) using the name of the Ford car manufacturer as bait to distribute malware on the Internet. Specifically, PandaLabs has discovered 1.2 malicious results in searches related to the Ford Motor Co. which point to these malicious pages. The malware is distributed as follows: When users searching for information about Ford click one of the malicious results, they are taken to a Web page in which it seems as if they are about to see a video. If they try to watch the video, they will be prompted to download another program. This program, however, is really a fake antivirus.

PandaLabs has detected two fake antivirus programs that are distributed in this way: MSAntiSpyware2009 and Anti-Virus-1. These fake antiviruses are designed to make users believe that their computers have been infected by malware. They do this by simulating a scan of the system and supposedly detecting malware. Users are then offered the chance –through pop-ups and banners- to buy the pay version of the fake antivirus to clean their computers. If they don’t buy it, the malicious code will prevent the computer from operating properly in an attempt to coax users into buying the product. This type of malware has increased significantly over the last year.

According to data from PandaLabs, the number of variants of fake antiviruses has increased one hundredfold between the first quarter of 2008 and the corresponding period in 2009. In fact, in the first three months of 2009 no less than 111,086 new strains of fake antiviruses were detected, 20% more than in the whole of 2008. “These malicious codes are designed to generate profits for their creators buy tricking users into buying the pay-version of the product”, explains Luis Corrons, Technical Director of PandaLabs. One of the most notable features of this infection, according to the Panda Security laboratory, is that it is one of the few black hat SEO attacks to focus on a single brand. You can watch a video describing the infection process here.