Compromised websites have been an attractive target for cyber-criminals. These websites distribute different malware designed to steal valuable information from the victim’s machine.

Compromised websites contain scripts and iframes that redirect the user or download other malware.


The link to the compromised website may arrive via email as part of a spam campaign to lure the user into clicking the malicious link. Once the user accesses the compromised website, it shows a fake message box about critical process activity on the computer.


On clicking the OK button, it opens a .PNG file hosted on the compromised site. This .PNG file shows a fake alert image that pretends to be from a security product, scares the user into thinking the computer is infected by critical malware, and suggests that the user clean the computer.


The compromised website has another iFrame that allows downloading a malicious file when the user attempts to click on the .PNG file.


Once executed, the malicious file shows a variety of fake security alerts and warnings. This rogue variant also uses a different GUI depending on the version of the operating system it infects.


[Screenshots: the rogue's GUI on Windows 7 and on Windows Vista]

Finally, it attempts to convince the user to purchase the full version of the fake product.

McAfee strongly recommends that users exercise caution when opening unsolicited emails. Ensure your anti-malware protection is up to date. Use a reputable firewall. Beware of drive-by downloads when visiting any new websites. McAfee detects this malware as “FakeAlert-FFO” and the .jar file as “Exploit-CVE2012-1723”.