Google searches for a number of security products and vendors — including F-Secure, Norton, McAfee and Trend Micro — have yielded advertisements with links to rogue products, Patrik Runald, chief security adviser at F-Secure told SCMagazineUS.com Friday.
Links to the rogue sites are located not in search results, but advertisements that appear to the right of search results on Google. Runald said he discovered this on Thursday when he was doing a Google search for his company, F-Secure.
“I was just doing a search for F-Secure and saw a suspicious ad on the right hand side, and found it lead to a fake security product,” Runald said.
On Thursday Runald alerted Google and they took down the malicious ad promptly, he said. But afterwards, he started searching for other security firms and products and as of Friday afternoon, had found malicious ads appearing on searches for Norton, McAfee, and Trend Micro as well.
Runald said many of the ads are extremely similar regardless of what security companies a user searches for. The ads say “free AV,” “free anti-spyware,” or “clean up your PC.”
“I have only spent two hours checking and have been able to find five to 10 tools that are all fake,” Runald said.
If a user downloads the products — which have been called “Error Repair Tool” and “RegFix Pro” — it will say a user’s PC has a number of “errors” or “problems,” and will then ask the user to fork over $39.95 for the product.
Craig Schmugar, threat researcher at McAfee, said that there is more research to be done on this threat, but based on what he has seen these are not fake anti-virus products. The difference is that fake AV products pretend to scan a user’s system and find fake viruses and cause a number of problems, whereas this rogue software is based on some limited, if misleading, truth.
When this program scans a users system it will find a number of “problems” that are not really severe. For example, when a user deletes a program, but does not delete the icon for the program on their desktop, the program will find the icon as one of the “problems” that needs to be cleaned. In reality, the icon leads nowhere, but it’s likely not causing any problems by being there, Schmugar said.
“The problems that they are finding are not critical errors and aren’t causing any problems with the operating system running properly,” Schmugar said.
He added that the program is very aggressive in the way that it reports the errors it’s finding.
Schmugar said software is kind of in a gray area — he wouldn’t call it malicious, but rather, “buggy.”
A Google spokesman told SCMagazineUS.com Friday in an email that though these sites are not necessarily serving malware, they are in violation of Google’s policy.
“We actively work to detect and remove sites that serve malware in our ad network, and we immediately suspend accounts found to contain ads that point to sites that install malware,” the spokesman said. “That said, I’m not sure that this is strictly malware because my understanding of the site is that it gives users who download the program false positives to get them to send their money. Per our AdWords Content Policy, advertising is not permitted for sites that make false claims.”