RealTime IT News

Erin Andrews Virus Infects Search, Blogs

A virus masquerading as a video of ESPN's telegenic reporter Erin Andrews is being spread through a variety of deceptive methods, leaving both Mac and Windows users vulnerable, according to security experts.

The video that the malware pretends to be does exist, but Andrews took legal action to have it removed from Web sites after news of its appearance got out. "While alone in the privacy of her hotel room, Erin Andrews was surreptitiously videotaped without her knowledge or consent. She was the victim of a crime and is taking action to protect herself and help ensure that others are not similarly violated in the future," said the law firm Bingham McCutchen in a statement.

Now, malware purveyors have built Web sites that purport to show the video, but install malware on a user's PC. Sophos has seen sites installing the OSX/Jahlav-C Trojan horse on Macintosh computers and several different viruses on Windows PCs, including Mal/EncPk-IF, a piece of malware, and Mal/FakeAV-AY, a rogue anti-virus system, said Graham Clueley, Sophos security expert, in a blog post.

The malware purveyors used all the latest technologies to get people to visit these infected sites.

"The bad guys set up legitimate-looking webpages and fire their links around via online ads, pop-ups, comment boards, Facebook, Twitter, etc, to lure us into their sophisticated traps, turning our systems into slaves. Whatever internet trend bubbles up, they jump on it, duping us into infecting our own computers," said Carole Theriault, Sophos senior security analyst, in a blog post.

One legitimate-looking site was a skilled knockoff of CNN.com.

Anyone who searches for the video now is likely to get infected.

"Virus writers have become quite adept at propagating their malware by gaming search engines to make their malicious content appear at the top of search results, " said Adam O'Donnell, Cloudmark director of emerging technologies, in an e-mail to InternetNews.com. "They do this by generating links to content that claims to be salacious materials that no legitimate party wants to link to."

According to Google Trends, at press time, "erin andrews peephole pictures" was the second most popular search on Google and "erin andrews video link" was the eighth most popular. Google had not responded to a request for comment by our press time but the gaming of its system by spammers is an ongoing problem.

Even blogs were affected through comment spam. One well-meaning Florida-based commentator, Miami New Times reporter Bob Norman, deplored media circus concerning the video in a sarcastic blog post that included a tasteful photo of Andrews. But some comments on the blog included links to infected sites, including a link to the fake CNN site.

How the criminals cash in

Sophos also reported that criminals were placing scareware on infected systems. Also known as rogue anti-spyware, this type of infection tries to dupe users to paying for fake anti-virus. The software does not cure the infection but the credit card does get charged. Then the victim's information is, presumably, sold in black markets for a few additional dollars. This was one way that Conficker cashed in.

In addition to rogue anti-virus, the criminals are engaging in click fraud, Sean-Paul Correll, Panda Security threat researcher and security evangelist, told InternetNews.com. The virus from the fake CNN site was accessing videos through paid traffic engines, he said.

"It was doing pay per click fraud," Correll said. "It starts doing Internet activity, accessing adware like yield manager.com and then accesses an ad link to a video on a site like break.com. It's making money on both ends -- from the ad network and from the video network that pays them to generate page views for the content."

"You hear sounds from the video going off in the background," he added. "They didn't even bother to block the sound."

"The interesting thing is that they're finding multiple ways of exploiting pay per click fraud," he concluded.

Correll added that some of the domains that now claim to serve Erin Andrews videos have been used for other malware campaigns in the past, targeting such keywords as "UFC 100" and "Rihanna." "The fake CNN site was pay per click fraud. Several Polish domains were spreading rogue AV," he said.