Cyber-threats exploit McAfee glitch to spread scareware attacks

Hackers are exploiting a problem with McAfee’s enterprise anti-virus (AV) product that has reportedly caused hundreds of thousands of computers to become inoperable by repeatedly rebooting themselves, rival AV software vendor Sophos is warning.

Sophos says that McAfee issued a detection update on 21 April which mistakenly detected a harmless Windows file, svchost.exe, as "W32/Wecorl.a", and caused critical problems on affected PCs. McAfee is discussing the problem on its user community forum, but news of the problems is spreading via blogs and forum postings, as the company itself has yet to post a general alert or advisory on its own website as of 14:45hrs GMT 22 April (2010).

Sophos believes that hackers are compounding the problem by using ‘blackhat’ SEO (search engine optimisation) techniques to create webpages stuffed with content which appears to be related to McAfee's false alarm problem, but are really designed to infect visiting computers.

Sophos has identified malicious webpages which appear on the first page of Google results if users search for phrases associated with McAfee’s false positive, says Sophos senior technology consultant Graham Cluley: “It’s bad enough if many of the computers in your company are out of action because of a faulty security update - but it’s even worse if you infect your network by Googling for a fix," he comments.

“These poisoned pages are appearing on the very first page of search engine results, making it likely that many will click on them: if you visit the links you may see pop-up warnings telling you about security issues with your computer,” Cluley adds. “These warnings are fake and designed to trick you into downloading dangerous software, which could result in hackers gaining control of your corporate computers or the theft of your credit card details.”
