[Emerging-Sigs] "ET TROJAN FakeAV Landing Page"

Marcos Orallo morallo at tb-security.com
Tue Dec 18 04:58:19 HAST 2012

Hi all,

I have regular detections from this rule, together with this other one:
"ET CURRENT_EVENTS Ponmocup Redirection from infected Website to

>From what I understand, I suppose this is just a landing page to show a
false antivirus scan and persuade the user to download and install a
fake AV.
However, the rule is labeled as "TROJAN" in trojan.rules file, and
classified as "trojan-activity". I had the impression this type of rule
triggered only when there has already been an infection.

Maybe it should be moved to CURRENT_EVENTS?


More information about the Emerging-sigs mailing list