Sunbelt Software reported on March 7 that the Windows Live search engine in Italy had been taken over by malware writers, with some 95 percent of search results on “hot” keywords leading to “extremely nasty malware and exploit sites [including] rustock.b or Gromozon.”
Symantec also found that a subset of the malevolent domains returned by Windows Live were redirecting Italian computers to malicious sites containing exploits and malware. As of March 8, Symantec reported that the only machines being affected were those with Italian IP addresses, due to server-side checks to verify users’ origins implemented by the gang.
Symantec described the crooks’ modus operandi like this: First, Symantec says, the malware gang came up with a lengthy list of hot search words. Here’s a sample of hot keywords that Symantec provided, along with rough translations:
“ricetta baci perugina (popular Italian chocolates)contratto collettivo colf (type of work contact)finanziamento online (online mortgage)cerco lavoro nave crociera (search job ship cruise)fastweb wind tele2 (some popular Italian mobile providers)traduzione testo canzone (translation lyric song)ministero sanita iscrizione (health subscription)modella calendario (model calendar)giubbotto pelle (jacket leather)incontro annuncio personale (personal announcement)“
The gang then registered a host of domain names with various space providers using other Italian words, Symantec says, that were permutations of the hot keywords. Symantec says that the URL format used by the gang follow this format: http://[number].[random_italian_word].com/[keywords_permutation].
Here’s an example from Symantec’s list, using the word “giubbotto” (jacket):
Searching on Windows Live Italy provided people with “weird links” such as these, Symantec said. The links are likely to be related to Gromozon, a type of spyware that hides inside system-critical processes and starts up even in safe mode. Wikipedia has a fuller description of Gromozon here.
The goal, Symantec says, is to create “a sophisticated and intricate spider web of self-referenced Web pages that will get the highest rank from Internet search engines.” Symantec says this of the algorithms behind the strategy:
“…search engine algorithms analyze how pages are linked using graph theories. The more a page is referenced by external links, the more popular this page becomes. The web spider structure (the structure of pages like the ones created by the Gromozon gang) is used to trick the search engines into displaying the specific results the attackers want.“
Microsoft hadn’t returned an inquiry as to the status of the Live takeover by the time this was posted.