Sunbelt Software reported on March 7 that the Windows Live search engine in Italy had been taken over by malware writers, with some 95 percent of search results on “hot” keywords leading to “extremely nasty malware and exploit sites [including] rustock.b or Gromozon.”
The next day, Symantec reported that it had found encrypted Javascript redirecting visitors. Symantec found that some of the domains returned by Windows Live were opening popup boxes and pages with false Windows error messages—what Symantec called a typical social engineering scam to lure people into installing malware such as WinFixer or ErrorSafe. Symantec describes those programs as being security risks that give “exaggerated reports” of computer threats. They’re only installed if a victim clicks “yes” to begin installation.
Symantec also found that a subset of the malevolent domains returned by Windows Live were redirecting Italian computers to malicious sites containing exploits and malware. As of March 8, Symantec reported that the only machines being affected were those with Italian IP addresses, due to server-side checks to verify users’ origins implemented by the gang.
Symantec described the crooks’ modus operandi like this: First, Symantec says, the malware gang came up with a lengthy list of hot search words. Here’s a sample of hot keywords that Symantec provided, along with rough translations:
“ricetta baci perugina (popular Italian chocolates)contratto collettivo colf (type of work contact)finanziamento online (online mortgage)cerco lavoro nave crociera (search job ship cruise)fastweb wind tele2 (some popular Italian mobile providers)traduzione testo canzone (translation lyric song)ministero sanita iscrizione (health subscription)modella calendario (model calendar)giubbotto pelle (jacket leather)incontro annuncio personale (personal announcement)“
The gang then registered a host of domain names with various space providers using other Italian words, Symantec says, that were permutations of the hot keywords. Symantec says that the URL format used by the gang follow this format: http://[number].[random_italian_word].com/[keywords_permutation].
Here’s an example from Symantec’s list, using the word “giubbotto” (jacket):
hxxp://7.altruidismala.com/giubbottouomoinpelle hxxp://19.unavisita.com/giubbottouomopelle
Searching on Windows Live Italy provided people with “weird links” such as these, Symantec said. The links are likely to be related to Gromozon, a type of spyware that hides inside system-critical processes and starts up even in safe mode. Wikipedia has a fuller description of Gromozon here.
Besides loading up with hot keywords and thus ensuring that their sites would appear high on search results, the malware gang went a step further, putting on each site a page that includes links to legitimate sites related to a given keyword. Each of these pages also contains encrypted Javascript, Symantec said, which serves to redirect visitors.
The goal, Symantec says, is to create “a sophisticated and intricate spider web of self-referenced Web pages that will get the highest rank from Internet search engines.” Symantec says this of the algorithms behind the strategy:
“…search engine algorithms analyze how pages are linked using graph theories. The more a page is referenced by external links, the more popular this page becomes. The web spider structure (the structure of pages like the ones created by the Gromozon gang) is used to trick the search engines into displaying the specific results the attackers want.“
Microsoft hadn’t returned an inquiry as to the status of the Live takeover by the time this was posted.