Malware Poisoning Results for Innocent Searches

The seeding of malware into pages returned from searches for innocent terms has reached epic proportions, security researchers say.

Malicious iFrames, rootkits and fake codecs are being served up on tens of thousands of sites returned as results for searches for such things as alternate router firmware or “how to for Microsoft Excel.”

For example, recently a Sunbelt Software researcher, Adam Thomas, searching for “Netgear ProSafe DD-WRT,” found on the first page of Google returns a page that redirected to a site pushing a fake codec.

Codecs, often used in videoconferencing or streaming media, encode a stream or signal for transmission, storage or encryption and decode it for viewing or editing. Malware often poses as a codec, luring victims into installing programs with the false promise of providing access to streaming media.

Sunbelt Software President Alex Eckelberry told eWEEK there are now “buckets” of domains involved. He sent eWEEK a list of 27 such domains, each of which contain 1,498 pages.

Click here to read about an attack on Monster.com that was reportedly linked to the Russian Business Network.

The list of malware variants being served up from just one installation from a seeded site is staggering: A portion of the list includes such nastiness as Trojan.Crypt.XPACK.Gen, Trojan-Downloader.Small.AAGX, Trojan-Downloader.Win32.Agent.ev, Trojan-Downloader.Win32.Agent.bnm, Trojan-Downloader.Win32.Agent.eus, Trojan-Downloader.Gen and Trojan-Downloader.Win32.Obfuscated.n.

And although Thomas refers to Google search returns in his Nov. 27 blog post on the subject, the results from multiple major engines are the same, including returns from Yahoo and Microsoft Live.

Thomas said in his post that Sunbelt has found the seeded sites to have been “meticulously created” in order to reach a high search engine ranking. “Just about any search term you can think of can be found in these pages,” he said. For example, hundreds of search terms including the word “hospice” have been seeded with malware.

For months now, Sunbelts Research Team has been monitoring a bot network whose only purpose is to post spam links and relevant keywords to online forms—typically comment forms and bulletin board forums, Thomas said in his posting. That network, combined with thousands of the seeded pages, has given the attackers an excellent, if not top, search engine position for various search terms. In fact, for the search terms in question, the first page of returns contains multiple pages seeded with malware.

The malware-serving pages also contain an iFrame link that attempts to infect vulnerable systems with a family of malware that Sunbelt calls Scam.Iwin. That particular scam uses an exploited system to generate false clicks for a pay-per-click affiliate program behind the PC users back. Scam.Iwin also loads malware for other groups, Thomas said—in particular, one malware group known to be connected with the infamous RBN (Russian Business Network).

Sunbelt has notified Google and has invited other search engine companies to contact the firm for further information.

Exploit Prevention Labs Roger Thompson blogged about the same issue on Nov. 21, citing a list of search terms that return rootkits for such innocent strings as “currency converter,” “americanexpress/activate,” and “knitted or crocheted dachshund patterns.”

In a Nov. 26 blog post, Sunbelts Eckelberry outlined some of the search result seedings going on recently, calling the amounts of redirects found in recent days “massive.”

Sunbelt has posted a list of seeded search terms here (PDF). EPLs Thompson posted another list on Nov. 26.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.