NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0345 Innocuous Searches Turning up Malware Pages:
Malware-infected pages, designed to reach a high search engine ranking, are increasingly
showing up in the first page of returns from Google, Yahoo, and Live, according to an
online IT journal. Malicious iFrames, rootkits, and fake codecs are being served up on
tens of thousands of sites returned as results for searches for such things as "alternate
router firmware" or "how to for Microsoft Excel." "Just about any search term you can
think of can be found in these pages," said Sunbelt Software researcher Adam Thomas.
The list of malware variants served up by just one installation from a seeded site
includes malicious programs such as Trojan.Crypt.XPACK.Gen, Trojan-Downloader.Small.AAGX,
Trojan-Downloader.Win32.Agent.ev, Trojan-Downloader.Win32.Agent.bnm,
Trojan-Downloader.Win32.Agent.eus, Trojan-Downloader.Gen and Trojan-Downloader.Win32.Obfuscated.n.
The malware-serving pages also contain an iFrame link that attempts to infect vulnerable
systems with a family of malware that Sunbelt calls Scam.lwin. That particular scam uses
an exploited system to generate false clicks for a pay-per-click affiliate program behind
the PC user's back. Scam.lwin also loads malware for other groups, Thomas said - in
particular, one malware group that was known to be connected with the infamous Russian
Business Network (RBN).
The seeding of malware into pages returned from searches for innocent terms has reached
epic proportions, security researchers say. Malicious iFrames, rootkits, and fake codecs
are being served up on tens of thousands of sites returned as results for searches for such
things as alternate router firmware or "how to for Microsoft Excel." For example, a Sunbelt
Software researcher recently searching for "Netgear ProSafe DD-WRT" found, on the first page
of Google returns, a page that redirected to a site pushing a fake codec. Codecs, often used
in videoconferencing or streaming media, encode a stream or signal for transmission, storage
or encryption and decode it for viewing or editing. Malware often poses as a codec, luring
victims into installing programs with the false promise of providing access to streaming
media. Sunbelt Software's president said there are now "buckets" of domains involved. He
sent eWEEK a list of 27 such domains, each of which contains 1,498 pages.
For months now, Sunbelt's Research Team has been monitoring a bot network whose only
purpose is to post spam links and relevant keywords to online forms - typically comment
forms and bulletin board forums. That network, combined with thousands of the seeded pages,
has given the attackers an excellent, if not top, search engine position for various search
terms. In fact, for the search terms in question, the first page of returns contains
multiple pages seeded with malware. Sunbelt has notified Google and has invited other
search engine companies to contact the firm for further information.
(eWEEK 27NOV07)