
Search Engine poisoning...


60 replies to this topic

#16 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 30 September 2009 - 08:53 AM

FYI...

SEO Poisoning - MS Security Essentials ...
- http://securitylabs....lerts/3485.aspx
09.30.2009 - "Websense... has discovered that search engine results for information on how to download Microsoft's recently released Security Essentials tool are returning links to Web sites that serve rogue AV. Malware authors have used Search Engine Optimization (SEO) techniques to mix rogue search results in with legitimate results. For example, one of the rogue links is directly under an MSDN blog entry discussing Microsoft Security Essentials. The rogue redirects are hosted on compromised Web sites, including a Canadian publisher's Web site and the British Travel Health Association. When a user browses to the compromised Web sites, so long as they have been referred by a search engine, they are redirected to malicious Web sites with domain names such as computer-scanner21 and computervirusscanner31. An example of one of the payload files shows that AV detection is low. One such file is named Soft_71.exe (SHA1: 4e58a12a9f722be0712517a0475fda60a8e94fdc). If the user downloads the application, a file with extension .tif is downloaded in the "program files\TS" directory as TSC.exe and system.dat (the .tif file is decrypted/decompressed and split). The payload then executes "tsc.exe -dltest", which apparently connects to a NASA Web site to check internet connectivity. Finally, "tsc.exe" is executed with no parameters, and the rogue AV starts. (In the background, the original file is deleted.) Since yesterday the Websense ThreatSeeker Network has been monitoring SEO poisoning of search terms related to Microsoft Security Essentials. It appears that the malware authors set up a trial run of SEO poisoning techniques, before converting the redirects to deliver rogue applications today..."

(Screenshots available at the Websense URL above.)

:ph34r: :ph34r: :ph34r:

The machine has no brain. Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...



#17 AplusWebMaster

Posted 30 September 2009 - 02:00 PM

FYI...

SEO Poisoning - Google Wave
- http://securitylabs....lerts/3486.aspx
09.30.2009 - "Websense... has detected that Google searches on terms related to Google Wave return results that lead to a rogue antivirus. Google Wave is the much-talked-about latest API hitting the collaboration scene today. There's a lot of hype about the launch of Google Wave, not only because of the 'new' things it offers but also because Google invited only 100,000 lucky users to test the service. With that said, it's no surprise that users are enticed to this new application. Unfortunately, it's also no surprise that the bad guys are using this hype to manipulate search results...
Malware sample 1:
http://www.virustota...b5fe-1254334125
File Soft_88s2.exe received on 2009.09.30 18:08:45 (UTC)
Result: 6/41 (14.63%)
Malware sample 2:
http://www.virustota...b5fe-1254330166
File Soft_207.exe received on 2009.09.30 17:02:46 (UTC)
Result: 7/41 (17.07%)
Malware sample 3:
http://www.virustota...a76d-1254330677
File setup_build7_201.exe received on 2009.09.30 17:11:17 (UTC)
Result: 4/41 (9.76%)
Malware sample 4:
http://www.virustota...ab34-1254331243
File setup.exe received on 2009.09.30 17:20:43 (UTC)
Result: 9/41 (21.95%) ..."

(Screenshots showing Google Wave-related Google search results and Rogue AV at the Websense URL above.)

:ph34r: :ph34r:



#18 AplusWebMaster

Posted 01 October 2009 - 05:45 AM

FYI...

SEO poisoning - Samoa Earthquake News leads to Rogue AV
- http://www.f-secure....s/00001779.html
September 30, 2009 - "It seems SEO poisoning is the current "trend" for directing users to rogue antivirus software. These SEO poisoning attacks usually exploit major news topics, the latest of which is the September 29th earthquake off Samoa, which triggered a tsunami warning for numerous South Pacific islands, as well as Hawaii. Readers looking for news articles on the earthquake may come across this page in the Google search results... On clicking the link, the user is redirected to a series of sites via 302 redirects... The final landing page warns the user that their "system is infected"... The Windows Security Center warning looks authentic enough, but it is fake. Users are prompted to download rogue antivirus software. As usual, be careful when browsing..."

(Screenshots available at the URL above.)

:ph34r: :ph34r:



#19 AplusWebMaster

Posted 29 October 2009 - 01:56 PM

FYI...

Halloween rogue AV
- http://www.eset.com/...r-search-engine
October 29, 2009 - "... the fake/rogue AV gang have started on their Halloween special, and this time... it's the same old SEO (Search Engine Optimization) poisoning ploy... I'm looking through a list of keywords currently being used by a particularly prolific Black Hat SEO campaign which has been updated to reflect the sort of stuff that people – and certainly American people - are likely to be searching for at this time of year. I'm looking through a list of thousands of words and phrases, so I'm not going to list them all here... However, if you use common search engines like Google to look for terms like those above and a great many others, you're likely to find a lot of links at the top of the results lists that lead you to fake security software. This claims to find imaginary malware on your system, with the ultimate intention of defrauding you of money and possibly of harvesting your credit card details, for example..."

- http://blog.trendmic...-online-tricks/
Oct. 30, 2009

:ph34r: :ph34r:

Edited by AplusWebMaster, 30 October 2009 - 05:23 AM.



#20 AplusWebMaster

Posted 18 November 2009 - 07:13 AM

FYI...

More FAKE AV - SEO poisoning
- http://blog.trendmic...lead-to-fakeav/
Nov. 18, 2009 - "TrendLabs threat analysts found another FAKEAV campaign piggybacking on the Leonid meteor shower and the much-anticipated sequel to the Twilight saga, New Moon. Users searching for news and updates using the keywords “meteor shower tonight november 16 time” and “New Moon premiere live stream” end up with poisoned search results. These results redirect users to fake online scanners, which ultimately lead to the download of a FAKEAV variant detected by Trend Micro as TROJ_FAKEAV.MET... FAKEAV is notorious for capitalizing on hot news and popular searches via SEO poisoning. Hence, users are advised to be wary of suspicious-looking URLs when conducting online searches..."

(Screenshots available at the URL above.)

:ph34r:



#21 AplusWebMaster

Posted 19 November 2009 - 06:22 AM

FYI...

Redirects to scareware - Thousands of web sites compromised
- http://blogs.zdnet.c...ecurity/?p=4947
November 17, 2009 - "Security researchers have detected a massive blackhat SEO (search engine optimization) campaign consisting of over 200,000 compromised web sites, all redirecting to fake security software (Inst_58s6.exe)*, commonly referred to as scareware. More details on the campaign: The compromised sites are using legitimate-looking templates using automatically generated bogus content, with a tiny css.js** (Trojan-Downloader.JS.FraudLoad) uploaded on each of them which triggers the scareware campaign only if the visitor is coming from a search engine listed as known http referrer by the gang - in this case Google, Yahoo, Live, Altavista, and Baidu... the massive blackhat SEO campaign has been launched by the same people who operate or manage the campaigns for the Koobface botnet..."
* http://www.virustota...687e-1258481993
File nnovv_Inst_312s2.exe received on 2009.11.17 18:19:53 (UTC)
Result: 1/41 (2.44%)
** http://www.virustota...63be-1258479383
File css.js received on 2009.11.17 17:36:23 (UTC)
Result: 7/41 (17.07%)

- http://blog.trendmic...lead-to-fakeav/
Nov. 19, 2009

- http://blogs.zdnet.c.../?p=4297&page=2
"... the claims that “You’re Infected!; Windows has been infected; Warning: Malware Infections founds; Malware threat detected” should be considered as a fear mongering tactic..."

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 19 November 2009 - 06:59 AM.

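The Websense items in #16 and #22, the 302 chain in #18 and the css.js described in the ZDNet quote in #21 all turn on the same mechanism: a compromised page serves a redirect chain only when the visitor arrives with a search-engine referrer, and answers a direct visit normally. The Python script below is an added example, not code from the original posts or from any of the vendors quoted, that looks for exactly that pattern in an egress proxy log. The JSON-lines log format, the client addresses and every hostname are constructed for the example; the search-engine list is the one the ZDNet quote names as the gang's referrer whitelist.

```python
"""Flag referrer-gated redirect chains in an egress proxy log (added example)."""
import json
from collections import defaultdict
from urllib.parse import urlparse

# Search engines the ZDNet quote lists as the gang's "known http referrer" set.
SEARCH_ENGINES = {"google.com", "yahoo.com", "live.com", "altavista.com", "baidu.com"}

# Constructed JSON-lines proxy log, one HTTP transaction per line. Hostnames are
# made up: 10.0.0.5 arrives from a Google search and is bounced through a hop
# site to a fake-scanner site; 10.0.0.9 opens the same page directly and gets
# the normal 200.
SAMPLE_LOG = """\
{"ts": 1, "client": "10.0.0.5", "url": "http://publisher.example/news.html", "status": 302, "referer": "http://www.google.com/search?q=security+essentials+download", "location": "http://hop.example.net/go.php"}
{"ts": 2, "client": "10.0.0.5", "url": "http://hop.example.net/go.php", "status": 302, "referer": "http://publisher.example/news.html", "location": "http://computer-scanner.example/scan/"}
{"ts": 3, "client": "10.0.0.5", "url": "http://computer-scanner.example/scan/", "status": 200, "referer": "http://hop.example.net/go.php", "location": null}
{"ts": 4, "client": "10.0.0.9", "url": "http://publisher.example/news.html", "status": 200, "referer": null, "location": null}
{"ts": 5, "client": "10.0.0.9", "url": "http://publisher.example/about.html", "status": 301, "referer": "http://www.google.com/search?q=publisher", "location": "http://publisher.example/about/"}
"""

def site(url):
    """Crude site key: the last two labels of the host (enough for the example)."""
    host = urlparse(url).netloc.lower().split(":")[0]
    return ".".join(host.split(".")[-2:]) if host else ""

def from_search_engine(referer):
    return bool(referer) and site(referer) in SEARCH_ENGINES

def is_redirect(rec):
    return 300 <= rec["status"] < 400 and bool(rec.get("location"))

def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_chains(records, max_hops=10):
    """Per client, follow 3xx hops that start on a search-engine referral and
    report chains that end on a different site than the one the visitor landed on."""
    by_client = defaultdict(list)
    for rec in records:
        by_client[rec["client"]].append(rec)
    chains = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, rec in enumerate(recs):
            if not (from_search_engine(rec.get("referer")) and is_redirect(rec)):
                continue
            hops, nxt = [rec["url"]], rec["location"]
            for later in recs[i + 1:]:
                if nxt is None or len(hops) > max_hops:
                    break
                if later["url"] == nxt:          # the client actually followed the hop
                    hops.append(nxt)
                    nxt = later["location"] if is_redirect(later) else None
            if len(hops) > 1 and site(hops[-1]) != site(hops[0]):
                chains.append({"client": client, "entry": hops[0],
                               "hops": len(hops) - 1, "landing": site(hops[-1])})
    return chains

def find_gated_urls(records):
    """URLs that redirect search-engine visitors but serve 200 to everyone else:
    the gating behaviour the quoted css.js implements."""
    redirected, direct_ok = set(), set()
    for rec in records:
        if is_redirect(rec) and from_search_engine(rec.get("referer")):
            redirected.add(rec["url"])
        elif rec["status"] == 200 and not from_search_engine(rec.get("referer")):
            direct_ok.add(rec["url"])
    return sorted(redirected & direct_ok)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for c in find_chains(recs):
        print(f"{c['client']}: {c['entry']} -> {c['hops']} hop(s) -> {c['landing']}")
    for u in find_gated_urls(recs):
        print(f"referrer-gated: {u}")
```

The two checks are deliberately separate: a chain that leaves the landing site is a strong signal on its own, but the referrer-gated URL list is what tells the web team which page on a partner or publisher site has been tampered with, since a curl from the office will never reproduce the redirect.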


#22 AplusWebMaster

Posted 21 December 2009 - 05:23 AM

FYI...

Brittany Murphy's death - SEO Poisoning
- http://securitylabs....lerts/3514.aspx
12.21.2009 - "Websense... has discovered that Google top searches on "Brittany Murphy death" will return rogue AV Web sites. The Hollywood actress died suddenly during the weekend. Users will be redirected to malicious domains if they click the matches with a referrer from search engines like Google. The malicious domains try everything to convince people that they are real AV software Web sites, so that users download and execute the fake software offered. There are now a lot of variants available, typically named install.exe*, and at the moment it seems they haven't attracted much attention from AV companies..."
* http://www.virustota...5aee-1261366024
File install.exe received on 2009.12.21 03:27:04 (UTC)
Result: 10/41 (24.39%)

(Screenshots available at the Websense URL above.)

- http://www.f-secure....s/00001842.html
December 21, 2009

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 21 December 2009 - 07:52 AM.



#23 AplusWebMaster

Posted 08 January 2010 - 07:16 AM

FYI...

Office.Microsoft.Com search results can lead to Rogue AV
- http://securitylabs....lerts/3519.aspx?
01.08.2010 - "Websense... has detected that search results on office.microsoft.com can lead users to a Rogue AV page. Users looking for information related to help with Office products on Microsoft’s own site are being targeted. Users may be unaware that, when they type in search queries on the site, Microsoft scours its own Web site for results, but also pulls in results from the broader Web. As the URL for the search results begins with http ://office.microsoft .com, this is particularly troubling for users who trust sites simply because of their reputation. The malicious URL is a redirect to a very real-looking virus scan and warning page presented by a Rogue AV program (SHA1: 6489c54e30af18801a9e83a5855fa639f3bae0b8). The executable used in the exploit is currently recognized by 1 of the 41 AV engines on Virus Total*...."
* http://www.virustota...ad3d-1262943359
File Setup55530_2045-10.exe received on 2010.01.08 09:35:59 (UTC)
Result: 1/41 (2.44%)

(Screenshot/video available at the Websense URL above.)

:ph34r: <_< :ph34r:



#24 AplusWebMaster

Posted 11 January 2010 - 07:46 PM

FYI...

Black Hat SEO Ice Skating Car Video
- http://securitylabs....lerts/3522.aspx?
01.11.2010 - "Websense... has discovered that a popular video called "Paignton Ice Skating for Cars" has been targeted by both SEO poisoning attacks as well as Web spam. As a wave of icy weather is currently hitting large parts of Europe, the video has proved to be very popular, with currently more than 850,000 hits on Yahoo Video. A different uploaded version on YouTube has had more than 1 million views so far. Criminals have used the video's popularity as an opportunity to spread rogue anti-virus programs by poisoning the search results of major search engines. When the term "ice skating car" is searched via Google, nearly half of the search results on the first page redirect the user to rogue anti-virus sites. Clicking any of those links takes the user to a Web site with the message: "Your PC is at risk of virus and malware attack." That's an old trick used to lure unsuspecting users to download a fake anti-virus installer... The black hat search results in Google -redirect- the user through several sites, most of which are hosted in Russia, before finally landing in the rogue anti-virus site. The criminals often change the second site in the redirection chain in order to make it harder to detect. The file has a relatively low AV detection rate*..."
(Screenshot available at the Websense URL above.)
* http://www.virustota...657b-1263209375
File packupdate_build6_294.exe received on 2010.01.11 11:29:35 (UTC)
Result: 10/41 (24.39%)

:ph34r: <_< :ph34r:



#25 AplusWebMaster

Posted 13 January 2010 - 05:37 PM

FYI...

Black Hat SEO - Haiti Earthquake
- http://securitylabs....lerts/3524.aspx
01.13.2010 - "Websense... has discovered that searches on terms related to the recent earthquake in Haiti return results leading to a rogue antivirus program. The earthquake, which happened on Tuesday near Port-au-Prince, had a magnitude of 7.0 and is said to be the most powerful earthquake to hit Haiti... People around the world are searching the Internet to find the latest updates on this issue, wanting to know how to make charitable donations, trying to discover the extent of the calamity through photos or videos, and looking to see what their favorite artists and musicians are saying about the disaster. Unfortunately, the bad guys use major crises and events like this to spread their malicious code*..."
* http://www.virustota...0e89-1263413836
File Setup_88s1.exe received on 2010.01.13 20:17:16 (UTC)
Result: 4/41 (9.76%)
* http://www.virustota...0458-1263404507
File packupdate_build9_290.exe received on 2010.01.13 17:41:47 (UTC)
Result: 8/41 (19.51%)

(Screenshots available at the Websense URL above.)

- http://www.m86securi...trace.1217~.asp
January 13, 2010

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 13 January 2010 - 07:35 PM.



#26 AplusWebMaster

Posted 26 January 2010 - 11:19 AM

FYI...

Searches for free printable items lead to mal-domains
- http://blog.trendmic...to-mal-domains/
Jan 26, 2010 - "... blackhat SEO attack that uses strings with the phrase “free printable” to hijack search traffic by directing it into a rogue search engine. Our researchers have found that search engine queries using the string “free printable” yield results that include compromised websites. The said compromised websites are rigged with malicious JavaScripts detected as JS_REDIRECT.SMF and JS_REDIRCT.MAC. JS_REDIRECT.SMF and JS_REDIRCT.MAC trigger a set of redirections whenever the compromised sites are visited. The redirections ultimately lead to a rogue search engine, which by default puts the originally used search string into its own search text box. As of now, the cybercriminals’ goal in all this seems to be hijacking search traffic from search engines, and -redirecting- them into their own search engine to earn them money. Whether it stays as such is not yet known, but users need to be wary, since it would be very easy for cybercriminals to change the final landing site of the redirections to a malware-hosting site... It is very possible that this blackhat search engine optimization (SEO) attack takes advantage of the fact that the interest for free printable items is relatively high, especially in South Africa and the United States. We are strongly advising users -not- to use search strings that include the word “free printable,” as the results may lead to malicious websites. We are currently monitoring this attack and will update this entry for developments..."

(Screenshots available at the URL above.)

:ph34r: <_<



#27 AplusWebMaster

Posted 28 January 2010 - 08:16 AM

FYI...

More SEO poisoning attacks...
- http://isc.sans.org/...ml?storyid=8098
Last Updated: 2010-01-27 23:24:06 UTC - "... Recently we got details about two active SEO poisoning attacks for two specific hot topics:
* A new Facebook unnamed app. Sample search term: "facebook unnamed app".
- http://countermeasur...ads-to-malware/
* Today's Apple tablet announcement, called iPad. Sample search term: "apple tablet announcement".
- http://securitylabs....x?cmpid=slalert
The related search terms for these two hot topics in Google are returning top results pointing to sites that distribute malware. Apart from the common defense-in-depth practices regarding client and end point protection, one of the best recommendations is to demonstrate this type of attack on your security awareness programs, so that users do not blindly trust any output they get from search engines."

:ph34r:



#28 AplusWebMaster

Posted 15 February 2010 - 02:59 PM

FYI...

Various Olympics Related Dangerous Google Searches
- http://isc.sans.org/...ml?storyid=8239
Last Updated: 2010-02-15 20:26:18 UTC - "We have received reports about the (sadly expected by now) search engine poisoning for various Olympics-related terms. For example, the name of the killed Georgian luge athlete is used to redirect unsuspecting users to fake anti virus and other malicious content. The redirect is browser-dependent. Firefox is usually redirected to "qooglesearch .com" (note the 'q' as first letter instead of a 'g'). It is probably advisable to watch out for DNS requests for this domain to spot possible infections. Internet Explorer is redirected to a wide range of different domains which apparently are picked at random..."

(Video at the URL above: 2:44)

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 15 February 2010 - 03:00 PM.

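The ISC diary quoted above suggests watching DNS requests for qooglesearch.com as a cheap way to spot infected hosts. The script below is an added example, not code from the original post or from ISC, that generalizes that advice: it scans BIND-style query-log lines for an exact watchlist hit and for labels that imitate a brand name, either one edit away from it or matching it after the usual digit-for-letter swaps. The log lines, client addresses, resolver address and brand list are constructed for the example; the one watchlist entry is the domain the diary names.

```python
"""Spot watchlisted and brand-lookalike names in DNS query logs (added example)."""
import re

# The domain the ISC diary says to watch for; extend with your own indicators.
WATCHLIST = {"qooglesearch.com"}
# Brand names whose lookalikes are worth a second look (assumed list).
BRANDS = ["google", "yahoo", "microsoft"]
# Digit-for-letter substitutions commonly seen in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# BIND-style query log lines, constructed for the example (clients, times and
# the resolver address are made up).
SAMPLE_DNS_LOG = """\
15-Feb-2010 20:26:18.001 client 10.0.0.5#51234: query: www.google.com IN A + (192.0.2.53)
15-Feb-2010 20:26:19.114 client 10.0.0.5#51235: query: qooglesearch.com IN A + (192.0.2.53)
15-Feb-2010 20:26:20.220 client 10.0.0.7#40001: query: g00gle-scan.example IN A + (192.0.2.53)
15-Feb-2010 20:26:21.305 client 10.0.0.7#40002: query: mail.yahoo.com IN A + (192.0.2.53)
15-Feb-2010 20:26:22.410 client 10.0.0.8#40003: query: news.example.net IN A + (192.0.2.53)
"""

QUERY_RE = re.compile(
    r"client (?P<client>[^#\s]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)")

def levenshtein(a, b):
    """Classic edit distance, O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(label, brand):
    """Return 'homoglyph' or 'typo' if one DNS label imitates brand, else None.
    A label that contains the brand verbatim is not treated as a lookalike."""
    if brand in label:
        return None
    if brand in label.translate(HOMOGLYPHS):
        return "homoglyph"
    n = len(brand)
    for size in (n - 1, n, n + 1):              # windows one char shorter/longer
        for i in range(len(label) - size + 1):
            if levenshtein(label[i:i + size], brand) <= 1:
                return "typo"
    return None

def classify(name):
    """(reason, brand) for a suspicious name, None for an unremarkable one."""
    name = name.lower().rstrip(".")
    if name in WATCHLIST:
        return ("watchlist", None)
    for label in name.split(".")[:-1]:          # skip the TLD
        for brand in BRANDS:
            kind = lookalike_of(label, brand)
            if kind:
                return (kind, brand)
    return None

def scan(log_text):
    """Parse query-log lines and return one finding per suspicious query."""
    findings = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name").lower().rstrip(".")
        verdict = classify(name)
        if verdict:
            findings.append({"client": m.group("client"), "name": name,
                             "reason": verdict[0], "brand": verdict[1]})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_DNS_LOG):
        suffix = f" of {f['brand']}" if f["brand"] else ""
        print(f"{f['client']} asked for {f['name']}: {f['reason']}{suffix}")
```

The window scan is what catches names like qooglesearch.com even when they are not on the watchlist: the first six characters are one substitution away from "google", while the verbatim-contains check keeps www.google.com and mail.yahoo.com quiet. Short brand names produce more noise with this approach, so in practice the brand list should be kept to the handful of names users on the network are actually likely to search for.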


#29 AplusWebMaster

Posted 19 February 2010 - 01:55 PM

FYI...

Kneber = Zeus...
- http://www.symantec....ogs/kneber-zeus
February 18th, 2010 - "... Symantec has also observed cybercriminals seeking to exploit computer users’ fears—spurred by all of the coverage that this threat is receiving* — by poisoning search engine results for keywords such as “Kneber Botnet Removal.” In fact, when analyzed by Symantec, the highest ranked result on Google using these search terms led to a site hosting rogue antivirus software..."
* http://forums.whatth...=...st&p=634237

:ph34r: <_<



#30 AplusWebMaster

Posted 22 February 2010 - 12:51 PM

FYI...

Bloombox - Blackhat SEO poisoning
- http://securitylabs....lerts/3554.aspx?
02.22.2010 - "Websense... has detected that search terms related to Bloom Energy and its Bloombox Fuel Cell have become the latest target for Blackhat SEO poisoning attacks. Bloom Box is a breakthrough technology in the energy sector that could revolutionize the way electricity is generated today. As people become interested in finding more information on this technology, related search terms are currently gaining momentum, and as they do so, Blackhat SEO attacks are starting to climb up the search result listings. At the moment, according to the VirusTotal report, only 10% of antivirus products are detecting the threat*..."
* http://www.virustota...9f9c-1266851237
File mes_fs9.exe received on 2010.02.22 15:07:17 (UTC)
Result: 4/41 (9.76%)

(Video at the Websense URL above.)

:ph34r: <_<
