Monday, September 28, 2009

Blackhats Quickly Saturate Google With Tropical Storm Ondoy

Since tropical storm Ondoy hit the Philippine Capital on Saturday, attackers have wasted no time planting malicious pages claiming to host videos of the historic disaster. The city of Manila saw flooding on a level that hasn't been seen in decades and the pictures are jaw dropping. But for surfers looking to see those videos, searching on Google and following search results can be dangerous.

The actual attack is nearly identical to the attack reported last week where pages are artificially inflated in PageRank, driving them to the top of the search results. In one case, 8 of the 10 top results were found to be malicious. The actual malicious pages are only served up when users come from Google and at this time, anti-virus coverage for the installed malware is very low.

Many of these search results will take the user directly to a Fake AV download while others are more stealthy.

One of the more covert sites is hxxp:// When opened using Google the user is shown the movie window with a play button. The play button is actually a link to hxxp://

The user is prompted to install a missing "Active-X Patch" to view the video which leads them to the final payload, Fake AV software. There is no mention of anti-virus software and the user is led to unwittingly install the malicious file.

When Google search was not used to access the page the video image and link to the malicious download did not appear.

[Note: during research by eSoft, this page did not return malicious content when directly viewed, but extreme caution should still be taken before visiting any websites listed in this post.]

This is one of many trending search terms being targeted, including the few examples below.
  • Tim Tebow
  • Jenny Slate
  • Google Birthday
  • Roman Polanski
  • Yom Kippur
PageRank bombs using Google trending topics is one of the newest ways blackhats are spreading malware. The attackers are very responsive to the latest news and gossip, quickly posting new malicious sites to infect unsuspecting users.

Image Source:

Monday, September 21, 2009

Google Users Targeted By New Malicious Websites

eSoft’s Threat Prevention Team has been tracking compromised sites that host PageRank Bombs since 2008.  The attacker hacks a site, but instead of putting exploits on the hacked site, they put links to other websites in order to boost the search result ranking on various search engines.  Initially this was being used for ad sites, porn sites, and pharmafraud sites.  Now, however, it is being used to boost the results of malicious sites, but with a new twist that targets Google users.

The sites whose search engine ranking is being boosted are now serving up malware through a complex series of redirects.  However, the redirects and the malware are only served up if the user gets to the site after clicking the link on Google.  Going directly to the malicious site (by pasting into your browser directly) results in a harmless page.

For example, using Google, a search for “nhl all-time scoring leaders” returns several malicious results on the first page (in the 5th, 6th, 7th, 8th and 10th positions). 

Going to the website, hxxp://, directly results in an innocuous page like this:

[Note: during research by eSoft, this page did not return malicious content when directly viewed, but extreme caution should still be taken before visiting any websites listed in this post.]

However, clicking the link in the Google search results will bring the user to a web site using a common Rogue Anti-Virus template that alerts the user that their PC is infected and prompts unsuspecting users to download what is really a Trojan:

The Trojan being downloaded at this point has only a 7% detection rate by anti-virus software with Microsoft, NOD32 and Panda detecting.

Some of the sites being used include:

These redirect through some URLs including:

As far as eSoft’s TPT can tell, the referrer must have this string,, in it  and the User-Agent must indicate a Windows machine or the malware will not be delivered.  It does not appear that users of other search engines or operating systems are yet being targeted.

Wednesday, September 9, 2009

Fake Blogs Serve Rogue Malware

eSoft’s Threat Prevention Team has uncovered a massive amount of recently exploited websites, all redirecting to Rogue AV malware.

At the time of writing, Google shows over 720,000 compromised URLs.  According to VirusTotal [], only two of forty-one anti-virus companies are currently detecting the malware. 

Credit also goes to Edgar ( who independently discovered and blogged about this same threat.

The compromised sites frequently contain fake blogs on the topics of entertainment and celebrities such as Britney Spears (see screenshot).


Upon visiting the site, an obfuscated javascript file redirects the visitor to the one of several sites that host the malware payload.  Multiple redirect domains are being used to further obfuscate the final destination and all of these are currently flagged as malicious by eSoft (most have been set to malicious for over a week).

Unprotected users will see a pop up window that performs a fake system scan. The user is then notified that they are infected with several threats and prompts to download the supposed cure, which is in fact the malware.  This scheme is all too common and eSoft’s Threat Prevention Team has been detecting a dramatic increase in this scam through August.  This latest appears to be the most widespread to date. 

The malware payloads change often and anti-virus detection is lagging behind.  eSoft recommends multiple layers of anti-virus at the desktop and gateway in combination with secure web filtering. A secure web filter protects users by blocking the malware distribution points even as the malware changes to evade anti-virus detection.