Monday, September 28, 2009

Blackhats Quickly Saturate Google With Tropical Storm Ondoy

Since tropical storm Ondoy hit the Philippine capital on Saturday, attackers have wasted no time planting malicious pages claiming to host videos of the historic disaster. The city of Manila saw flooding on a level that hasn't been seen in decades, and the pictures are jaw-dropping. But for surfers looking to see those videos, searching on Google and following search results can be dangerous.

The attack is nearly identical to the one reported last week, where pages are artificially inflated in PageRank, driving them to the top of the search results. In one case, 8 of the 10 top results were found to be malicious. The malicious pages are only served up when users come from Google, and at this time anti-virus coverage for the installed malware is very low.

Many of these search results will take the user directly to a Fake AV download, while others are more stealthy.

One of the more covert sites is hxxp:// When opened using Google the user is shown the movie window with a play button. The play button is actually a link to hxxp://

The user is prompted to install a missing "Active-X Patch" to view the video which leads them to the final payload, Fake AV software. There is no mention of anti-virus software and the user is led to unwittingly install the malicious file.

When Google search was not used to access the page, the video image and the link to the malicious download did not appear.

[Note: during research by eSoft, this page did not return malicious content when directly viewed, but extreme caution should still be taken before visiting any websites listed in this post.]

This is one of many trending search terms being targeted, including the few examples below.
  • Tim Tebow
  • Jenny Slate
  • Google Birthday
  • Roman Polanski
  • Yom Kippur
PageRank bombing using Google trending topics is one of the newest ways blackhats are spreading malware. The attackers are very responsive to the latest news and gossip, quickly posting new malicious sites to infect unsuspecting users.
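The referrer-dependent behaviour described above, where the video image and download link appear only for visitors arriving from Google, can be confirmed by comparing the page body captured with and without a search referrer. The following is an added example, not eSoft's code; the two sample bodies and the host `downloads.example.invalid` are constructed for illustration.

```python
from html.parser import HTMLParser


class TargetCollector(HTMLParser):
    """Collect every href/src value found in an HTML body."""

    def __init__(self):
        super().__init__()
        self.targets = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.targets.add(value.strip())


def extract_targets(html):
    collector = TargetCollector()
    collector.feed(html)
    collector.close()
    return collector.targets


def referrer_only_targets(direct_html, referred_html):
    """Targets served only when the request carried a search-engine Referer."""
    return sorted(extract_targets(referred_html) - extract_targets(direct_html))


def looks_cloaked(direct_html, referred_html):
    """True when the referred response exposes links the direct one hides."""
    return bool(referrer_only_targets(direct_html, referred_html))


# Constructed sample bodies: the same URL captured without a Referer header
# and with a Google search Referer (hypothetical content, not from the post).
DIRECT_BODY = (
    '<html><body><h1>Storm videos</h1>'
    '<a href="/about.html">About</a></body></html>'
)
REFERRED_BODY = (
    '<html><body><h1>Storm videos</h1>'
    '<a href="/about.html">About</a>'
    '<a href="http://downloads.example.invalid/patch.exe">'
    '<img src="/img/player.png"></a></body></html>'
)

if __name__ == "__main__":
    for target in referrer_only_targets(DIRECT_BODY, REFERRED_BODY):
        print("only with search referrer:", target)
```

Pages with rotating ads or other dynamic links will also differ between fetches, so treat a non-empty result as a lead to review rather than a verdict.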
