Evolution of SEO Poisoning
In previous blogs we have discussed how malware can exploit a search engine’s indexing features in order to spread malicious content. Recently we have observed a massive compromise of websites under the .ch and .nl top-level domains, aimed at performing a massive search engine optimization (SEO) attack to spread fake antivirus applications.
To keep track of pages on the Internet, search engines use automated web scanners, called crawlers or spiders. Their purpose is to find every possible Web page on the net, read its content, and then index it for future user searches. Attackers often try to exploit this feature in order to trick a search engine into associating a malicious Web page with very common search terms. This attack will cause the malicious Web page to appear among the search results in the search engine’s results page, massively increasing the chances of users visiting it.
You can watch the following video for a demonstration of the attack and further details:
The script seen in the video uses some clever tactics to recognize a crawler’s activity versus that of a user, and to respond only to such kind of requests. Any other request is ignored and the script will generate a “page not found” error, in order to conceal itself by automated analysis or similar activities.
This specific attack is not limited to HTML-based Web pages, but it also affects image searches. As shown in the video, we were able to find several images that, when clicked, linked back to malicious Web pages. This shows that the attack can be effective in increasing the common user’s exposure to such malicious websites. Fortunately, we have observed that the search engines are quick to react to these sites when they are discovered, and the attack is blocked quickly.
Despite the width of exposure, the attack relies on social engineering and still needs a user to acknowledge the results, download, and run an executable. Once again, good sense is the best prevention: do not run anything that you do not trust, especially from sources who claim you are infected with numerous Trojans. If you are in doubt, search for more information or only install software from legitimate companies that you know and trust. The latest antivirus and IPS signatures for Symantec antivirus products will also prevent this attack from succeeding.