Security Response

Gromozon Is “Live” (Just in Italy)

Created: 07 Mar 2007 08:00:00 GMT • Updated: 23 Jan 2014 18:51:35 GMT
By Elia Florio

Windows Live is “everything you need, all in one place” and it looks like the search engine really does know exactly what Italians need! Today we came across a story reported by Sunbelt about a takeover of the Italian version of the Windows Live search engine, and we decided to do a bit more investigating into those reports.

At the moment, the problem is that when someone searches for a combination of specific Italian keywords on the Windows Live portal, that person will always get a set of weird links in the search results. These links are most likely related to the Linkoptimizer gang (aka Gromozon), so it appears that the gang has managed to manipulate the Windows Live search results and get its own links to the top of the result lists.

This type of issue is not new. Google was targeted by the same gang during the first Gromozon outbreak in 2006, as we reported in our previous blog post. It is a “Google bomb” attack or, in this case, we should call it a “Live bomb” attack. To quote Wikipedia: “Google bomb (also referred to as a 'link bomb') is Internet slang for a certain kind of attempt to influence the ranking of a given page in results returned by the Google search engine, often with humorous or political intentions.”

Some blog readers were wondering how the Gromozon gang was able to accomplish this. First, the bad guys meticulously selected a list of “hot” keywords: words for things everyone needs, or words that are simply very popular on search engines. The list is huge; we report only a sample set of those keywords below, with a rough English translation:


ricetta baci perugina (recipe for Baci Perugina, popular Italian chocolates)
contratto collettivo colf (collective labor contract for domestic workers)
finanziamento online (online loan)
cerco lavoro nave crociera (looking for a cruise ship job)
fastweb wind tele2 (popular Italian telecom providers)
traduzione testo canzone (song lyrics translation)
ministero sanita iscrizione (ministry of health registration)
modella calendario (calendar model)
giubbotto pelle (leather jacket)
incontro annuncio personale (personal ad, dating)

Next, the gang registered a large number of domain names built from other Italian words, hosted them with different Web space providers, and used paths that are permutations or modifications of the keywords above. The URL format used by the gang looks like the following:

http://[number].[random_italian_word].com/[keywords_permutation].

For example, if we consider the word “giubbotto” (jacket), we can easily spot all of the following permutations on Gromozon domains:

hxxp://7.altruidismala.com/giubbottouomoinpelle
hxxp://19.unavisita.com/giubbottouomopelle
hxxp://9.siscambiavano.com/giubbottouomoprada
hxxp://8.divertivano.com/giubbotto-nike
hxxp://20.riputazione.com/giubbotto-salvataggio
hxxp://10.suasalute.com/giubbottosmanicato
hxxp://5.irradiazione.com/napapijri-giubbotto
hxxp://10.proporzione.com/giubbotto-belstaff
hxxp://3.madrivolesti.com/giubbottouomoinpelle
hxxp://2.costretto.com/giubbotto-woolrich-cordura
hxxp://1.piantandosi.com/giubbotto-dainese
hxxp://9.galantuomini.com/giubbotto-moto
hxxp://10.cercassero.com/moncler-giubbotto
hxxp://11.stendevasi.com/giubbotto-uomo-woolrich
hxxp://7.ecavaliere.com/giubbottouomoinpelle
hxxp://16.divertivano.com/giubbotto-moto-abbigliamento
hxxp://12.riguarda.org/giubbottowoolrich
hxxp://19.circostanze.com/giubbotto-refrigiwear
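The URL shape above is regular enough to match mechanically. The following script is an added example, not code from the original post or from Symantec: it refangs the hxxp:// URLs quoted above, keeps only hosts of the form number.word.tld with a single lowercase, optionally hyphenated path segment, and reports which “hot” keywords each path is a permutation of. The regexes, the short keyword list and the three benign URLs at the end of the sample are assumptions made for illustration; the gang's real keyword list is far longer.

```python
"""Heuristic classifier for the Gromozon URL pattern
http://[number].[random_italian_word].com/[keywords_permutation]

Added example (not the original post's code). HOST_RE, PATH_RE, KEYWORDS
and the benign URLs are illustrative assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Defanged URLs quoted in the post, plus three constructed URLs that mention
# the same keyword but do not follow the gang's pattern.
SAMPLE_URLS = [
    "hxxp://7.altruidismala.com/giubbottouomoinpelle",
    "hxxp://19.unavisita.com/giubbottouomopelle",
    "hxxp://9.siscambiavano.com/giubbottouomoprada",
    "hxxp://8.divertivano.com/giubbotto-nike",
    "hxxp://20.riputazione.com/giubbotto-salvataggio",
    "hxxp://10.suasalute.com/giubbottosmanicato",
    "hxxp://5.irradiazione.com/napapijri-giubbotto",
    "hxxp://10.proporzione.com/giubbotto-belstaff",
    "hxxp://3.madrivolesti.com/giubbottouomoinpelle",
    "hxxp://2.costretto.com/giubbotto-woolrich-cordura",
    "hxxp://1.piantandosi.com/giubbotto-dainese",
    "hxxp://9.galantuomini.com/giubbotto-moto",
    "hxxp://10.cercassero.com/moncler-giubbotto",
    "hxxp://11.stendevasi.com/giubbotto-uomo-woolrich",
    "hxxp://7.ecavaliere.com/giubbottouomoinpelle",
    "hxxp://16.divertivano.com/giubbotto-moto-abbigliamento",
    "hxxp://12.riguarda.org/giubbottowoolrich",
    "hxxp://19.circostanze.com/giubbotto-refrigiwear",
    # constructed benign URLs (not from the post)
    "http://www.example.com/abbigliamento/giubbotto-pelle.html",
    "http://shop.example.org/?q=giubbotto",
    "http://4.example.com/giubbotto/pelle/",
]

# A few of the "hot" keywords from the post; the real list is much longer.
KEYWORDS = ("giubbotto", "pelle", "moto", "finanziamento", "modella", "calendario")

# Host: numeric first label, one alphabetic (Italian) word, a generic TLD.
HOST_RE = re.compile(r"^(\d{1,3})\.([a-z]{4,})\.(com|net|org)$")
# Path: exactly one segment of lowercase words, optionally hyphen-separated.
PATH_RE = re.compile(r"^/[a-z]+(?:-[a-z]+)*$")


def refang(url):
    """Turn the defanged 'hxxp://' prefix back into 'http://' for parsing."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def classify(url, keywords=KEYWORDS):
    """Return (host, matched_keywords) when url fits the pattern, else None."""
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    if not HOST_RE.match(host):
        return None
    if parts.query or parts.fragment or not PATH_RE.match(parts.path):
        return None
    # Drop hyphens so "giubbotto-uomo" and "giubbottouomo" compare alike.
    slug = parts.path[1:].replace("-", "")
    hits = tuple(k for k in keywords if k in slug)
    return (host, hits) if hits else None


def scan(urls, keywords=KEYWORDS):
    """Map each matching host to the keywords found in its path."""
    matches = {}
    for url in urls:
        result = classify(url, keywords)
        if result is not None:
            host, hits = result
            matches[host] = hits
    return matches


def group_by_domain(matches):
    """Group matching hosts by registrable domain: the gang reuses one
    domain under several numeric subdomains (8. and 16.divertivano.com)."""
    groups = defaultdict(list)
    for host in matches:
        groups[host.split(".", 1)[1]].append(host)
    return {domain: sorted(hosts) for domain, hosts in groups.items()}


if __name__ == "__main__":
    found = scan(SAMPLE_URLS)
    for domain, hosts in sorted(group_by_domain(found).items()):
        print(domain, hosts, [found[h] for h in hosts])
```

All 18 quoted URLs match and the three constructed look-alikes do not; grouping by registrable domain surfaces the reuse of divertivano.com under two numeric subdomains, which is a useful pivot when hunting for the rest of the farm.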

Also in this case, the list of URLs we have seen on the Web is huge. At this stage the gang has domain names and paths built from “hot” keywords, which already earn a good score from the search engine, but to reach the maximum ranking they need some other tricks. So, on each of these Web spaces they uploaded a Web page that includes links to legitimate sites related to the specific keyword (e.g. jacket). Each page also contains obfuscated JavaScript that works as a redirector (it takes users to a different Web site). Interestingly, all of the pages use the colors of the Italian flag (green, white and red) as a background.

The left column of each page has a long list of URLs linking to the other weird pages. The goal is to build a sophisticated, intricate spider web of pages that reference each other and so get the highest rank from the search engines. Search engine ranking algorithms analyze how pages link to each other as a graph: the more a page is referenced by links from other pages, the more popular it is considered to be. The gang's web of pages is built to trick the search engines into displaying the results the attackers want. We observed that the problem affects Windows Live for Italy and Germany, and also the Italian versions of some other search engines (e.g. Lycos), but with a lower impact.
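To see why a dense web of self-referencing pages pays off, here is a toy PageRank run over a constructed link graph. This is an added illustration, not code from the original post and not Windows Live's ranking algorithm: the graph (five gang hostnames from the list above, each linking to every other gang page and, as described, to one legitimate site), the 0.85 damping factor and the power-iteration PageRank are assumptions made for the example.

```python
"""Toy PageRank over a constructed link graph, showing how a cluster of
pages that link to each other inherits rank that no outside site gave them.

Added example; the graph, damping factor and PageRank implementation are
illustrative assumptions, not the gang's real network or Live's algorithm.
"""

# Constructed graph. The five gang pages link to every other gang page and,
# as the post describes, to one legitimate site about the keyword. Three
# legitimate pages link among themselves; 'forum.example' has no inbound links.
FARM = ["1.piantandosi.com", "7.altruidismala.com", "9.galantuomini.com",
        "10.cercassero.com", "19.circostanze.com"]

LINKS = {
    "blog.example": ["shop.example"],
    "forum.example": ["shop.example"],
    "shop.example": ["blog.example"],
}
for page in FARM:
    LINKS[page] = [other for other in FARM if other != page] + ["shop.example"]


def pagerank(links, damping=0.85, iterations=100):
    """Power-iteration PageRank; returns {page: score}, scores sum to 1."""
    nodes = sorted(links)
    n = len(nodes)
    rank = {v: 1.0 / n for v in nodes}
    for _ in range(iterations):
        new = {v: (1.0 - damping) / n for v in nodes}   # random-jump share
        for src, outs in links.items():
            if not outs:                                  # dangling page
                for v in nodes:
                    new[v] += damping * rank[src] / n
                continue
            share = damping * rank[src] / len(outs)
            for dst in outs:
                new[dst] += share
        rank = new
    return rank


def farm_boost(rank, farm=FARM, baseline="forum.example"):
    """How many times a gang page outranks a page that nobody links to."""
    return min(rank[p] for p in farm) / rank[baseline]


if __name__ == "__main__":
    scores = pagerank(LINKS)
    for page, score in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{score:.4f}  {page}")
    print(f"gang page / unlinked page: {farm_boost(scores):.2f}x")
```

With these numbers every gang page ends up at roughly 0.059, about three times the 0.019 of the legitimate page that nobody links to, even though not a single link into the farm comes from outside it; the legitimate shop also gains because the farm points at it. The real attack scales this up with thousands of domains and keyword-loaded names and paths, which is what pushes the gang's pages to the top of the results.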

What is the master plan of the Gromozon gang? We don't know yet, but we expect something even more sinister to appear sooner or later. At the moment we know that the obfuscated JavaScript embedded in those pages redirects users to the domains hxxp://www.itzzot.cc and hxxp://e1.extreme-dm.com. Fortunately, neither domain is hosting malicious files or exploits at the moment; they just track visitors. We will keep an eye on this and post an update if something malicious appears on those sites.

Thanks to Sunbelt for the original blog post about this story. Hopefully the Windows Live team is now aware of the issue and is working to set up proper filters for those false results.