Those using Google, Yahoo! and other search engines face a new danger according to the folks at Sunbelt Software: seeded search results that will redirect the user to sites rigged with malware.
The Sunbelt blog describes tens of thousands of individual pages its researchers found that have been meticulously created with the goal of obtaining high search engine ranking. Just about any search term you can think of can be found in these pages, wrote Sunbelt researcher Adam Thomas.
“For months now, our research team has monitored a network of bots whose sole purpose is to post spam links and relevant keywords into online forms (typically comment forms and bulletin board forums),” he wrote. “This network, combined with thousands of pages … have given the attackers very good (if not top) search engine position for various search terms.”
Thomas said many malicious pages contain an IFRAME link designed to exploit vulnerable systems. Those unlucky enough to encounter such links while browsing on vulnerable machines risk becoming infected with a family of malware Sunbelt calls Scam.Iwin.
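The hidden-IFRAME loader Thomas describes has a recognisable shape in the page source: a frame that is effectively invisible (zero-size, `display:none`, or pushed off-screen) yet loads content from an origin other than the page itself. The following checker is an added example written for this article, not code from Sunbelt or Google; it uses only the Python standard library, and the sample HTML, host names (`.test` domains) and size thresholds are constructed for illustration. It is the kind of static test a crawler, proxy or site owner could run over fetched pages to spot injected frames before a browser renders them.

```python
"""Flag invisible <iframe> elements in fetched HTML (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS patterns that make an element invisible or push it off-screen.
_HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)
_OFFSCREEN_CSS = re.compile(r"(?:left|top)\s*:\s*-\d{3,}px", re.IGNORECASE)


def _dimension(value):
    """Parse a width/height attribute such as '0' or '315px'; None if not a pixel count."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)\s*(?:px)?\s*$", value)
    return int(m.group(1)) if m else None


class IframeAuditor(HTMLParser):
    """Collects iframes that are invisible; notes when they also load a third-party origin."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        reasons = []

        width, height = _dimension(a.get("width")), _dimension(a.get("height"))
        if (width is not None and width <= 1) or (height is not None and height <= 1):
            reasons.append("zero/one-pixel size")

        style = a.get("style", "")
        if _HIDDEN_CSS.search(style) or _OFFSCREEN_CSS.search(style):
            reasons.append("hidden via CSS")

        # Only an *invisible* frame is reported; a visible third-party embed is normal.
        if not reasons:
            return

        host = (urlparse(src).hostname or "").lower()
        if host and host != self.page_host and not host.endswith("." + self.page_host):
            reasons.append(f"third-party src {host}")

        self.findings.append({"src": src, "reasons": reasons})


def audit_html(html, page_host):
    """Return a list of findings for hidden iframes in `html`, served from `page_host`."""
    auditor = IframeAuditor(page_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page: one legitimate visible embed, one 0x0 third-party
# loader, and one same-site frame hidden with CSS.
SAMPLE_HTML = """
<html><body>
<h1>Alternate firmware for your router</h1>
<iframe width="560" height="315" src="https://video.example.test/embed/abc"></iframe>
<iframe src="http://loader.example.test/x.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="/ads/frame.html" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML, "example-blog.test"):
        print(f["src"], "->", ", ".join(f["reasons"]))
```

The checker deliberately reports a hidden frame even when its source is same-site, because injected content often points at a relative path on a compromised host; the third-party note is added as a severity hint rather than a gate. Tune the off-screen threshold and the size cut-off to the site being audited.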
“With Scam.Iwin, the victim’s computer is used to generate income for the attacker in a pay-per-click affiliate program by transmitting false clicks to the attacker’s URLs without the user’s knowledge,” Thomas said. “The infected Scam.Iwin files are not ordinarily visible to the user. The files are executed and run silently in the background when the user starts the computer and/or connects to the Internet.”
Scam.Iwin is also used to load malware for other groups, he noted. One such group is associated with the notorious RBN (Russian Business Network).
In a separate Sunbelt blog posting, company president Alex Eckelberry described a large number of seeded search results leading to malware sites and using common, innocent terms. One researcher landed on a malware site while searching for alternate firmware for a router, he noted.
“Clicking on these links will expose the user to exploits which will infect a vulnerable system (in other words, a system that is not fully up-to-date with the latest patches),” he wrote.
Google has been notified, Thomas said.
UPDATE: Sunbelt confirmed late Wednesday that Google has removed all of the malicious sites.
UPDATE 2: Google’s security team admits the malicious activity Sunbelt discovered is probably the tip of the iceberg, and they’re asking for the public’s help in flagging additional sinister sites. From the Google security blog:
“Currently, we know of hundreds of thousands of websites that attempt to infect people’s computers with malware. Unfortunately, we also know that there are more malware sites out there. This is where we need your help in filling in the gaps. If you come across a site that is hosting malware, we now have an easy way for you to let us know about it. If you come across a site that is hosting malware, please fill out this short form. Help us keep the internet safe, and report sites that distribute malware.”