Google Trends Abused to Serve Malware
Wednesday February 25, 2009 at 3:39 pm CST
Posted by Craig Schmugar
The other day a worm, often referred to as “Error Check System”, was spreading on Facebook. In fact, if you searched for information on this threat, your search results were poisoned to lead unsuspecting victims to a site that attempts to install a rogue anti-spyware Trojan. Some folks blogged that this search connection was “too much of a coincidence”, and that the Facebook part of the threat was a “red herring”. I do not believe this is the case, and here’s why.
Last week I was following up on a comment made to the McAfee Avert Labs blog. The URL provided by the visitor (**********.******.bee.pl/waledac_botnet.html) redirected to another site that attempted to install the same Trojan. Running a search on part of that URL yielded hundreds of search results, many of which were placed high up on Google’s results. The summary text was relevant to the search term, so it’s clear that those behind the redirects are manipulating Google’s search results: not only getting their newly created sites to appear high on the results page, but also getting relevant text to display in the page summary section, and for the hottest search terms. Here’s one example, ironically related to the recent Gmail outage.
You’ll also notice that the page summary is identical to the top search result, taken from Google News. Looking at more search results it is clear that the attackers are targeting popular search terms.

Other searches show the results using all-lowercase titles, the same as used by Google Trends. In fact, checking some of the top Google Trends links, we can see that the abusers are hitting it (“ash wednesday 2009” was the #1 search term at the time of this writing; this image was edited to fit on the blog).
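The two indicators described above (an all-lowercase title lifted verbatim from the Google Trends hot list, and a page summary duplicated from the top Google News result) are easy to turn into a triage check over a page of search results. The following is an added example, not code from the original post or from McAfee; the result entries, trending terms and news snippet are constructed, and the `example.invalid` host is a placeholder. It requires both indicators before flagging, so a legitimate news story, which naturally matches its own snippet, is not flagged.

```python
from difflib import SequenceMatcher


def normalize(text: str) -> str:
    """Collapse whitespace and case so titles and snippets compare cleanly."""
    return " ".join(text.split()).lower()


def flag_poisoned_results(results, hot_terms, news_snippets, snippet_threshold=0.9):
    """Return the results that show both indicators from the post: a title that
    is all lowercase and matches a trending term verbatim, and a summary that
    duplicates a Google News snippet. Each result is a dict with url, title
    and snippet keys; each flagged entry carries the reasons it was chosen."""
    hot = {normalize(t) for t in hot_terms}
    news = [normalize(s) for s in news_snippets]
    flagged = []
    for r in results:
        reasons = []
        title = r["title"]
        # Indicator 1: Google Trends terms are all lowercase, and the poisoned
        # pages reused them as titles verbatim.
        if title == title.lower() and normalize(title) in hot:
            reasons.append("all-lowercase title equals a trending term")
        # Indicator 2: the summary is a near-copy of a real news snippet.
        snippet = normalize(r["snippet"])
        best = max((SequenceMatcher(None, snippet, n).ratio() for n in news), default=0.0)
        if best >= snippet_threshold:
            reasons.append("snippet duplicates a news result (similarity %.2f)" % best)
        if len(reasons) == 2:
            flagged.append({"url": r["url"], "reasons": reasons})
    return flagged


# Constructed sample data (not taken from Google Trends or Google News).
HOT_TERMS = ["ash wednesday 2009", "gmail outage", "error check system"]
NEWS_SNIPPETS = [
    "Google's Gmail service was unavailable for several hours on Tuesday, "
    "leaving users worldwide unable to read or send email."
]
SAMPLE_RESULTS = [
    {   # legitimate news story: normal-case title, so only one indicator fires
        "url": "http://news.example.com/gmail-outage",
        "title": "Gmail Outage Leaves Users Without Email for Hours",
        "snippet": NEWS_SNIPPETS[0],
    },
    {   # poisoned result: lowercase trending term as title, copied summary
        "url": "http://poisoned.example.invalid/gmail-outage.html",
        "title": "gmail outage",
        "snippet": NEWS_SNIPPETS[0],
    },
    {   # lowercase title matching a trend, but with its own summary text
        "url": "http://parish.example.org/",
        "title": "ash wednesday 2009",
        "snippet": "Service times and readings for Ash Wednesday at our parish.",
    },
]

if __name__ == "__main__":
    for hit in flag_poisoned_results(SAMPLE_RESULTS, HOT_TERMS, NEWS_SNIPPETS):
        print(hit["url"])
        for reason in hit["reasons"]:
            print("  -", reason)
```

Only the second constructed entry is returned. The similarity threshold is deliberately high; the post observed exact copies of the Google News summary, and a lower threshold would start matching legitimate sites that paraphrase the same story.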

The notion of malware distributors abusing Google Trends is not new, and received some attention in October of last year. However, I do not recall previous attacks being as aggressive as the current ones: distributed across numerous sites, targeting many high-profile search terms, and having the poisoned links regularly appear high up in the result pages.
Once a user visits one of these poisoned links, the destination page references a script file (style.js), which is obfuscated.

Decoding the script shows that it redirects the user based on the referring URL containing “google”, “msn”, “yahoo”, “comcast” or “aol.com”. This is just one of the many ways the bad guys focus their attacks on potential victims, while making it a tiny bit more difficult for others to discover it. Once you’re redirected, it’s situation normal for the attackers: various fake alert and scanning messages and windows appear, ultimately leading to the installation of a FakeAlert Trojan (such as one of the 9,500+ known binaries identified by McAfee as FakeAlert-AB).

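Referrer-conditional redirection of this kind is a form of cloaking, and the three traits the paragraph describes (reading the referrer, comparing it against a list of search engines, then navigating elsewhere) can be checked for statically once the script is decoded. The following is an added example, not code from the original post or from McAfee: a small Python scanner that first strips the common `\xNN`, `\uNNNN` and `%NN` string encodings, then looks for the three traits together. The two sample scripts are constructed for the example (the cloaked one mirrors only what the post already describes, with a placeholder `example.invalid` host), and the regular expressions are heuristics, not a JavaScript parser.

```python
import re

# Search-engine referrer strings the post says the decoded style.js checked for.
SEARCH_REFERRERS = ("google", "msn", "yahoo", "comcast", "aol.com")

# Indicator 1: the script reads the referrer.
REFERRER_RE = re.compile(r"document\s*\.\s*referrer", re.IGNORECASE)
# Indicator 2: the script navigates away (assigns or calls a location setter).
# Plain reads such as location.href.indexOf(...) deliberately do not match,
# and "==" comparisons are excluded.
REDIRECT_RE = re.compile(
    r"(?:(?:window|document|top)\s*\.\s*)?\blocation\b"
    r"(?:\s*\.\s*(?:href|replace|assign))?\s*(?:=(?!=)|\()",
    re.IGNORECASE,
)


def deobfuscate(js: str) -> str:
    """Undo the simple string encodings layered over scripts like this:
    \\xNN and \\uNNNN escapes and URL-style %NN escapes. Runs until the text
    stops changing, because these encodings are often nested. It is a
    heuristic: a literal "%41" in benign text is decoded too."""
    prev, cur = None, js
    while cur != prev:
        prev = cur
        cur = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), cur)
        cur = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), cur)
        cur = re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), cur)
    return cur


def referrer_cloaking_indicators(js: str) -> dict:
    """Score a script for referrer-conditional redirection. 'suspicious' is
    set only when all three indicators are present: the referrer is read,
    two or more search-engine strings appear, and the page navigates away."""
    decoded = deobfuscate(js)
    lowered = decoded.lower()
    engines = [e for e in SEARCH_REFERRERS if e in lowered]
    reads_referrer = bool(REFERRER_RE.search(decoded))
    redirects = bool(REDIRECT_RE.search(decoded))
    return {
        "reads_referrer": reads_referrer,
        "redirects": redirects,
        "search_engines": engines,
        "suspicious": reads_referrer and redirects and len(engines) >= 2,
        "decoded": decoded,
    }


# Constructed sample mirroring the behaviour the post describes: the referrer
# is checked for search-engine strings and, on a match, the browser is sent
# elsewhere. "google" is \x-escaped the way simple obfuscators do; the
# destination host is a placeholder, not a real site.
SAMPLE_CLOAKED = (
    'var r=document.referrer.toLowerCase();'
    'var e=["\\x67\\x6f\\x6f\\x67\\x6c\\x65","msn","yahoo","comcast","aol.com"];'
    'for(var i=0;i<e.length;i++){if(r.indexOf(e[i])!=-1){'
    'window.location="http://landing.example.invalid/";}}'
)

# Constructed benign sample: analytics code that reads the referrer but never
# redirects, so it must not be flagged.
SAMPLE_BENIGN = (
    'var ref=document.referrer;'
    'if(ref.indexOf("google")!=-1){track("search","google");}'
)

if __name__ == "__main__":
    for name, src in (("cloaked", SAMPLE_CLOAKED), ("benign", SAMPLE_BENIGN)):
        result = referrer_cloaking_indicators(src)
        print(name, "suspicious:", result["suspicious"], "engines:", result["search_engines"])
```

Requiring all three traits together is what keeps the false-positive rate usable: analytics code reads the referrer constantly, and plenty of legitimate pages redirect, but very few do both conditioned on a list of search engines. For a real investigation the decoded text is also returned, since the redirect destination is the next thing a responder wants to block at the URL-reputation or proxy layer.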
If you made it down to the bottom of this blog, I probably don’t need to remind you to look carefully before you click on the Web.

February 25th, 2009 at 16:35
Hey Craig. Nice blog entry – makes for interesting reading.
Thought you’d like to know that the link about the “red herring” is broken (too many http:’s!!)
It should be http://www.sophos.com/blogs/gc/g/2009/02/23/sting-tail-error-check-system-facebook-scare/
Cheers
Graham
February 25th, 2009 at 19:58
Graham,
The link has been updated. Thanks for catching it!
February 26th, 2009 at 02:32
Very nice post Craig.
Just one note: I blogged that it was “ALMOST too much of a coincidence”.
I think we agree that there is no direct link between this particular Facebook app and search results.
I just don’t rule it out completely.
Regards,
Sean
February 26th, 2009 at 21:29
[...] researcher Craig Schmugar points to the recent Gmail outage as an example. When that happened, many were searching for the [...]
February 27th, 2009 at 16:27
[...] researcher Craig Schmugar points to the recent Gmail outage as an example. When that happened, many were searching for the [...]
February 27th, 2009 at 22:20
[...] The other day I blogged about Google Trends being abused to serve malware. The attackers were not only targeting the most popular search terms, but also [...]
February 28th, 2009 at 10:59
[...] : McAfee – Posted by Craig [...]
March 2nd, 2009 at 04:59
[...] McAfee and Trend Micro are warning about a recent bump in the use of SEO (search engine optimization) [...]
March 2nd, 2009 at 19:40
Quite interesting post, of course! I just was checking this out with all different possibilities I could think of. I noticed that the same results occur even when I use the other search engines – MSN, Yahoo. So, how did you conclude that the google trends were manipulated? – just curious to know…
March 2nd, 2009 at 20:17
Anand,
Google Trends wasn’t manipulated so much as Google’s page ranking. Once they were successful at manipulating the page ranking they then went after the most commonly searched terms.
As for connecting the dots, there were a couple of elements that led to the conclusion.
1) The high Google page ranking (which I did not observe with other search engines…the pages are there and indexed, but not placed as high).
2) All the Titles were in lowercase, the same used by Google Trends; and correlating those titles against the Google Trends “Hot” lists.
3) The duplicating of high-ranking content via Google News supported the idea that Google was the target.
4) The fact that Google is the search king
5) The apparent lack of equivalent Trending functionality in the other search sites.
Other points later supported the idea of Google Trends abuse, such as the stats I posted in my follow-up blog.
March 3rd, 2009 at 08:28
[...] McAfee and Trend Micro are warning about a recent bump in the use of SEO (search engine optimization) [...]
March 4th, 2009 at 03:39
Because this IS a .exe file – it won’t affect my mac right?
March 26th, 2009 at 05:58
I guess I clicked on a link in a search and the malware 2009 appeared in my tray. I continued to close them by the x but somehow, it continues to appear. I went into add and remove, it uninstalled but not really. I went into my program files, it denies me access. I use Google for almost everything in my company as well and I have McAfee through Comcast. What should I be searching on, working on, and now how is it removed?
July 7th, 2009 at 15:33
[...] scareware, became rampant. These Trojan families are typically spread via drive-by downloads, search-engine-optimization poisoning, spam campaigns, and clever social engineering. Having these methods discussed in earlier blogs, [...]
August 18th, 2009 at 09:35
Craig,
Nice blog. But what I want to know is what does McAfee plan to do to address this on the Enterprise level? To date it appears the only thing on the market for monitoring social networks are parental controls software on the desktop. What about an Enterprise solution? Does DLP address some of the concerns?
August 26th, 2009 at 10:29
Dave,
This blog is more about search engine abuse and less about social networks. The search results poisoning is addressed with domain and URL reputation products, while the destination of malicious links is covered by anti-virus and host & network intrusion prevention.
As far as monitoring social networks, it depends on how heavy-handed you want to be. Domain filtering and access controls are one option. AV and NIPS & HIPS are in scope for many attacks as well. DLP does play a role, but that’s more about outbound than inbound threats.