Search engines are free, powerful and efficient tools. But the same tools can be used to exploit the unsuspecting visitor who trusts the search results. Malicious SEO (Search Engine Optimization) is one such tactic where criminals spread malware through infected websites and poisoned search results. (This is sometimes referred to as index hijacking or SEO poisoning: See also some of our previous blogs such as http://www.eset.com/threat-center/blog/2009/09/06/fake-antimalware-old-dogs-new-tricks and http://www.eset.com/threat-center/blog/2009/08/26/web-searches-and-dangerous-ladies.)
Recently, cybercriminals have used this trick on searches related to Microsoft and Google announcements. (http://www.scmagazineuk.com/Malicious-links-detected-on-Microsoft-Security-Essentials-searches/article/151136/) When searching for “how to get Google wave invitation”, “Google wave invite” or “Microsoft security essentials download”, the result pages that come up in Google consist of rogue results mixed in with the legitimate ones, and blackhat SEO techniques ensure that the malicious URLs turn up at or close to the top of the list. A few examples of these sites are:
www.[removed].org/members_upload/jac.php?google+wave+invite
www.[removed].com/wp-admin/includes/update-core/labyvacu/?qezopego=google-wave-invitations
www.[removed].com/elites/google-wave-invite.html

When a user clicks on any of the compromised web sites above, he is redirected to malicious websites using domain names such as computer-scanner02.com and scan-me-now.com. The end result and purpose are the same: to trick the user into believing his computer is infected and needs immediate action.

One such Rogue AV installs the Smart Virus Eliminator. To “protect” the computer and remove the “detected” threats, the user has to pay a 6-month subscription fee of $49.99. For an even better deal, a lifetime subscription can be purchased for $79.99.

Rogue AV applies scare tactics and makes the user believe that he is infected with all kinds of malware when there is none. (See also Cristian Borghello’s paper “Free but Fake: Rogue Anti-Malware” at http://www.eset.com/download/whitepapers/Free_but_Fake.pdf.) The following screenshot was taken while the Rogue AV was in action. The window mimics Windows Explorer and shows that it is “scanning” for malicious files. After the scan completes, it prompts the user to download the “rogue” security software.

Upon executing these malicious applications, further lookups to domains such as winnetworkstatus.com and freeavtest.com are made. These addresses are blacklisted by ESET.

The two SEO attacks happened a few hours apart, though there might be an interesting link between them. Common malicious domain names with different trailing numbers were used to download the Fake AV in both cases. For example, computer-scanner21.com was the redirection target when searching for Microsoft Security Essentials download sites, while the user was redirected to computer-scanner02.com when searching for Google Wave invitations.
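The chain described above (search result, compromised landing page, redirect to a numbered computer-scanner domain, then post-install lookups) can be spotted in web proxy logs. The following is an added example, not code from the original post or from ESET: it runs over a constructed proxy log in which the redacted compromised sites are replaced by hostnames in the reserved .example TLD, and matches the rogue domains by the trailing-number pattern the post describes rather than by a fixed list.

```python
import re
from urllib.parse import urlparse, parse_qs

# Domains named in the post; the trailing number of computer-scanner is matched as a pattern.
ROGUE_DOMAIN_RE = re.compile(
    r"^(computer-scanner\d+\.com|scan-me-now\.com|winnetworkstatus\.com|freeavtest\.com)$")
SEARCH_LABELS = ("google", "bing")

# Constructed proxy log, one "client referrer url" triple per line (not real traffic).
# The compromised landing sites are placeholders, since the post redacts them.
SAMPLE_LOG = """\
10.0.0.5 http://www.google.com/search?q=google+wave+invite http://compromised-site.example/members_upload/jac.php?google+wave+invite
10.0.0.5 http://compromised-site.example/members_upload/jac.php?google+wave+invite http://computer-scanner02.com/scan.php
10.0.0.5 - http://winnetworkstatus.com/update
10.0.0.7 http://www.google.com/search?q=weather http://news-site.example/weather.html
10.0.0.9 http://www.bing.com/search?q=microsoft+security+essentials+download http://blog-site.example/wp-admin/includes/update-core/labyvacu/?qezopego=mse-download
10.0.0.9 http://blog-site.example/wp-admin/includes/update-core/labyvacu/?qezopego=mse-download http://computer-scanner21.com/
"""

def is_rogue(host):
    return bool(ROGUE_DOMAIN_RE.match(host.lower()))

def is_search_referrer(ref):
    p = urlparse(ref)
    return p.path.startswith("/search") and any(l in p.netloc.split(".") for l in SEARCH_LABELS)

def find_seo_poisoning_chains(log_text):
    """Return (client, search_query, landing_url, rogue_host) for each search -> landing -> rogue chain."""
    landings = {}   # (client, landing_url) -> the search query that led there
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, referrer, url = line.split()
        host = urlparse(url).netloc.lower()
        if is_search_referrer(referrer):
            # Remember the poisoned keyword so the alert says which topic was targeted.
            landings[(client, url)] = parse_qs(urlparse(referrer).query).get("q", [""])[0]
        if is_rogue(host) and (client, referrer) in landings:
            hits.append((client, landings[(client, referrer)], referrer, host))
    return hits

def rogue_lookups(log_text):
    """Every request to a rogue-AV domain, chained or not (catches the post-install lookups)."""
    rows = [l.split() for l in log_text.splitlines() if l.strip()]
    return [(c, urlparse(u).netloc.lower()) for c, _, u in rows if is_rogue(urlparse(u).netloc)]
```

The chain detector gives the higher-confidence alert; the plain rogue-domain match is the fallback for hosts that already ran the installer and no longer carry a referrer.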

Inevitably, as the news changes, the terms the cybercriminals use to catch the attention of their victims will change to something more topical.

Tasneem Patanwala
Malware Researcher