Cybercriminals syndicating Google Trends keywords to serve malware


In an underground ecosystem that is anything but old fashioned when it comes to abusing legitimate web services, cybercriminals have started exploiting the traffic momentum: by monitoring the peak traffic for popular search queries using Google Trends, they syndicate the keywords in order to acquire the traffic and direct it to malware serving blogs, primarily hosted at Windows Live Spaces.

According to a recent advisory issued by Webroot:

"For the first time, hackers are capitalizing on the top news stories from Google Trends Labs, which lists the day's most frequently searched topics, which can include news of the Wall St. bail out or the presidential campaign," said Paul Piccard, director of Threat Research, Webroot. "These highly relevant news stories and videos are being posted to the hackers' fake blogs to increase the site's Google search rankings.

These fraudulent blogs contain several video links about the news story for which the users were originally searching. Once a user clicks on one of the video links, they are prompted to download a video codec that downloads a rogue antispyware program designed to goad the user into purchasing an illegitimate program that may put their personal information and data at even greater risk."

Let's take a sample and confirm the ongoing syndication of popular keywords in order to attract traffic to the several hundred malware serving blogs.

A random keyword "on fire" like gwen ifill wheelchair indicates that, 55 minutes ago, a malware serving blog was successfully crawled and is now appearing within the first 10 results thanks to the high page rank of Windows Live Spaces. Upon clicking the link, the user is exposed to the typical ActiveX Object Error message, which attempts to trick them into installing TrojanDownloader:Win32/Zlob.AMV, with 10 out of 36 AV scanners currently detecting it (27.78%).

Moreover, in order to ensure that their fake blogs get crawled in the shortest time frame possible, so that they can better abuse the momentum peak of the search query, they are naturally taking advantage of pre-registered blogs at popular blogging platforms, which Google crawls literally in real time. Syndicating this particular keyword in order to serve malware is not an isolated event: several hundred currently active blogs are doing exactly the same as soon as Google Trends refreshes its hourly feed.
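As an added example (not code from the post, from Webroot or from any of the platforms named), here is a small triage heuristic a defender could run over search-result records to spot posts riding a trending keyword: a hit on a free blog host, crawled within a short window after the keyword peaked on Trends, and carrying the fake video/codec lure. The hosts, lure words and two-hour window are assumptions, and the result records are constructed.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumptions: hosts counted as free, pre-registered blog platforms; words that mark the
# fake codec lure; how long after a keyword peaks a fresh crawl is considered to "ride" it.
FREE_BLOG_HOSTS = ("spaces.live.com",)
LURE_WORDS = ("video", "codec", "activex")
TREND_WINDOW = timedelta(hours=2)

def is_free_blog(url):
    host = urlparse(url).hostname or ""
    return any(host == h or host.endswith("." + h) for h in FREE_BLOG_HOSTS)

def score_result(result, trending):
    """Return (matched keyword, score 0-4); score 0 when no trending keyword matches."""
    text = (result["title"] + " " + result["snippet"]).lower()
    for keyword, peak in trending.items():
        if keyword not in text:
            continue
        score = 1                                    # rides a trending keyword
        score += is_free_blog(result["url"])         # hosted on a free blog platform
        score += timedelta(0) <= result["crawled"] - peak <= TREND_WINDOW  # crawled right after the peak
        score += any(w in text for w in LURE_WORDS)  # carries the codec lure
        return keyword, score
    return None, 0

def abuse_report(results, trending, threshold=3):
    """Group flagged URLs by the trending keyword they ride."""
    report = {}
    for r in results:
        keyword, score = score_result(r, trending)
        if keyword and score >= threshold:
            report.setdefault(keyword, []).append(r["url"])
    return report

# Constructed sample data: one keyword peak and three search results.
TRENDING = {"gwen ifill wheelchair": datetime(2008, 10, 3, 14, 0)}
RESULTS = [
    {"url": "http://user1.spaces.live.com/blog/entry1", "crawled": datetime(2008, 10, 3, 14, 55),
     "title": "Gwen Ifill wheelchair video", "snippet": "watch the video - install codec to play"},
    {"url": "http://news.example.com/2008/10/debate", "crawled": datetime(2008, 10, 2, 9, 0),
     "title": "Gwen Ifill wheelchair photos", "snippet": "wire coverage of the debate moderator"},
    {"url": "http://user2.spaces.live.com/blog/entry2", "crawled": datetime(2008, 10, 3, 15, 10),
     "title": "gwen ifill wheelchair - full video", "snippet": "ActiveX object error? download codec"},
]

if __name__ == "__main__":
    for kw, urls in abuse_report(RESULTS, TRENDING).items():
        print(kw, "->", len(urls), "suspicious blog(s):", *urls)
```

Counting how many distinct free-hosted blogs ride the same keyword inside the window is what separates a single stale post from the hourly wave the post describes.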

Malware campaigns have been taking advantage of pure SEO (search engine optimization), and mostly blackhat SEO techniques, throughout 2008. The difference between the ongoing campaign and previous ones is that the current approach has a higher probability of attracting generic search traffic, since it relies on the world's most popular search engine to tip them off about what the world has been searching for during the past hour.


Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

15 comments
  • Large networks are increasingly...

    being used to compromise the Internet. These commercial networks are too large to be managed by hands-on real people and are being managed by technology. Things are only going to get worse. If these networks can't be properly managed they need to be turned off. They may be all the rage but they are turning into a blight on the Internet.

    The issue discussed in this article plus the hacking of CAPTCHAs are two prime examples of non-human network management. These networks need to re-examine their methods or be shut down.
    bjbrock
    • So, What Are You Proposing?

      Human vetting of search trends? How would that help? Simply by delaying the activity described?
      PMC-CON
    • should be standards for large network systems

      Commercial networks are too busy outsourcing, crapsourcing, and reducing the real quality of their products behind the veneer in order to scrape every penny out of it to care about the effect on the infrastructure and users as a whole.
      opcom
  • RE: Cybercriminals syndicating Google Trends keywords to serve malware

    I got nailed by this about a month ago. Just about every Windows Live Space that just has a picture and a video link is connected to this botnet. It took 3 days and a host of download.com programs to try before Malwarebytes did finally take out the rogue programs. It replaced my background picture, knocked out the screensaver and dropped more ads than I have seen in the past 3 years combined, in just those 2-3 days. Vicious little program that I had come l-l this close to having to reinstall my entire operating system. It is a vicious program and these progenitors need to be taken out. And soon.
    alandee4
  • RE: Cybercriminals syndicating Google Trends keywords to serve malware

    Can someone get Microsoft to do anything about their blogs and for their domain livefilestore.com? I have complained and complained and complained to Microsoft and even to the FTC about Microsoft's lack of response to this problem and nothing is ever done. The only thing I get back from Microsoft is that the links on their "live" domains don't point to a site that they host and they can't (read won't) do anything about it.
    stephke
  • RE: Cybercriminals syndicating Google Trends keywords to serve malware

    I understand the problem and have been victim to it. But instead of complaining, can one of the repliers to the story identify what downloads worked to shake off the malicious software? My business name has been hijacked by several of these programs.
    fudge2216
    • You need an in depth defense to fight this kind of threat..

      The old "super suite" approach isn't working anymore. Just going to ZDNet's sister CNET and looking at the user ratings of download software can get you far.

      The last time I was attacked by a Google link and these conditions mitigated it:

      1. I was logged in as a restricted user.

      2. Site Advisor had a question mark by the link but I clicked on it anyway - big mistake!

      3. Secunia PSI helped me keep my Adobe Reader up to date and the malware attempted to use past vulnerabilities to gain administrative control, but was unsuccessful after three attempts.

      4. ESET NOD32 nailed the culprit instantly upon coming through the firewall, and slammed it in every one of the three attempts to attack.

      This along with many others like Spyblaster, Spybot Search & Destroy, Comodo Firewall Pro, Snoopfree Privacy Shield, CCleaner, a good host file blocker (recommended by TechRepublic) which will sometimes prevent the redirects caused by bad website practices; and many more. I'm just naming a few.

      There are also good programs listed at CNET (download.com) that can keep your private information both off your hard drive or encrypted so it can't be absconded. The only problem with these programs is they have security vulnerabilities of their own, so I uninstall them immediately after removing the information; and occasionally reinstall to check for potentially damaging personal data on a scheduled basis.

      I don't go for the programs that simply keep cookies off IE 7 or other browser, or are simply enhancements to privacy protection already included in IE 7. I use only utilities that literally block the data from leaving the computer in the first place like the ones purchased with PC-cillin or Norton.

      These programs block data from leaving port 80 on non-SSL sessions, Internet Messaging, or email. Both Trend and Symantec have become too unwieldy for me, though, so I just delete the data from my computer and use iVault (Comodo) to enter the information on the web. Some people like the paid versions from other vendors better.
      JCitizen
  • RE: Cybercriminals syndicating Google Trends keywords to serve malware

    OpenDNS Baby, OpenDNS!
    botchagalupe
    • Re: OpenDNS--a Good Thing.

      I'll second that...
      gypkap@...
      • On Mozilla, NoScript also.

        OpenDNS will prevent you from pharming but not stop compromised websites from serving junk to you. NoScript extension on Mozilla browsers will prevent the other half of this junk running and possibly installing on your system.
        Even better, have a Mac, on which most of this junk will not work, since they write it for the MS Windows world.
        phatkat
    • Open DNS not always the answer...

      http://www.networkworld.com/news/2006/040506-open-dns-servers-cause-concern.html

      Also not the definitive answer to the new DNS poisoning vulnerability:

      http://msmvps.com/blogs/alunj/archive/2008/07/25/1642098.aspx

      The issues have been hashed out on several Tech Republic articles, if anyone is interested enough to check for themselves.
      JCitizen
  • RE: Cybercriminals syndicating Google Trends keywords to serve malware

    I do all my Web surfing as a Windows restricted user, which can't install anything on the system.

    The only disadvantage is that I have to switch to the Administrator account to really install something. But that doesn't happen very often, and is a small price to pay to be safe from this malware.
    Alan Balkany
  • RE: Cybercriminals syndicating Google Trends keywords to serve malware

    All of this malicious software is NOT Microsoft's or Google's fault. (How funny, for once, that's something that both companies can agree on)

    Google needs to beef up its search engine, to prevent Google Trends from indexing malicious websites without first posting a warning.

    Microsoft on the other hand, needs to redesign their captcha system. Use Silverlight, make an unreadable logo. As I last checked, programs cannot read the content of a Silverlight or Flash application. Only that applet itself can.

    Meanwhile, users should beware, if you notice a file download message on ANY browser and you did not click a link to download it, DO NOT DOWNLOAD THE FILE. In 9 out of 10 cases, when that happens the file is malicious.

    By the way, to the people who think Macs are virus free, a Mac will only stay virus free while it isn't popular. If the Macs ever surpass Windows, then all the viruses will be aimed for Macs and Windows will become the Utopian computer.
    windowsknowitall
  • your best posting so far, Dancho

    This one is clear without being over-stated, and lets us know about something very important.

    I appreciate that you stay away from the 'huge problems' when Quicktime releases a fix, and so forth nonsense as some of your blogging partners use very irresponsibly.

    Thank you,
    Narr vi
  • Patch for java is successful and posted.

    This patch was designed for this; Spaces@MSN access to JRE FCV_FCI. I know it should have been marked J2SE. Search Stalin Hornsby, Stalin_Hornsby. It is the deal with a zipper and buffer and is in component form for upload. It blocked a Rip Curl Trojan that blasted IE7. Recovered IE7 with trend micro and deleted six IE7 patches; good luck.
    KX125! Please.
    rtirman37@...