Monday, April 30, 2007

Malicious Keywords Advertising

Blackhat SEO's been actively abused by spammers, phishers and malware authors, each of them contributing to the efficiency of the underground ecosystem. Comments spam, splogs, coming up with ways to get a backlink from a .EDU domain, the arsenal of tools to abuse traffic acquisition techniques has a new addition - paid keyword advertising directly leading to sites hosting exploit code :

"Those keywords put the criminals' sponsored links at the top of the page when searches were run for brand name sites like the Better Business Bureau or Cars.com, using phrases such as "betterbusinessbureau" or "modern cars airbags required." But when users clicked on the ad link, they were momentarily diverted to smarttrack.org, a malicious site that used an exploit against the Microsoft Data Access Components (MDAC) function in Windows to plant a back door and a "post-logger" on the PC."

Here's another interesting subdomain that was using JPG images to "break the .exe extension ice" and redirect to anything malicious - pagead2.googlesyndication.com.mmhk.cn

What's the most cost-effective approach, yet the most effective one as well when it comes to that sort of scheme? On a quarterly basis, a "for-the-masses" zero day vulnerability becomes reality. The fastest exploitation of the "window of opportunity" until a patch is released and applied, is abused by embedding the exploit into high traffic web sites, or even more interesting, exploiting a vulnerability in a major Web 2.0 portal to further spread the first zero day. Therefore, access to top web properties is a neccessity, and much more cost effective compared to using AdSense. I wouldn't get surprised to find out that hiring a SEO expert to reposition the malicious sites is also happening at the time of blogging. Some details at McAfee's blog.

Despite the amateurs using purchased keywords as an infection vector, at another malicious url _s.gcuj.com we have a decent example of a timely exploitaition with _s.gcuj.com/t.js and _s.gcuj.com/1.htm using Microsoft's ANI cursor vulnerability to install online games related trojans - _t.gcuj.com/0.exe_ The series of malicious URLs are mostly advertised or directly injected into Chinese web forums, guestbooks etc. Here are some that are still active, the majority of AVs thankfully detect them already :

_cool.47555.com/xxxx.exe_
_d.77276.com/0.exe_
_www.puma163.com/pu/pu.exe_
_rzguanhai.com/server.exe_

The key point when it comes to such attackers shouldn't be the focus on current, but rather on emerging trends, and they have to do with anything, but malicious parties continuing to use AdSense to direct traffic to their sites in the long term. Watch a video related to the attacks, courtesy of Exploit Prevention Labs.

No comments:

Post a Comment