By poisoning search results with pages serving malware

Feb 26, 2009 10:50 GMT  ·  By

Security researchers from antivirus vendor Trend Micro report that, during the few hours of Gmail downtime, cyber-crooks moved fast to mount a malware distribution attack that combines black-hat SEO with social engineering.

The fact that cyber-criminals capitalize on important events in order to get the most out of their schemes and malicious campaigns is nothing new. However, in the online world, the definition of "important events" exceeds the scope of holidays and significant developments that affect our lives, such as armed conflicts or natural disasters.

At the height of social networking, problems or changes affecting popular services that bring together millions of users are just as important. Such has been the case with the recent outage suffered by Google's e-mail service, Gmail.

Naturally, a large number of users were curious to find out why they could not access their accounts, and many of them resorted to searching on Google; as Trend Micro researcher Loucif Kharouni discovered, the cyber-crooks were fast to react.

"During the downtime, searches for the string 'gmail down' yielded a Google Group page also named 'Gmail down' as the top result," JM Hipolito, responsible for technical communications at Trend, explains.

Amongst various adult materials, this page promoted three external links. The first one, entitled "Really young good looking teenager," pointed to a computer trojan identified by Trend as TROJ_PROXY.AEI. Its payload poisons the Google search result pages seen on the victim computer by forcing the browser to connect through a proxy server under the attackers' control.

Visiting the second link prompts the download of yet another computer trojan installer, identified as TROJ_AGENT.FAKZ. This malicious application is served as a Browser Helper Object (BHO) and, when executed, opens a website inside an Internet Explorer window. The site masquerades as an embedded video file which, when clicked, triggers the download of a rogue security application detected as TROJ_FAKEAV.ANI.
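The two infection mechanisms described above, a browser forced through an attacker-controlled proxy and a malicious Browser Helper Object, both leave traces in Windows registry locations that an administrator can audit. The following PowerShell script is an added example written for this page, not code from the article or from Trend Micro: it lists the current user's WinINET proxy and PAC configuration and enumerates registered BHOs with the DLL each one resolves to and its Authenticode status. It assumes a Windows host with an elevated PowerShell 5.1 or later session; the article does not state which registry values these specific trojans modify, so the checks are generic rather than signatures for TROJ_PROXY.AEI or TROJ_AGENT.FAKZ.

```powershell
# Added example (not from the article): audit the two redirection/persistence points
# the text describes. Assumption: Windows host, elevated PowerShell 5.1+.
# The trojans' exact registry changes are not given in the article, so these checks
# are generic rather than detections for the named samples.

# 1. Per-user WinINET proxy settings: a proxy-hijacking trojan that rewrites search
#    results has to route the browser somewhere it controls.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy = Get-ItemProperty -Path $inetKey -ErrorAction Stop

Write-Host '== WinINET proxy configuration (current user) =='
if ($proxy.ProxyEnable -eq 1) {
    Write-Warning ('Manual proxy is ENABLED: {0} (bypass list: {1})' -f `
        $proxy.ProxyServer, $proxy.ProxyOverride)
} else {
    Write-Host 'Manual proxy disabled.'
}
if ($proxy.PSObject.Properties['AutoConfigURL'] -and $proxy.AutoConfigURL) {
    # A PAC script can redirect traffic selectively, e.g. only search engines.
    Write-Warning ('PAC script configured: {0}' -f $proxy.AutoConfigURL)
}

# 2. Registered Browser Helper Objects: every BHO is a CLSID under these keys,
#    and the CLSID's InprocServer32 default value names the DLL that IE loads.
Write-Host "`n== Registered Browser Helper Objects =="
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$report = foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    Get-ChildItem -Path $key | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                                   -ErrorAction SilentlyContinue
        $dll = if ($server) { [Environment]::ExpandEnvironmentVariables($server.'(default)') } else { '<unresolved>' }
        # An unsigned or untrusted DLL in this list deserves a closer look.
        $sig = if ($dll -and (Test-Path -LiteralPath $dll)) {
            (Get-AuthenticodeSignature -FilePath $dll).Status
        } else { 'n/a' }
        [pscustomobject]@{ CLSID = $clsid; Dll = $dll; Signature = $sig }
    }
}
if ($report) { $report | Format-Table -AutoSize } else { Write-Host 'No BHOs registered.' }
```

Run it from an administrative prompt on the host being examined; an enabled proxy or PAC URL the user did not configure, or a BHO whose DLL is unsigned or lives outside Program Files or the Windows directory, is the kind of finding that warrants pulling the file for analysis.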

The third link leads to a file called "The Dark Knight torrent.zip." When unpacked, it contains a .BAT file (BAT_DELWIN.AA) with a destructive payload. More specifically, when executed, the .BAT script deletes several critical system files such as autoexec.bat, boot.ini, ntldr and win.ini. It then displays two alerts that read "Virus Activated" and "Computer Over. Virus=Very Yes," respectively. These are followed by a system shutdown, and the computer is left unbootable.

According to the Trend Micro analysts, the said Google group was only online for approximately 25 minutes, so hopefully it has not affected too many users. However, as Mr. Hipolito notes, "This incident serves as proof of how keen cybercriminals’ instincts can get in seeing opportunities to distribute their malicious files."