Top video search results lead to malware

Feb 2, 2009 11:46 GMT  ·  By

Security researchers from anti-virus vendor Trend Micro are warning about the fairly new trend of poisoning Google video search results. An estimated 400,000 search queries have returned rogue results pointing to malware.

Cyber criminals have been using blackhat search engine optimization (SEO) techniques to push their malicious web resources into search results for quite a while now. However, this trend has recently intensified, and more legitimate web services have been abused to distribute malware, capitalizing on the fact that users tend to trust their content.

This is also the case with the Google video search engine, which indexes millions of videos from all across the web. “This new blackhat SEO poisoning makes clear that online search tools are quickly becoming favorite platforms for online criminals in their operations,” Jake Soriano, one of the people responsible for technical communications at Trend Micro, notes.

The company's analysts have come across hundreds of thousands of poisoned results, which point to fake copies of legitimate video sharing services such as YouTube. The malicious pages distribute a worm detected by Trend as WORM_AQPLAY.A in the form of a fake Flash Player installer called FlashPlayer.v3.181.exe, which the pages claim is required in order to watch the embedded videos.

After installation, the worm proceeds to spread itself to other computers via removable media devices such as USB memory sticks, where it drops rogue autorun.inf files. This is another propagation technique that has been making a comeback, probably fueled by the success of the infamous Conficker worm.

The malware analysts explain that, in order to push their pages to the top of the search results, the attackers constantly maintain a list of domain names and employ other blackhat SEO techniques that abuse popular search keywords and phrases. The most interesting aspect of this attack, however, is that the rogue pages serve malware only to visitors who arrive from Google Video; anyone who reaches the same URL another way, such as a researcher opening it directly, is not served the payload, which helps the pages avoid detection.
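The practical consequence of that referer check is that opening a suspect URL in a browser or a crawler tells you nothing. The check a practitioner would run instead is to request the page twice, once without a Referer header and once with one that looks like a click from a Google Video result, and compare the two responses. The following is an added example illustrating that probe; it is not Trend Micro's code. The Google Video referer string, the probe URL and the two simulated sites are assumptions constructed for the example so that it runs offline; `http_fetch` is the fetcher you would pass for a live URL.

```python
"""Referer-based cloaking probe (added example, not Trend Micro's code).

Fetch one URL twice, once with no Referer and once with a Referer that
looks like a Google Video result click, and diff the responses.  A page
whose content changes, or that only offers an .exe download, when the
referer says video.google.com is cloaking.  The referer string and the
sample sites below are assumptions made for the example.
"""
import hashlib
import re
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

# Assumed shape of a Google Video search-result referer.
GOOGLE_VIDEO_REFERER = "http://video.google.com/videosearch?q=free+movie"

# Links to Windows executables, the payload type described in the article.
EXE_LINK = re.compile(rb"""(?:href|src)\s*=\s*["']?([^"' >]+\.exe)""", re.IGNORECASE)

# A fetcher takes (url, referer-or-None) and returns (status, body).
Fetcher = Callable[[str, Optional[str]], Tuple[int, bytes]]


def http_fetch(url: str, referer: Optional[str], timeout: float = 10.0) -> Tuple[int, bytes]:
    """Real fetcher: GET the url, optionally with a Referer header."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def compare_views(url: str, fetcher: Fetcher = http_fetch) -> dict:
    """Fetch url with and without the Google Video referer and diff the views."""
    plain_status, plain_body = fetcher(url, None)
    ref_status, ref_body = fetcher(url, GOOGLE_VIDEO_REFERER)
    plain_exes = set(EXE_LINK.findall(plain_body))
    ref_exes = set(EXE_LINK.findall(ref_body))
    return {
        "plain_status": plain_status,
        "referred_status": ref_status,
        "plain_sha256": hashlib.sha256(plain_body).hexdigest(),
        "referred_sha256": hashlib.sha256(ref_body).hexdigest(),
        # Executables offered only to the visitor who "came from" Google Video.
        "exe_only_with_referer": sorted(e.decode("latin-1") for e in ref_exes - plain_exes),
        "cloaked": plain_body != ref_body or plain_status != ref_status,
    }


# --- Constructed stand-ins for a rogue and an honest page, so the probe runs offline. ---
BAIT_PAGE = (b"<html><body>Your Flash Player is out of date. "
             b'<a href="/dl/FlashPlayer.v3.181.exe">Install</a> to watch.</body></html>')
DECOY_PAGE = b"<html><body><p>Welcome to our video site.</p></body></html>"


def cloaked_site(url: str, referer: Optional[str]) -> Tuple[int, bytes]:
    """Simulated attacker page: the bait is served only to Google Video visitors."""
    if referer and "video.google.com" in referer:
        return 200, BAIT_PAGE
    return 200, DECOY_PAGE


def honest_site(url: str, referer: Optional[str]) -> Tuple[int, bytes]:
    """Simulated page that ignores the referer entirely."""
    return 200, DECOY_PAGE


if __name__ == "__main__":
    import json
    # Swap in http_fetch (the default) to probe a live URL.
    print(json.dumps(compare_views("http://example.invalid/watch", cloaked_site), indent=2))
```

Comparing hashes rather than raw bodies keeps the report small when probing a list of domains; the `exe_only_with_referer` field is the signal worth alerting on, since an executable that appears only for the search visitor is exactly the behaviour described above.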

“Blackhat SEO threats take advantage of the trust users put on online search tools. Through this method cybercriminals are able to manipulate results such that malicious websites appear first on search lists,” Mr. Soriano concludes, advising users to exercise extra caution when visiting any search results.

In addition, because it is constantly being abused in this way, many security researchers consider the Windows AutoRun feature a security risk and advise users to disable it wherever it is not actually needed. Microsoft has published updated information on how to disable this feature in its KB953252 document.
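Two checks follow from the USB propagation described earlier and from the AutoRun advice above: inspect the autorun.inf on a suspect stick for entries that launch an executable or hijack Explorer's double-click and Explore verbs, and decode the NoDriveTypeAutoRun policy value that Microsoft's guidance controls to see which drive types still have AutoRun enabled. The following is an added example covering both; it is not code from Trend Micro or Microsoft. The sample autorun.inf is constructed for the example and is not the file dropped by WORM_AQPLAY.A; only the file name is taken from the article. The registry reader only works on Windows and returns None elsewhere.

```python
"""autorun.inf triage and NoDriveTypeAutoRun decoding (added example,
not Trend Micro's or Microsoft's code).  The sample autorun.inf below is
constructed for the example; it is not the worm's actual file.
"""
import os
from typing import Dict, List, Optional

# Bits of Policies\Explorer\NoDriveTypeAutoRun; a set bit DISABLES AutoRun for that type.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",   # USB sticks, the spreading vector described above
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "DRIVE_UNKNOWN_TYPE",
}

# [autorun] keys that execute something outright.
EXEC_KEYS = ("open", "shellexecute")


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return the [autorun] section as a dict of lower-cased key -> value."""
    section = None
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def flag_autorun_inf(text: str) -> List[str]:
    """List the reasons an autorun.inf looks like a malware dropper."""
    findings = []
    for key, value in parse_autorun_inf(text).items():
        if key in EXEC_KEYS:
            findings.append(f"{key} launches {value}")
        elif key == "shell":
            findings.append(f"shell changes the default verb to {value}")
        elif key.startswith("shell\\") and key.endswith("\\command"):
            # shell\open\command etc. hijack double-click / Explore even when
            # plain AutoRun is off, which is why USB worms favour them.
            findings.append(f"{key} hijacks an Explorer verb to run {value}")
    return findings


def scan_drive(root: str) -> List[str]:
    """Triage the autorun.inf at the root of a mounted drive (e.g. 'E:\\\\')."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    with open(path, "r", errors="replace") as fh:
        return flag_autorun_inf(fh.read())


def autorun_disabled_types(value: int) -> List[str]:
    """Drive types for which this NoDriveTypeAutoRun value disables AutoRun."""
    return [name for bit, name in sorted(DRIVE_TYPE_BITS.items()) if value & bit]


def removable_autorun_disabled(value: int) -> bool:
    """True if AutoRun is off for removable drives (0xFF turns it off for all types)."""
    return bool(value & 0x04)


def read_nodrivetypeautorun() -> Optional[int]:
    """Read the live policy on Windows (machine policy first); None elsewhere or if unset."""
    try:
        import winreg
    except ImportError:
        return None
    subkey = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, subkey) as key:
                value, _ = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
                return int(value)
        except OSError:
            continue
    return None


# Constructed sample; only the executable name comes from the article.
SAMPLE_AUTORUN_INF = r"""; constructed sample, not the worm's real file
[autorun]
open=FlashPlayer.v3.181.exe
shell\open\command=FlashPlayer.v3.181.exe
shell\explore\command=FlashPlayer.v3.181.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
"""
BENIGN_AUTORUN_INF = r"""[autorun]
label=Holiday photos
icon=photos.ico
"""

if __name__ == "__main__":
    for finding in flag_autorun_inf(SAMPLE_AUTORUN_INF):
        print("SUSPICIOUS:", finding)
    live = read_nodrivetypeautorun()
    if live is not None:
        print(f"NoDriveTypeAutoRun=0x{live:02X} disables:", autorun_disabled_types(live))
```

A stick whose autorun.inf produces any finding should be handled offline (mount with AutoRun disabled, or on a non-Windows system) before any file on it is opened; the `shell\...\command` hijack in particular fires on a double-click in Explorer even where plain AutoRun has already been turned off.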