Google-sponsored links displayed on search results pages point to rogue applications

Dec 18, 2008 13:14 GMT

Researchers from Websense Security Labs, who track all sorts of Internet threats, have issued a warning that malicious websites pushing malware are being promoted through Google's sponsored links, which are embedded in the search results.

The complex scheme makes use of legit online services and fakes popular websites in order to push malware, which in turn promotes rogue security applications. The Websense analysts uncovered the malicious Google ads while researching another online scam involving malware. “We thought that this scam could present a good case study to show how the reputations of legitimate and popular applications and online services are being abused to serve and help malware authors to spread malicious software,” Elad Sharf writes on the Websense Security Labs blog.

When the researchers searched for WinRAR, a popular compression utility, Google displayed a sponsored link promoting a free version of the archiver. The link led to a page imitating a well-known download website, which was hosted on a domain in China. The application offered for download on the page did install the legit WinRAR, but also had a malicious file attached.

An infected explorer.exe, which is dropped into the system32 folder, makes changes to the hosts file in order to redirect requests for popular websites to a rogue IP, and also prompts the user with alerts once every minute. Trying to visit any website hijacked through the Windows hosts file redirects the user to a fake Microsoft Security Center page that claims that the system is infected.
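The hosts-file change described above can be checked for directly. The following is an added example, not code from Websense or from the original article: it parses hosts-file text and reports well-known domains pinned to a non-local address, grouped by IP. The watched-domain list and the sample file contents are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: domains worth watching; extend to suit your environment.
WATCHED = {"google.com", "microsoft.com", "yahoo.com"}

# Constructed sample hosts file; 203.0.113.0/24 is a documentation range.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net   # local ad-block entry
203.0.113.66    www.google.com google.com
203.0.113.66    www.microsoft.com  # injected
203.0.113.66    search.yahoo.com
10.0.0.5        intranet.corp.example
not-an-ip       broken.line
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every valid mapping in the file."""
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # skip lines whose first field is not an IP address
        for name in fields[1:]:  # one line may map several hostnames
            yield no, ip, name.lower().rstrip(".")

def is_watched(name, watched):
    """True for a watched domain or any of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in watched)

def audit_hosts(text, watched=WATCHED):
    """Return {ip: [(line_no, hostname), ...]} for watched domains
    mapped to anything other than loopback or the unspecified address."""
    hits = defaultdict(list)
    for no, ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue  # blocklist-style entries, not redirects
        if is_watched(name, watched):
            hits[str(ip)].append((no, name))
    return dict(hits)

if __name__ == "__main__":
    for ip, entries in audit_hosts(SAMPLE_HOSTS).items():
        for no, name in entries:
            print(f"line {no}: {name} -> {ip}")
```

On Windows the file to feed into `audit_hosts` is `%SystemRoot%\System32\drivers\etc\hosts`; several unrelated popular domains sharing one address is the pattern the article describes.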

In addition, the page offers a download link to an alleged anti-spyware application. The prompts that show up on the desktop every minute are meant to convince users that they have picked up an infection. The download link takes them to a professional-looking page that offers the fake anti-spyware program for sale.

Social engineering tactics, such as scaring individuals into buying useless software, are becoming a popular method of increasing profits for cyber-crooks. The number of such applications increased significantly in 2008, and this even prompted Microsoft to react. The Federal Trade Commission recently filed a complaint against several individuals and companies behind a major scareware advertising operation.

“This raises some questions,” Elad Sharf notes. “Is this problem Google's fault for not checking whether advertised links actually serve malware? Is it the miseducated user's fault for getting infected?” he asks. The search giant responded through a spokesman who announced that the company was actively working to clean its advertising network of such websites, and stressed that it was committed to protecting its users and customers.

Brian Krebs, reporter for the Washington Post, notes on his Security Fix blog that searching for other popular applications such as Firefox revealed more malicious sponsored links. In addition, he makes the observation that he came across two other such links pointing to malware-related websites while searching for WinRAR, which were different from the one encountered by Websense.