Thieves have a new technique for infecting their victims, warned Sean-Paul Correll, threat researcher and security evangelist for Panda
Labs. He said that they build custom search engines that present valid links but which use a redirection script to send all clicks to malware downloads.
“The link would be in the form ‘malicious-search-engine.com/redir/’ and then an ID number. The link would go to a theoretically valid site but in fact it redirects to wherever they want it to go,” he explained.
Often, these search engines install rogue antivirus software, also known as “scareware,” on victims’ machines.
This type of malware infects PCs and then asks for a credit card fee, perhaps $79, to cure the infection. “But of course that’s fake,” said Correll. “Once you pay, they take your personal data and sell it.”
Thieves must be making money from scareware because there’s more of it now than ever before. Correll said that his lab has seen more new binaries (individual pieces of scareware) in the first quarter of 2009 than it recorded in all of 2008.
In order to get the profitable malware on victims’ machines, criminals have in the past created Web sites that appeared to have useful information but which would contain dangerous links.
Using sophisticated search engine optimization (SEO) practices, the criminals would position those dangerous links in the search results of legitimate Web sites, especially Google. “On Google, maybe only the sixth search result would be malicious and the rest would be relevant,” said Correll.
On malware search engines, every link is dangerous.
Recently, they have targeted victims searching for information about swine flu, warned Panda Labs security researcher Ocsar Cavada in a blog post.
But the problem is ongoing and next month’s bait may be completely different. Last month, it was car companies — first Ford, then Nissan — said Correll in a blog post.
Being part of the solution
Correll said that these fake search engines get significant traffic — he claimed that one had 250,000 visitors per month according to data from Alexa, an Internet information company.
He said that search engines will find and crawl malicious Web sites, at least until they find anything that’s malicious.
He added that when Panda Labs discovers malicious search engines, it notifies registrars, Web hosts, and search engines.
Correll said that as malware mutates faster than ever before, security companies will respond with cloud computing technology that allows them to update their security software to keep up with the villains.
Panda has released its own cloud-based antivirus software that is free and currently in beta. Correll said that it uses an automated signature generator that allows the company to release a new signature in only six minutes.
That’s impressive, but it’s not the only one. McAfee’s goal for releasing new signatures to its cloud service is one minute.
