Breakdown: Criminals use midterm elections to spread Malwareby Steve Ragan - Nov 2 2010, 23:20
Criminals are using the election season to spread Rogue anti-Virus software and other related Malware. Here is a breakdown on the latest search engine attacks, including what to look for and, if you’re a webmaster, how to determine if you’ve fallen victim.
The Tech Herald has covered BlackHat SEO attacks in the past, and if you’ve followed along you know that criminals love to spike search results in order to spread Rogue anti-Virus applications and other Malware. The good news is that most of the poisoned search results are being flagged by Google, the down side is that newer domains are taking their place.
Security vendor Websense posted a warning that criminals were using search terms related to the elections this year to spread Rogue anti-Virus software. After reading its blog post on the topic, we did some digging and discovered dozens of sites poisoning hundreds of search terms related to the midterm elections, political figures and topics, as well as current events and trending topics from the past week.
The attack on the end user starts with a Web search. Google is the popular vector, but Yahoo and Bing are also avenues of attack. Searching for midterm election results, on a local or national scale, will return plenty of coverage--especially given the amount of heated debate on both sides.
The catch is, keywords like “election results 2010”, “midterm election results”, “election polls”, “midterm election polls 2010”, and related terms including “AARP”, “Virginia Governor”, “New Jersey Governor”, “Gallop”, “electoral coverage”, “Senate races” and “political figures”, are commonly used by the public, so they’re easily targeted and exploited by criminals.
Some malicious links using those keywords attack instantly, while others have links to malicious domains embedded in comments or posted articles. Either way, the criminals are using many of the same scripts we’ve seen in the past to pull off an attack. The scripts will strip the search terms and create a dynamic listing by scraping content from other domains and related search results.
What this does is create a search result that, when viewed in a search engine, appears to have everything a person is searching for, thus enticing them to click the link. The poisoned results are pushed higher in the rankings by maintaining keyword relevance, as well as link popularity by joining several compromised domains together.
Once a malicious link is clicked, the attack will forward the victim to another domain, where the Rogue anti-Virus software is delivered. In the case of Malware in general, some of the domains are using embedded code on the hijacked site to exploit client-side software, which allows them to deliver the malicious payload without the victim being aware. If not, then they forward the user off to a malicious domain to perform the attack.
Other topics that are leading to poisoned search results include “cannabis”, “Emma Watson”, “2009 election results”, popular TV show “Glee”, “job loss and creation”, “presidential approval ratings”, and “absentee balloting”.
Here are some tricks to determine if you are an unwitting victim to the BlackHat SEO schemes.
While digging into the BlackHat SEO attacks, we noticed many of the same patterns as before. Most of the malicious links use random PHP scripts to operate, and they are easy to spot based on the naming convention used.
If you search for your domain using the “site:” operator and trending keywords, you’ll notice them in the results. Make note that these files and the names are dynamic and generated on the fly in most cases, so they may not appear in a check of the Web server itself.
In some of the more recent BlackHat SEO attacks, we noticed that installations of WordPress, the popular blogging software, were compromised in order to propagate the attacks. The rogue files are added to the WordPress core installation, under the “/pomo/” directory.
As you see in the image above, the red section shows a malicious site with the randomly named PHP file linking to a compromised WordPress installation. The attacks on the WordPress installations seem to date as far back as March, but most of the malicious links were indexed as recently as October 31. While possible that the compromise is due to a flaw in WordPress, there is no solid evidence.
The images above show a malicious search result using a PHP file that is not part of a typical WordPress installation. The “so.php” file, as well as the “logs” file that accompanies it, were added to the “/pomo/” directory after the site was compromised. Looking at some of the installations, it would appear the “/pomo/” directory is present in WordPress installations 2.8.x up to 3.0.1.
As a webmaster you can check for the presence of these files. If found, remove them and secure the file structure of the server. As mentioned, there is no proof that a vulnerability in WordPress is the cause of these hijackings. However, WordPress has been vulnerable in the past, along with scores of the add-ons, or “plugins”, available for the blogging software. The best bet is to make sure that WordPress installations, as well as any installed add-ons, are kept current.
This is in addition to practices used to harden a server from attack, due to the fact that any given vulnerability that would allow unrestricted access to the server can be used to compromise hosted sites and use them for BlackHat SEO campaigns.
If you are interested in the elections, or the latest current events, the safest way to learn more about them is to stick to legitimate news sources and/or trusted blogs. You can find these via Google News or Yahoo News, as well as places like Digg and Reddit.
Webmasters should always make sure that they're using the latest build of a given software package. In the case of WordPress, they spend a good deal of time researching the code and are often quick to patch security problems. The newest versions will prompt you when new releases are available in the admin area, so you should check there frequently and update as needed. The same goes for any add-on modules that are used to enhance WordPress installations.