Osama Bin Laden related searches used to push Malware (Update)

As the world reacts to the death of terrorist Osama bin Laden, criminals are leveraging hijacked domains to poison Web searches related to the event. The poisoned search results are being used to spread Rogue anti-Virus, fake codecs, or leverage system vulnerabilities to deliver other malicious payloads.

Shortly after President Obama gave his address reporting the death of Osama bin Laden to the world, keywords related to the news turned volcanic on Google Trends. Based on our testing, there are scores of malicious sites in the Google index, and keywords related to the military operation that eventually killed the terror king are steadily moving up in rank.

At this time, Google’s new search algorithms are preventing a massive flood of malicious links. However, as was the case with the Royal Wedding, the criminals are moving to target the secondary keywords first. Later, they will use these secondary terms to boost results related to the main search. In this case it’s “Osama Bin Laden Dead”.

The malicious sites that appear the most in the search results are pushing Rogue anti-Virus applications. This junk software will leave a system sluggish, and in some cases completely useless. Variants of this type of fake software will promote it as a system optimization tool, such as a registry cleaner. In either case, the infected system is brought to its knees by a loss of function and a flood of fake warnings.

Other sites listed in the poisoned search results are pushing fake codecs. The two domains we witnessed both had one thing in common, they were promising video of the mission to kill bin Laden. For the record, there are no images or video of the operation itself, sites promoting such content are scams.

Both domains required that a codec be installed before the videos would display properly. The codecs on sites like these are malicious. They’re often used for installing a backdoors that allow additional harmful payloads to be delivered. When it comes to other domains, including ones in the search results flagged as malicious, Google’s data reports them as exploiting software vulnerabilities in order to deliver Malware.

Of the compromised sites we observed during our hunt, the majority of them were WordPress blogs or legit domains that have been hijacked. Once loaded, the hijacked domains use JavaScript to redirect the victim to a final attack point. However, the JavaScript will also redirect some users to harmless domains, such as Google or CNN.

We noticed a few of the final attack domains leveraging *.cc addresses, which are common in Black Hat SEO scams. There were also domains in Russia, Singapore, Korea, China, Brazil, Taiwan, and others acting as final points of attack, or secondary points of attack.

Below are reports from Google on the networks hosting some of the malicious domains we came across while searching.

[AS28299] [AS28870] [AS13238] [AS26496] [AS43426] [AS9919] [AS3462]

These links contain Google reports on the domains we discovered directly, or domains being leveraged in some fashion, by the bin Laden SEO attack.

[xuanya] [melodog] [post-av] [av-post] [healingteddies] [home371] [videodc] [aurasoma] [marchex]

The following is a list of search results being targeted by the SEO attack at the time we tested them, but others are sure to take their place:

Osama Bin Laden Dead
Osama Bin Laden Dead 2011
Osama Bin Laden Dead or Alive
Al Qaeda
Navy Seals
Obama Address

As the story develops, users will flock to the Web to get the latest information on the death of bin Laden. As they search, criminals will do what they can to game the system and target the masses.

The best bet to avoid falling victim to their schemes, is to stick to the main news organizations. Examples of such include the major U.S. networks (ABC, CBS, and NBC), the BBC, Al Jazeera, Fox, and CNN.


As this article was published, Zscaler reported on fake codecs being delivered on sites promising bin Laden death videos. They uploaded a sample of the Malware to VirusTotal to show an example of coverage. Their blog post is here.

Update 2:

Kaspersky is reporting Rogue anti-Virus being delivered via malicious image searches. Their blog post is here.

Update 3:

Another researcher at Kaspersky has discovered Facebook scams related to bin Laden's death. Avoid links that promote the following:

Sweet! FREE Subway To Celebrate Osamas Death - 56 Left HURRY!

2 Southwest Plane Tickets for Free - 56 Left Hurry

More here.


Like this article? Please share on Facebook and give The Tech Herald a Like too!

From our Other Sites

Man Makes Tiny Edible Pancakes with Tiny Kitchen Tools (Video)

This Japanese guy cooks up some pancakes…nothing special there right? Well he uses tiny implements to do it and makes perfect little pancakes. Kinda cool and they look tasty!

What Color is this Dress?

White and Gold or Blue and Black?
Well this one has been trending all over the web, just what color is this dress? It all started in Scotland when the mother of a bride-to-be sent a picture to her daughter asking what she thought of the dress. The bride and groom each saw the image differently, this then got posted online and picked up by some viral sites. The lighting in photo is probably  causing different people to see it as either white and gold or blue and black. Prof Stephen Westland, chair of color science and technology at a University in the UK told the BBC that it was impossible to see what other people see but that it was most […]

McLaren 675LT Pictures

Some great shots of the forthcoming McLaren 675LT. This coupe will get you to 60mph in less than 2.9 second and go all the way to 205mph.

McLaren 675LT Details

McLaren’s 675LT will debut at this year’s Geneva show and promises some eye-popping performance. The coupe only 675LT has a 3.8 liter V8 that will get you from 0-60mph in less than 2.9 seconds and to 124mph in less than 7.9 secondsMore than a third of the parts have been changed compared with its stable mate […]

McLaren 675LT Wallpaper

Some cool McLaren 675LT Wallpaper. The McLaren 675LT is the latest coupe to come from the supercar maker and has a top speed of 205mph.Click on an image to open a page with multiple sizes that you can download to use as wallpaper for your mobile or desktop.More McLaren Wallpaper.

Octopus hunts on land, grabs crab (Video)

This crab is minding its own business searching the rock pools for food when suddenly an octopus leaps out of the water and grabs it. The amazing thing is that the octopus does not just jump on the crab it actually pulls it all the way back to the rock pool it came from. If you check the second video you will see it is not unknown for octopus to come out of the water and the one in the second video has a crab with it, though is not hunting one! Octopus Walks on Land at Fitzgerald Marine Reserve The video was taken by Porsche Indrisie in Yallingup, Western […]

Stunning Mars Rover Selfie

This image by the Curiosity Mars rover is not exactly your typical selfie. It is made up of a bunch of images taken by the rover during January 2015 by the Mars Hand Lens Imager. This (MAHLI) camera is at the end of the robot’s arm. For a sense of scale the rover’s wheels are about 20 inches diameter and 16 inches wide. Check the annotated image below for more information on the surroundings. Also if you really want to see some detail click this very large image, 36mb, at NASA.  

How the Sahara Helps Feed the Amazon (Video)

Sahara to Amazon
This cool video from NASA shows how dust is transferred across the Atlantic to the Amazon rainforest and helps nourish the plants growing there. For the first time scientists have measured the amount of dust and the amount of phosphorus in the dust. The later acts like a fertiliser and helps replenish the phosphorus the rainforest loses each year, around 22,000 tons. Amazing how something we perceive as being desolate like a desert actually has an important role in sustaining somewhere we see as teeming with life. Image and video from NASA’s Goddard Space Flight Center.

Bouncing Laser Guided Bomb (Video)

This amazing video shows a laser guided bomb bouncing back up after hitting its target. We actually think this is a non-explosive bomb designed to test guidance systems but it is still pretty remarkable and somewhat scary.

South Koreans Swallowed by Sinkhole (Video)

Thankfully the couple survived their adventure.
This amazing footage taken from the CCTV on a passing bus shows the moment two pedestrians in South Korea fall down a sinkhole in the street! Rescue workers managed to save the pair, who were treated in a nearby hospital for minor injuries. According to reports the city authorities and the Korean Geotechnical Society are looking into the cause.