Osama Bin Laden related searches used to push Malware (Update)

As the world reacts to the death of terrorist Osama bin Laden, criminals are leveraging hijacked domains to poison Web searches related to the event. The poisoned search results are being used to spread Rogue anti-Virus, fake codecs, or leverage system vulnerabilities to deliver other malicious payloads.

Shortly after President Obama gave his address reporting the death of Osama bin Laden to the world, keywords related to the news turned volcanic on Google Trends. Based on our testing, there are scores of malicious sites in the Google index, and keywords related to the military operation that eventually killed the terror king are steadily moving up in rank.

At this time, Google’s new search algorithms are preventing a massive flood of malicious links. However, as was the case with the Royal Wedding, the criminals are moving to target the secondary keywords first. Later, they will use these secondary terms to boost results related to the main search. In this case it’s “Osama Bin Laden Dead”.

The malicious sites that appear the most in the search results are pushing Rogue anti-Virus applications. This junk software will leave a system sluggish, and in some cases completely useless. Variants of this type of fake software will promote it as a system optimization tool, such as a registry cleaner. In either case, the infected system is brought to its knees by a loss of function and a flood of fake warnings.

Other sites listed in the poisoned search results are pushing fake codecs. The two domains we witnessed both had one thing in common, they were promising video of the mission to kill bin Laden. For the record, there are no images or video of the operation itself, sites promoting such content are scams.

Both domains required that a codec be installed before the videos would display properly. The codecs on sites like these are malicious. They’re often used for installing a backdoors that allow additional harmful payloads to be delivered. When it comes to other domains, including ones in the search results flagged as malicious, Google’s data reports them as exploiting software vulnerabilities in order to deliver Malware.

Of the compromised sites we observed during our hunt, the majority of them were WordPress blogs or legit domains that have been hijacked. Once loaded, the hijacked domains use JavaScript to redirect the victim to a final attack point. However, the JavaScript will also redirect some users to harmless domains, such as Google or CNN.

We noticed a few of the final attack domains leveraging *.cc addresses, which are common in Black Hat SEO scams. There were also domains in Russia, Singapore, Korea, China, Brazil, Taiwan, and others acting as final points of attack, or secondary points of attack.

Below are reports from Google on the networks hosting some of the malicious domains we came across while searching.

[AS28299] [AS28870] [AS13238] [AS26496] [AS43426] [AS9919] [AS3462]

These links contain Google reports on the domains we discovered directly, or domains being leveraged in some fashion, by the bin Laden SEO attack.

[xuanya] [melodog] [post-av] [av-post] [healingteddies] [home371] [videodc] [aurasoma] [marchex]

The following is a list of search results being targeted by the SEO attack at the time we tested them, but others are sure to take their place:

Osama Bin Laden Dead
Osama Bin Laden Dead 2011
Osama Bin Laden Dead or Alive
Al Qaeda
Navy Seals
Obama Address

As the story develops, users will flock to the Web to get the latest information on the death of bin Laden. As they search, criminals will do what they can to game the system and target the masses.

The best bet to avoid falling victim to their schemes, is to stick to the main news organizations. Examples of such include the major U.S. networks (ABC, CBS, and NBC), the BBC, Al Jazeera, Fox, and CNN.


As this article was published, Zscaler reported on fake codecs being delivered on sites promising bin Laden death videos. They uploaded a sample of the Malware to VirusTotal to show an example of coverage. Their blog post is here.

Update 2:

Kaspersky is reporting Rogue anti-Virus being delivered via malicious image searches. Their blog post is here.

Update 3:

Another researcher at Kaspersky has discovered Facebook scams related to bin Laden's death. Avoid links that promote the following:

Sweet! FREE Subway To Celebrate Osamas Death - 56 Left HURRY!

2 Southwest Plane Tickets for Free - 56 Left Hurry

More here.


Like this article? Please share on Facebook and give The Tech Herald a Like too!