Search Engine Optimization (SEO) is a term that refers to efforts to increase the rankings of a website so that it appears in the top results when searching for particular key words in a search engine. Black Hat SEO refers to “unscrupulous” SEO techniques often used to promote Rogue/Fake security software and pay-per-click (PPC) advertisement schemes. (See “Poisoned search results” by Sophos for details. See Trend Micro’s posts Making a Million, Part One—Criminal Gangs, the Rogue Traffic Broker, and Stolen Clicks and Making a Million, Part Two—The Scale of the Threat for an understanding of PPI/PPC relationships as well as RogueAV/FAKEAV). Using Black Hat SEO malicious actors are able to have their content displayed in search engines when users search for particular, usually popular, keywords. When users click on these links, they are taken to either PPC websites or RogueAv websites. The malicious actors are paid for this traffic by their PPC and RogueAV affiliates.
Dancho Danchev recently profiled a campaign using compromised .nl and .ch websites to push PPC and RogueAV installations. This post provides some additional details on the campaign.
The actors behind the campaign are using, among other techniques, compromised FTP accounts to upload malicious files to web servers around the world. Compromised FTP credentials are readily available for purchase in the malware ecosystem and are often used to propagate malware. Malicious files are uploaded to compromised websites with snippets of text based on particular search phrases. This files are designed so that when users search for certain key words in search engines, these malicious sites are high ranked in the results. While the search engines see this content, when users click on links they are redirected to the malicious server and on the PPI affiliates or RogueAV landing pages.
The servers used by the malicious actors to receive incomping requests from the compromised web servers are using numerous domain names that resolve to several IP addresses (see malwareurl.com and malwaredomainlist.com). Despite the multiple IP addresses and domain names, they all really point to the same server. Based on “referer” logs generated by the malicious server used in the campaign, I’ve compiled statics on the amount of traffic generated by the campaign to the “/liq/?st=” page between 2010-03-15 and 2010-08-18.
A total of 5,054,990 unique IP addresses generated a total of 9,003,188 page views between 2010-03-15 and 2010-08-18. Most of the traffic (45.99%) originated from the USA. Significant traffic was also generated from the United Kingdom, Canada, Australia and India.
| Country | Pageviews |
| US | 4141181 |
| N/A | 2120320 |
| GB | 584884 |
| CA | 426338 |
| AU | 192713 |
| IN | 145287 |
| NL | 94310 |
| DE | 75934 |
| PH | 72625 |
| FR | 47163 |
The traffic to the malicious server is primarily generated from search engine results. Google.com was the most prominent referrer with 52.18% of all the traffic. While Yahoo! was also a source of a significant amount of referrals, Bing only accounted for 631 referrals.
| Referer | Pageviews |
| www.google.com | 4698249 |
| www.google.co.uk | 610156 |
| search.yahoo.com | 532038 |
| www.google.ca | 479531 |
| www.google.com.au | 241546 |
| www.google.co.in | 174538 |
| www.google.nl | 99944 |
| www.google.com.ph | 92154 |
| search.conduit.com | 87652 |
| N/A | 77259 |
The following table shows the keywords that appeared most frequently in the queries users entered into search engines. The queries ultimate brought the user to the malicious actors’ server and on to their PPC and/or RogueAV affiliates landing pages.
| Keyword | Pageviews |
| free | 621148 |
| printable | 574588 |
| powered | 251541 |
| letter | 193575 |
| phpbb | 171689 |
| template | 168488 |
| kids | 133337 |
| worksheets | 129167 |
| with | 129162 |
| sale | 115484 |
| pictures | 110804 |
| sample | 108331 |
| grade | 105488 |
| coloring | 98791 |
| weather | 85056 |
In total, 81.89% of all the pageviews were from computers running Windows (XP, Vista, 7) with 49.82% from XP systems. Most of these systems were probably redirected to RogueAV landing pages (I have not seen RogueAV targeting any platform other than Windows). Realizing that income can be generated from non-Windows traffic as well, the malicious actors redirected traffic to a PPC affiliate.
| Operating System | Pageviews |
| Windows NT 5.1 | 4485923 |
| Windows NT 6.0 | 1855129 |
| Windows NT 6.1 | 1032128 |
| Linux i686 | 297166 |
| Intel Mac OS X 10_5_8 | 203142 |
| Intel Mac OS X 10.5 | 86777 |
| Intel Mac OS X 10_6_3 | 85120 |
| Intel Mac OS X 10_6_4 | 73613 |
| Intel Mac OS X 10.6 | 68535 |
| CPU iPhone OS 3_1_3 | 50709 |
| Intel Mac OS X 10_4_11 | 50346 |
Microsoft’s Internet Explorer accounted for 58.92% of the total pageviews, followed by Firefox. Mobile phones (iPhone, Blackerry, Android) accounted for 172,674 pageviews.
| Browser | Pageviews |
| IE 8.0 | 2420222 |
| IE 7.0 | 1852866 |
| IE 6.0 | 1026844 |
| Firefox 3.6.3 | 585996 |
| Firefox 3.5.5 | 268225 |
| Chrome 5.0.375 | 222611 |
| Firefox 3.6.8 | 214800 |
| Safari 4.0.5 | 199939 |
| Firefox 3.6.6 | 177534 |
| Chrome 4.1.249 | 169083 |
How does it work?
Malicious files are uploaded to the compromised sites that contain links and text based upon lists of search queries. The snippets of text and links are used to boost the ranking of these sites in search engines. As a result, when users query search engines, the compromised websites appear in the results. When users visit these sites they are redirected to a server under the control of malicious actors.
These pages sometimes redirect users to RogueAV landing pages, and, other times display the content of the SEO pages that are generated to improve the search engine ranking for the malicious actors.
When users click the links in the search results, they are redirected to the malicious actor’s server and on through to wither their PPC affiliate’s or their RogueAV affiliate’s landing pages. In the case of RogueAV, these landing pages display a “scare page” that prompts the user to install the RogueAV software.
http://tasteandflavour.co.uk/081018/?iWeabZ2sRIt redirects to http://ebmipqasrj.ru/liq/?st=tasteandflavour.co.uk which redirects to http://erribhxzerr.co.cc/r/feed.php?k=printable+inurl%3A081018+site%3A.uk which redirects to http://erribhxzerr.co.cc/tube/?k=printable+inurl%3A081018+site%3A.uk which redirects to http://erribhxzerr.co.cc/r/sss.php which then redirects to the RogueAV affiliates http://www4.checkpc98.co.cc/?p=p52dcWpscV%2FRlsijZFahqJ51ll7DZJOejpeblGY%3D which redirects to http://www2.security-soft81.co.cc/?p=[redacted] which redirects to http://www1.cure-my-pc41.co.cc/gmug9_289.php?p=[redacted] to download the executable packupdate9_289.exe.
File name: packupdate9_289.exe
MD5: ec28207e2e63f62e6c6d71cbabeaa151
VT: Result:6/ 40 (15.0%)
The domains of the RogueAV affiliate change frequently. In addition, the RogueAV binaries also change frequently. These changes make it more difficult for security products to protect users. For example, in this case only 6 of 40 AV products on VirusTotal detected the RogueAV binary.
On some occasions, users are redirected to a PPC affiliate. This allows the malicious actors to earn income for the traffic being pushed to the PPC affiliates search engine.
http://jjp.ch/hvuWovM/ redirects to http://ebmipqasrj.ru/liq/?st=jjp.ch
http://ebmipqasrj.ru/liq/?st=jjp.ch redirects to http://errh2hxzerr.co.cc/search/?q=printable+colorful+asl+charts+or+flash+cards&aid=810&said=trend&n=5
http://errh2hxzerr.co.cc/search/?q=printable+colorful+asl+charts+or+flash+cards&aid=810&said=trend&n=5 redirects to http://www.rivasearchpage.com/?q=printable+colorful+asl+charts+or+flash+cards&aid=810&said=trend&n=5
After passing through a variety of redirects through the malicious actor’s server (ebmipqasrj.ru and errh2hxzerr.co.cc) the user ends up at the PPC affiliate page.
Some visitors are directed to download a malware binary posing as Adobe Flash Player.
Adobe__Flash__Player.exe
MD5: 658bb224c030542de22a9997e65f27e5
VT: 14/ 42 (33.3%)
Anubis Report
Traffic from over 5 million IP addresses totaling over 9 million page views in the last five months (2010-03-15 and 2010-08-18) passed through a malicious server and on to either PPC affiliates or RogueAV landing pages. This case is a good example of the profit-driven malware ecosystem. The malicious actors behind the campaign acquired (possibly from a third party) compromised FTP credentials for legitimate websites and used Black Hat SEO techniques to poison search engine results. They then redirected a significant amount of traffic through their own malicious infrastructure through to their PPC and Rogue AV affiliates. The malicious actors behind this campaign did not need a high degree of technical proficiency, the ability to program deceptive viruses and trojans or 0day exploits (or any exploits at all). All they did was leverage resources within the malware ecosystem in order to act as a “traffic broker” and redirect traffic to others within the malware ecosystem in order to generate income.