    Archive for January, 2010




    Trend Micro threat analysts from EMEA have found a blackhat search engine optimization (SEO) attack that uses strings with the phrase “free printable” to hijack search traffic by directing it to a rogue search engine.

    Our researchers found that search engine queries using the string “free printable” yield results that include compromised websites (see Figure 1). The compromised sites are rigged with malicious JavaScript detected as JS_REDIRECT.SMF and JS_REDIRCT.MAC, which trigger a chain of redirections whenever users visit them. The redirections ultimately lead to a rogue search engine, which by default puts the original search string into its own search text box.

    For now, the cybercriminals’ goal appears to be hijacking search traffic from legitimate search engines and redirecting it to their own in order to earn money. Whether it will stay that way is not yet known, but users need to be wary, since it would be very easy for the cybercriminals to change the final landing site of the redirections to a malware-hosting site.

    A diagram illustrating how hijacking searches work is shown below.


    It is very possible that this blackhat SEO attack takes advantage of the fact that the interest in free printable items is relatively high, especially in South Africa and in the United States.

    We are strongly advising users not to use search strings that include the words “free printable,” as the results may lead to malicious websites.

    We are currently monitoring this attack and will update this entry for developments.

    Update  as of January 27, 2010, 5:30 p.m. (GMT +8:00):

    Below are screenshots of a page (and its source code) found inside a hijacked website that comes up when using the search string “free printable (some item).”


    The compromised sites were made to host these keyword-riddled pages in an attempt to lead users to eventually execute the malicious JavaScript.





    The recent attacks on Google and other large organizations (currently referred to by others as “Aurora,” “Google attacks,” or “HYDRAQ”) are a set of carefully orchestrated, sophisticated, and highly complex attacks. They combined malicious threats across all three communication vectors—email, Web, and files—plus, most notably, a zero-day vulnerability in Internet Explorer (IE). In order to stay protected, businesses and end users need to deploy proactive vulnerability protection plus cloud-based threat mitigation solutions to stay one step ahead of the threat.

    We want to let our readers know that Trend Micro can help users proactively block this malicious attack and others like it—with or without the out-of-band patch released by Microsoft yesterday. In addition to business solutions like Intrusion Defense Firewall (IDF)—an OfficeScan™ plug-in—and Trend Micro Deep Security, we also offer a free tool—Trend Micro Browser Guard—that proactively protects home users by preventing exploits. Trend Micro Browser Guard protects by detecting buffer overflow and heap spray attempts as well as shellcode, thereby protecting users ahead of the threat.

    To download Trend Micro Browser Guard, please click here.

    In addition to these proactive solutions, Trend Micro also recommends that companies and home users ensure that their security software is up-to-date—preferably that users utilize Web reputation capabilities to block access to sites that host malicious code like those used in the Google attack.

    In the recent attacks, targeted spammed messages loaded with malware were also sent to users. Users with vulnerable IE browsers may unwittingly access malicious sites containing hidden JavaScript that takes advantage of the zero-day vulnerability. Microsoft initially advised users to enable Data Execution Prevention (DEP), but cybercriminals countered this by introducing new exploit code that bypasses it. Microsoft was thus forced to release a patch outside of its regular Patch Tuesday cycle.

    While the initial attacks targeted specific companies, the threat has since evolved and is now fully in the wild, leaving all Internet users potentially at risk.




    After the earthquake that hit Haiti last January 12, the Internet was flooded with requests for financial donations from all sorts of companies and organizations. It should be noted that not all of these were true to their stated intentions.

    Martin Roesler, Trend Micro Director of Threat Research, warns Internet users to be very careful when clicking links regarding the latest earthquakes in Haiti. “We have already seen fake donation sites, spam, and FAKEAV-related search engine optimization (SEO) poisoning attacks using this event as a social engineering tactic and their number is still increasing. Users who really want to make a donation should ensure that they do so only on trusted sites, that all the security features of their Web browsers are enabled, and that they manually double-check the URLs they are connecting to. Do not trust email messages offering ‘one-click-donation’ or similar services.”


    The spammed message above poses as a call for relief goods and donations supposedly from the UNICEF International Response Fund. It even describes the supposed efforts the agency is currently engaged in to assist victims of the recent Haiti earthquake. Unfortunately, the link to the supposed donation site was found to lead to a phishing page instead.

    Users searching for information about the event are also at risk of landing on malicious sites due to SEO poisoning. Clicking poisoned links leads to the installation of TROJ_FAKEAV.ZXS, a FAKEAV variant.


    Using tragedies as a social engineering tactic is nothing new for cybercriminals. Natural calamities, celebrity deaths, viral videos, and other controversial stories—just about anything that can create a huge ruckus on the Web—are just some of their staple scam triggers. As such, both the Federal Bureau of Investigation (FBI) and CNET have released articles to make would-be donors aware of these scams so they can protect themselves.

    Trend Micro™ Smart Protection Network™ protects users from threats like these in real time by preventing spammed messages from reaching their inboxes, blocking access to identified malicious sites and domains, and detecting and preventing the download of malicious files.




    Trend Micro has identified new malware samples that exploit the still-unpatched Internet Explorer (IE) vulnerability. These samples have been detected as JS_ELECOM.C and HTML_COMLE.CXC. After exploiting the said bug, they attempt to connect to a certain URL to download a file.


    Further analysis by TrendLabs threat experts found that the new scripts are versions of JS_DLOADER.FIS (the only difference being the encryption techniques used), which was widely used in the recent attacks targeting major organizations like Google and Adobe. However, instead of merely targeting such organizations, they are now fully in the wild and hitting ordinary users.

    In line with this, Microsoft announced that it will release an out-of-band security update to fix the issue. It is highly advised that users immediately download the security patch once released.

    Trend Micro™ Smart Protection Network™ protects users from this type of attack by preventing the download of all the detected malicious files and by blocking user access to malicious sites.

    Trend Micro OfficeScan™ users with Intrusion Defense Firewall (IDF) plug-in are also protected from this attack if their systems are updated with IDF1003879 and IDF1003909 filters.

    Update as of January 21, 2010, 11:00 a.m. (GMT +8:00):

    The official Microsoft security bulletin and patch have been released. Users are strongly advised to apply this patch—either manually or automatically—to protect themselves against this threat.

    Update as of January 21, 2010, 9:58 p.m. (GMT +8:00):

    HTML_COMLE.CXC and another new exploit script, which downloads other component files before downloading HYDRAQ variants, are now detected as JS_ELECOM.SMA. JS_ELECOM.SMA calls its component file, JS_ELECOM.SMB, which contains the obfuscated data variables necessary for JS_ELECOM.SMA’s proper execution.




    The number of systems infected by various SASFIS Trojan variants has been increasing since the end of 2009, affecting networks across the globe. SASFIS variants have recently been spotted in relation to spoofed messages supposedly from Facebook.

    SASFIS infections usually result in many other malware infections, as this particular family makes systems susceptible to botnet attacks, particularly from Zeus and BREDOLAB, and is affiliated with various FAKEAV variants, usually those associated with pornographic sites.


    In the course of conducting research on SASFIS-related activities in the past few months, I have come across the following infection numbers:

    Month/Year          Infected Systems
    September 2009      49
    October 2009        191
    November 2009       185
    December 2009       105
    January 20, 2010    99

    SASFIS variants are usually downloaded, as a file named load.exe, when users visit sites that have been compromised using the Eleonore Exploits Pack. Upon execution, they create temporary files and modify registry entries. They then attempt to send a GET request to a remote site to download another file, usually named max.exe, which in turn downloads another file named max_b.exe, a FAKEAV variant.

    SASFIS may be a simple Trojan downloader that fetches one or more files from a single domain via a GET request, but as with other malware, the download of several other binaries onto a system is no longer a simple matter.
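    As an added illustration (not Trend Micro’s code), the following Python scans web-proxy log lines for the load.exe, then max.exe, then max_b.exe download sequence described above and flags the clients that complete it in order within a short time window. The log format, hostnames and client IPs are constructed for the example.

```python
# Added example, not Trend Micro's code: flag clients whose proxy log shows the
# SASFIS download chain described above (load.exe, then max.exe, then max_b.exe).
# The log format, hostnames and client IPs below are constructed for illustration.
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines: "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2010-01-20T09:15:02 10.0.0.7 GET http://compromised.example/index.php 200
2010-01-20T09:15:04 10.0.0.7 GET http://compromised.example/load.exe 200
2010-01-20T09:15:09 10.0.0.7 GET http://dl.example/max.exe 200
2010-01-20T09:15:15 10.0.0.7 GET http://dl.example/max_b.exe 200
2010-01-20T09:20:00 10.0.0.9 GET http://intranet.example/max.exe 200
2010-01-20T10:40:00 10.0.0.12 GET http://mirror.example/load.exe 200
2010-01-20T12:41:00 10.0.0.12 GET http://mirror.example/max.exe 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
CHAIN = ("load.exe", "max.exe", "max_b.exe")  # stages in the order the post describes

def parse_log(text):
    """Yield (timestamp, client_ip, requested filename) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        filename = m.group(4).rsplit("/", 1)[-1].lower()
        yield ts, m.group(2), filename

def detect_sasfis_chain(text, window_minutes=30, min_stages=2):
    """Return {client_ip: [stages seen]} for clients that fetch at least
    min_stages chain files in order, each within window_minutes of the last.
    Lines are assumed to be in chronological order."""
    progress = defaultdict(lambda: [None, []])  # client -> [last stage time, stages]
    hits = {}
    for ts, client, filename in parse_log(text):
        state = progress[client]
        last_ts, stages = state
        # A long gap since the previous stage is not the automated chain; restart.
        if last_ts is not None and (ts - last_ts).total_seconds() > window_minutes * 60:
            stages.clear()
        expected = CHAIN[len(stages)] if len(stages) < len(CHAIN) else None
        if filename != expected:
            continue  # either an unrelated request or a stage out of order
        stages.append(filename)
        state[0] = ts
        if len(stages) >= min_stages:
            hits[client] = list(stages)
    return hits
```

    Only the client that fetched the three files in order within the window is reported; a lone max.exe or a load.exe followed hours later by max.exe is not.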

    SASFIS uses two primary business models. The first is the pay-per-install (PPI) business model, which has been discussed in more detail in “SDBOT IRC Botnet Continues to Make Waves.” In this model, the cybercriminals behind other malware families (e.g., ZBOT, KOOBFACE, etc.) pay those behind SASFIS a fee to install their own creations onto SASFIS-affected systems.

    The cybercriminals behind SASFIS also use the pay-per-access (PPA) business model, wherein they hardcode a list of adult websites in some of the components their malware downloads in order to redirect users to those sites, though their reason for doing so remains vague. They probably do this either to annoy users or to distract them and conceal the infection.

    Though SASFIS has not been as notorious as other malware families, it still remains a threat. Users are advised to be wary of the sites they visit to avoid infection.

    Trend Micro™ Smart Protection Network™ protects users from all kinds of SASFIS-related threats.
