
    The Yahoo! open search redirection threat we blogged about just days ago may be from a totally different cybercriminal gang, but this new blackhat SEO poisoning makes clear that online search tools are quickly becoming favorite platforms for online criminals in their operations.

    Search traffic on Google Video was found to be polluted: instead of legitimate videos, researchers found some 400,000 queries returning video results that share a single redirection point, one that eventually leads to malware download and execution.

    Trend Micro detects the malicious executable as WORM_AQPLAY.A. This worm, whose file name FlashPlayer.v3.181.exe alone hints at the social engineering strategy, spreads via removable and network drives when autorun is enabled. It masquerades as an Adobe Flash installer, which users who visit certain spoofed versions of video streaming websites are prompted to download and install.

    What’s more interesting here is how users get to these spoofed websites in the first place. Researchers believe that the gang behind this threat is maintaining a notable number of domains for their malicious operations. These domains have keyword-riddled pages, so they appear at the top of search results when users enter certain related strings.

    A user, thinking that top search results are reliable, is then unknowingly trapped into visiting a malicious website. This is typical of most SEO poisoning attacks, but it does not end there. This new threat also comes with a detection-evasion technique: only users who are redirected from Google Video are prompted to download FlashPlayer.v3.181.exe.
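
As an added illustration (not from the original post or from Trend Micro), the sketch below shows how a defender could spot this pattern in web-proxy logs: several search-referred landing domains funnelling into one redirection point that then serves a Flash-named executable. The log layout, the `.example` hosts, the `video.google.com` referrer hostname and the fan-in threshold are assumptions, and the records are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy-log records: (client, url, referer, status, location)
SAMPLE_LOG = [
    ("10.0.0.5", "http://funny-clips.example/watch?v=1", "http://video.google.com/videosearch?q=funny+clips", 302, "http://hub.example/in.php"),
    ("10.0.0.5", "http://hub.example/in.php", "http://funny-clips.example/watch?v=1", 200, ""),
    ("10.0.0.5", "http://hub.example/dl/FlashPlayer.v3.181.exe", "http://hub.example/in.php", 200, ""),
    ("10.0.0.9", "http://news-video.example/play", "http://video.google.com/videosearch?q=news", 302, "http://hub.example/in.php"),
    ("10.0.0.7", "http://funny-clips.example/watch?v=1", "", 200, ""),  # direct visit: no redirect
    ("10.0.0.8", "http://blog.example/post", "http://video.google.com/videosearch?q=x", 302, "http://cdn.example/a"),
    ("10.0.0.8", "http://get.adobe.com/flashplayer/install_flash_player.exe", "http://blog.example/post", 200, ""),
]

SEARCH_REFERER = "video.google.com"  # assumed hostname for Google Video referrals
FAKE_FLASH = re.compile(r"flash.?player.*\.exe$", re.I)

def host(url):
    return (urlsplit(url).hostname or "").lower()

def redirect_hubs(log, min_fan_in=2):
    """Hosts that several distinct search-referred landing domains redirect to."""
    fan_in = defaultdict(set)
    for _client, url, referer, status, location in log:
        if host(referer) == SEARCH_REFERER and 300 <= status < 400 and location:
            if host(location) != host(url):
                fan_in[host(location)].add(host(url))
    return {h for h, sources in fan_in.items() if len(sources) >= min_fan_in}

def fake_flash_downloads(log, min_fan_in=2):
    """(client, url) pairs for Flash-named .exe files served by a redirect hub."""
    hubs = redirect_hubs(log, min_fan_in)
    hits = []
    for client, url, _referer, status, _location in log:
        h = host(url)
        is_adobe = h == "adobe.com" or h.endswith(".adobe.com")
        if status == 200 and h in hubs and not is_adobe and FAKE_FLASH.search(urlsplit(url).path):
            hits.append((client, url))
    return hits
```

Because the landing pages only redirect visitors arriving from the search source, the fan-in is computed on search-referred requests alone; the direct visit in the sample contributes nothing.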

    Blackhat SEO threats take advantage of the trust users put in online search tools. Through this method, cybercriminals are able to manipulate results such that malicious websites appear first on search lists. Other threats that use this same technique include:

    The Trend Micro Smart Protection Network already prevents WORM_AQPLAY.A from running on systems.











     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice