Google Purges Malware Sites Targeting Searchers

Sunbelt Software said many search results on Google led to malicious Web pages that expose visitors to exploits that can compromise vulnerable systems.
In response to a concerted effort by cybercriminals to infect the computers of Google users with malware and make them unwitting partners in crime, Google apparently has purged tens of thousands of malicious Web pages from its index.

In a blog post on Monday, Alex Eckelberry, CEO of Sunbelt Software, noted that many search results on Google led to malicious Web pages that expose visitors to exploits that can compromise vulnerable systems.

"We're seeing a large amount of seeded search results which lead to malware sites," said Eckelberry. "These are using common, innocent terms -- one researcher landed on a malware site through searching for alternate firmware for a router."

Sunbelt published a list of search terms that returned malicious pages, the result of search engine optimization campaigns by cybercriminals to get their pages prominently ranked in Google -- Sunbelt refers to this as "SEO poisoning." The list includes hundreds of search strings containing the words "Microsoft Excel," along with a number of other popular technology oriented terms, products, and companies.

On Tuesday, the SANS Institute said that the number of vulnerabilities in Microsoft Office had grown by 300% from 2006 to 2007, particularly in Excel.

A Microsoft spokesperson wasn't immediately available.

Sunbelt researcher Adam Thomas in a blog post attributes the thousands of pages to a bot net designed "to post spam links and relevant keywords into online forms (typically comment forms and bulletin board forums)," in order to place prominently in Google searches for those terms.

Those duped into visiting malicious Web pages from Google search results could, if their systems are vulnerable, acquire malware known as Scam.Iwin, which is designed to use the victim's computer to defraud Google and its advertisers. "With Scam.Iwin, the victim's computer is used to generate income for the attacker in a pay-per-click affiliate program by transmitting false clicks to the attacker's URLs without the user's knowledge," explained Thomas in a blog post. "The infected Scam.Iwin files are not ordinarily visible to the user. The files are executed and run silently in the background when the user starts the computer and/or connects to the Internet."

Google didn't respond to a request for comment.

But it appears Google has deleted the malicious pages from its index. "Google took action on these domains and you won't find them anymore in Google," said Eckelberry.

According to Trend Micro, cybercriminals have been planning for the holiday online shopping season for months.

"Since September, cybercriminals have been boosting their search engine rankings using a variety of methods such as 'comment spam' and 'blog spam' in preparation for the Christmas period," said Raimund Genes, CTO of Trend Micro, in an e-mailed statement. "With shoppers visiting these sites likely to purchase goods online after infection, their credit card details become a main target for cybercriminals looking for financial gains this season."

Eckelberry credits the cybercriminals responsible with being particularly crafty because they attempt to conceal their malicious Web pages from certain types of searches favored by malware researchers.