"It takes you to one of these cheesy search pages," says Patrick Hinojosa, CTO of Panda Software. "Someone's [trying] to siphon traffic." The motivation, of course, is money.
PremiumSearch installs a malicious BHO (Browser Helper Object) on the victim's computer. It also installs a fake "Google" toolbar and sets the victim's browser home page to the PremiumSearch search engine, regardless of the setting displayed in the browser. Finally, it conducts what amounts to local DNS poisoning—it rewrites the HOSTS file on the victim's computer. This maps domain names that include Google.com, MSN.com, and Yahoo.com to an IP address hosting spoofed versions of those search engines.
The infection originates from visiting a particular Web page after being redirected from other pages that contain pirated software or porn. The page installs the following malware: PremiumSearch, WorldAntiSpy (adware that poses as spyware-detection software and offers to remove found threats for a fee), and Smitfraud (adware that displays popup ads).
Hinojosa says ISPs hosting versions of this Web page have been notified. That won't necessarily result in anything more than the removal of the malicious pages, because they're most likely hosted on a compromised or zombie PC. "It's a zombie, because [the malware distributors] never want it traced back to them," Hinojosa explains.
"These actions are financially motivated and aim to exploit the popularity of these search engines to increase visits to the pages with the altered results," PandaLabs director Luis Corrons says in a statement. "To avoid this kind of attack, it is vital that users have reliable antivirus protection and keep their systems up-to-date, as the vulnerabilities used have often been in existence for some time."