"If he has a conscience he will suffer for his mistake. That will be his punishment--as well as the prison"
Fiódor Mijáilovich Dostoyevski (1821-1881), Russian writer

Search engines and malware

Cyber-crooks have fixed their sights on web pages. There is a steady increase in the use of custom-built websites designed to drop malicious code on computers, and even in the manipulation of legitimate pages in order to infect users with malware.

The real advantage that these methods have for criminals is that they are practically silent. When malicious code is sent as an attachment to an email, or when a link pointing to a malware download is included in a message, the user at least has to take some action (clicking a link, downloading and running a file, etc.). And don't forget, this is unsolicited mail. However, if a user decides to visit a web page which is apparently legitimate, why should she suspect that it is infected?

"Nevertheless, this system has a problem: criminals still have to get users to visit these web pages in order to infect them", says Luis Corrons, technical director of PandaLabs.

One traditional method is to use spam with enticing messages (movie trailer downloads, erotic photos, interesting news stories) to encourage users to follow a link pointing to the malicious web page. "This, however, implies an intermediary step: the sending of junk email. This increases the cost of infecting users, and could also arouse suspicion among potential victims", explains Corrons.

This is why cyber-crooks have begun to opt for a new technique: manipulating search engine results, or placing their websites among the top results returned by these engines. In this way they attract a user interested in the subject matter of an apparently legitimate website (for example, cheap flights) and infect the victim's computer. So how do they do this? There are several techniques.

One way is to manipulate existing, legitimate websites that are already highly ranked in search engines. Attackers can exploit a vulnerability on the server hosting the web page to insert an iFrame. This iFrame triggers the download of malicious code onto the visitor's computer by exploiting existing vulnerabilities there.

A second method is to create a web page from scratch and insert several iFrames that lead to the downloading of malware. The web page appears to be legitimate. In the example mentioned earlier, the web page would appear to be a typical page offering cheap flights. The problem, however, is once again how to get users to visit the page. One option is to pay for sponsored results in search engines (this was the case with the adware LinkOptimizer).

"Cyber-crooks are also taking advantage of botnets (either their own or hired) to increase the ranking of their web pages in search engines. This involves commanding millions of remotely controlled computers to visit the malicious web page, so that search engines register the page as one of the most frequently visited", explains Corrons.

When a user runs a search for, say, cheap flights, the malicious web page will appear as one of the most popular sites. Users who visit this page will become infected, yet will have no reason to suspect that they have done anything likely to cause infection.

© Panda 2008