An indexing robot is a program which tracks websites, storing their content in databases and following the links which point to other websites.
Rogue antimalware creators don’t usually add tags to the code of their websites or they add them so that the websites are indexed by the robots of the searchers. This way, they are more accessible and malware can be widely spread.
Lately we have found several cases that prove quite the opposite: tags are added to go unnoticed.
Let’s take the following URL as an example:
When clicking the video to view it, we are redirected to the following URL http://<blocked>pomp.com/index.php?q=Adrienne-Bailon-Naked-Pics, which in turn redirect us to http://crack-<blocked>.com (*) and finally to http://fast<blocked>.com/xplays.php?id=40004 from which we will download the file viewtubesoftware.40004.exe, detected as Adware/MSAntiSpyware2009
(*) This URL redirects us to different malware hosting websites randomly, depending on the time.
If we look at the source code of the URL http://fast<blocked>.com/xplays.php?id=40004, we can find the following tag: <META content=noindex,nofollow,noarchive name=robots>
1. The noindex tag doesn’t allow the search engines to index a website.
2. The nofollow tag doesn’t allow the search engines to scan the links of the document.
3. The noarchive tag prevents the website from being cached.
It seems that these techniques are aimed at making malware analysts’ and antivirus companies’ job more difficult. They are also used to prevent the proactivity, in the sense of preventing the infection with techniques such as URL blocking, which consists in making queries of specific parameters in the search engines.