
IISerpent Trojan Manipulates Search Engine Optimization


Security researchers recently had to cope with a huge number of malware attacks targeting the Internet Information Services (IIS) component. The IISerpent Trojan is the most recent malware family to be added to the list. 

The malware is installed as a Microsoft IIS add-on (a native module), from where it intercepts HTTP requests and responses, but with a twist. Unlike other IIS malware that uses this position to steal credentials and private data, such as the IISpy backdoor, IISerpent ignores ordinary HTTP traffic and only goes to work when it recognizes requests coming from specific search engines. Search engines run crawlers that regularly scour the Web for pages to index or re-index, and pages can link to one another, including pages on the same domain. Crawlers feed these links into ranking algorithms to determine where a page appears in search results.

Buying adverts or applying search engine optimization (SEO) techniques are two legitimate ways to improve a page's position in search engine result pages, but not all digital marketers follow the rules. Practices that boost ranking while contravening webmaster guidelines, such as stuffing pages with unrelated keywords or buying backlinks to inflate a website's reputation, are referred to as unethical SEO (historically known as black hat SEO).

IISerpent is a native IIS module, implemented as a C++ DLL and registered in the %windir%\system32\inetsrv\config\ApplicationHost.config file. Because every registered IIS module is loaded by the IIS worker processes (w3wp.exe) to handle inbound HTTP requests, being a module gives IISerpent both persistence and execution for free.

Like all native IIS modules, IISerpent exports a function called RegisterModule, which performs module initialization. The harmful functionality is hidden in its event handlers, the methods of the module class (inherited from CHttpModule) that the server calls on particular request-processing events. IISerpent's module class overrides the OnBeginRequest and OnSendResponse handlers, so the malware's code runs every time the IIS server begins processing a new inbound HTTP request and every time it sends the response buffer.
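Since a native module must be registered in ApplicationHost.config before w3wp.exe will load it, that file is the natural place for a defender to inventory what is running inside IIS. The script below is an added example, not code from the original post or from the researchers who analysed IISerpent. It assumes the standard ApplicationHost.config layout (a `<globalModules>` element with `<add name="..." image="..."/>` children), works on a constructed sample config embedded inline, and the third entry's module name and DLL path are placeholders for illustration, not real IISerpent indicators.

```python
"""Inventory native IIS modules from ApplicationHost.config and flag any whose
DLL is loaded from outside the IIS install directory.

Added example; the sample config below is constructed for illustration and the
"ExampleCacheModule" entry is a placeholder, not a real indicator of compromise.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Directory where the native modules shipped with IIS live.
IIS_NATIVE_DIR = r"%windir%\system32\inetsrv"

# Constructed sample: two stock IIS modules plus one placeholder DLL in an odd location.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="ExampleCacheModule" image="C:\\Windows\\Temp\\examplecache.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def normalize(path: str, windir: str = r"C:\Windows") -> str:
    """Expand %windir% and lower-case the path so comparisons are case-insensitive,
    as they are on NTFS."""
    expanded = path.replace("%windir%", windir).replace("%WINDIR%", windir)
    return expanded.lower()


def list_global_modules(config_xml: str, windir: str = r"C:\Windows") -> List[Dict[str, object]]:
    """Return every <globalModules><add .../> entry with its resolved DLL path and
    whether that DLL sits under the IIS native-module directory."""
    root = ET.fromstring(config_xml)
    iis_dir = normalize(IIS_NATIVE_DIR, windir) + "\\"
    modules: List[Dict[str, object]] = []
    # root.iter() is used rather than an XPath because the "system.webServer"
    # tag name contains a dot, which ElementTree's path syntax would misparse.
    for global_modules in root.iter("globalModules"):
        for add in global_modules.findall("add"):
            image = add.get("image", "")
            resolved = normalize(image, windir)
            modules.append({
                "name": add.get("name", ""),
                "image": image,
                "resolved": resolved,
                "in_iis_dir": resolved.startswith(iis_dir),
            })
    return modules


def suspicious_modules(config_xml: str, windir: str = r"C:\Windows") -> List[str]:
    """Names of registered native modules whose DLL is not under the IIS directory.
    These are the entries worth verifying by hand (publisher signature, file hash,
    change-control record) because a module here runs inside every w3wp.exe."""
    return [str(m["name"]) for m in list_global_modules(config_xml, windir) if not m["in_iis_dir"]]


if __name__ == "__main__":
    for module in list_global_modules(SAMPLE_CONFIG):
        flag = "" if module["in_iis_dir"] else "  <-- outside inetsrv, verify"
        print(f'{module["name"]:<22} {module["image"]}{flag}')
    # To run against a live server, read the real file instead of SAMPLE_CONFIG:
    #   open(r"C:\Windows\System32\inetsrv\config\ApplicationHost.config", encoding="utf-8-sig").read()
```

A DLL path outside inetsrv is not proof of compromise (third-party modules are legitimately installed there too), but it narrows the review to the handful of entries that deserve signature and hash verification, and the list makes a cheap baseline to diff after every deployment.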

Because everything looks normal to the webmaster and to users (all the 'magic' happens in the background), these attacks are very hard to detect. That said, a quick look at a backlink analysis or at network traffic data will suggest that something is amiss.

The worst part of an IISerpent attack is that the compromised websites themselves may lose their good SEO ranking: search engine crawlers quickly notice the link between the original page and the counterfeit website, which usually results in SEO penalties.

Searching for the keyword "Windows Android Drivers" leads to a malware website

Cybercriminals often use SEO poisoning techniques to lure unsuspecting Internet users to their malicious websites. In one recent example, cybercriminals targeted Android users by poisoning Yahoo! search results.

Security researchers at GFI Labs found that searching for "Windows Android Drivers" points to a malicious website [bestdrivers(dash)11(dot)ru].

Visiting the Russian site in question automatically downloads a file named "install.exe", a Trojan.

Once the file is executed, the malware changes the Internet Explorer home page to a malicious domain.

If victims visit the same Russian site from their Android devices, they are redirected to various malicious websites whose domain names contain the keyword "android". These sites send users on to fake Google Play sites.

A few months back, I discovered that Google Image search results were being poisoned and directed me to an infected website.

Now Bing Image search results lead to BHEK v2: Blackhat SEO poisoning

I reported a few days ago that Google Image search results lead to a BlackHole Exploit Kit v2.0 page. Now, Bing Image search results also lead to malicious sites.

A quick image search in Bing for the keyword 'movie outline example' returns rogue images that lead to malicious websites. The attackers use Blackhat SEO to poison the search results.

Blackhat SEO, also known as malicious SEO poisoning, occurs when hackers manipulate search engine results to make their links appear higher than legitimate results. As a user searches for related terms, the infected links appear near the top of the search results, generating a greater number of clicks to malicious websites.

According to a Sophos report, Bing search results are being poisoned more than those of other search engines (65%).

"Digging further into the data, it is also clear that the attackers are getting most success from poisoning image search results," the researcher said.

When I clicked one of the rogue images, I was redirected to a malicious site "zaka.uni.**" that hosts the latest version of the BlackHole Exploit Kit (v2.0).

'zaka', the same keyword, is used in the malicious domain from the Google Image result attack. It seems like the same group is poisoning Bing search results as well.