Web Security: Be Careful Clicking on the Google Doodle

Posted by: Barracuda Labs

It’s been widely reported that Google sponsored links are being used for malicious purposes. Once again, Google is an easy target and consumers are vulnerable. Rogue AV continues to be big business, and criminals are concentrating on the most popular (and most heavily trafficked) areas of the web to spread their wares.

Today, December 15, 2009, is the 150th birthday of LL Zamenhof, the inventor of Esperanto (an international auxiliary language).

Google celebrated by decorating its logo with the flag of Esperanto, turning it into what is called a Google Doodle (Google often uses its logo to commemorate historical events and anniversaries; see http://www.google.com/logos/).

Clicking on the Google Doodle performs a search for the term “LL Zamenhof”, which keeps that term steadily in the top 5-10 most popular searches of the day. Malware distributors have recognized this as a significant opportunity and concentrate their poisoning efforts on exactly such popular search terms. This is just one more case of criminals using Google’s popular search terms, and SEO poisoning, as the vehicle for their malicious intent.

On page one of the search results, one of the poisoned entries falls under the domain rubbermouse.com. The poisoned results point to legitimate domains that have been compromised. This leverages the site’s existing good Google reputation, so the results do not appear with a Google SafeSearch alert. This is becoming increasingly common for almost any popular search term.

Once the user clicks on the link, he or she is redirected to a Rogue AV site (hxxp://antyspywaretoday.net….). On this page the user is warned that the computer might be infected, a fake scan ensues, and then the user is prompted to purchase the AV software, regardless of whether “OK” is clicked or not.

How prevalent is this? Of the first 100 results, 31 point to poisoned sites. Worse still, of the first 50 results, 27 are poisoned. These criminals understand search engine optimization, and they are good at it!

The sites are hard to identify, and hard to take down, because they are designed to redirect to multiple destinations (some with malicious intent such as selling Rogue AV, and some offering nothing more than a waste of time via a fake search site). Regardless, these rogue orphan pages exist and are under the control of people who can, at the push of a button, swap in dangerous exploits to attack users, steal information, and damage corporate networks.

What’s most concerning about this: Google posts its Doodle, inviting users to click (out of curiosity, they will), and then serves up more than half of the first 50 results as malicious. What does that say about the current state of search and SEO?

Below are several screenshots taken from this experiment.

GoogleDoodle1 – Google Doodle from today 12/15/09.

GoogleDoodle2 – First results: at first glance these look good. On closer review, the entry with the link sio.ucsd.edu/cop15/newsroom/?byza=6 is gibberish. The site is most likely compromised, but it is down as of this writing.

GoogleDoodle3 – Most of the results in this image are poisoned and clicking on the rubbermouse.com link provides GoogleDoodle4 (see below).

GoogleDoodle4 – After clicking the rubbermouse.com link, the user is redirected to the fake antivirus site regardless of which button is pressed.

GoogleDoodle5 – This additional prompt attempts to reassure the user about downloading the payload. Until the payload is downloaded, the user is not really infected.

GoogleDoodle6 – This Web page is carefully crafted to mimic the Windows look and feel, but it’s still a Web page. A JavaScript animation makes it look like the user’s computer is being scanned and threats are being found. Nothing of the sort is taking place.

GoogleDoodle7 – Once it’s done “scanning”, the user is served this page, which at this point offers no mouse option to decline.

GoogleDoodle8 – This is the attempted delivery of the payload. Until the user clicks “Run” on one of these dialogs, he or she is not infected. If the user does click, the program installs (in this case, Internet Antivirus Pro) but does nothing real other than nag the user for money so that it can be ‘activated’. These fake antivirus programs (Rogue AV) purport to find many threats, but in fact neither find nor fix anything at all.

GoogleDoodle9 – This image shows the Internet traffic generated by the click. From the compromised site rubbermouse.com, the browser is sent to a free web host in Poland, which redirects it to an intermediary, godotscan.com. That site then redirects the browser to the final malicious site, docipge.cn. This landing site will most likely be active for only a few days before it is replaced by a new one.
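The hop-by-hop chain in GoogleDoodle9 (compromised site, free host, intermediary, landing page) is exactly what you want to replay when triaging a poisoned result, because each hop can be a different redirect mechanism. The script below is an added example and not Barracuda Labs’ tooling: it walks a chain, recognising HTTP 3xx Location headers, meta refresh tags and simple JavaScript location assignments, and stops on a loop or after a hop cap. The fetch function is injected so the chain can be replayed offline; the responses, URL paths and the host freehost.example (standing in for the unnamed Polish free host) are constructed for this example.

```python
"""Replay a redirect chain hop by hop (added example, not the original post's code)."""
import re
from html import unescape
from urllib.parse import urljoin

MAX_HOPS = 10

# Client-side redirects seen on poisoned pages: meta refresh and plain JS location
# assignments. These are heuristics, not a JavaScript interpreter.
META_REFRESH = re.compile(
    r"""<meta\s[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["']?\s*\d+\s*;\s*url\s*=\s*([^"'>\s]+)""",
    re.IGNORECASE,
)
JS_LOCATION = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""",
    re.IGNORECASE,
)


def next_hop(url, status, headers, body):
    """Return (target_url, kind) for the redirect this response performs, or None."""
    headers = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and headers.get("location"):
        return urljoin(url, headers["location"]), "http"
    m = META_REFRESH.search(body)
    if m:
        return urljoin(url, unescape(m.group(1))), "meta"
    m = JS_LOCATION.search(body)
    if m:
        return urljoin(url, m.group(1)), "js"
    return None


def follow_chain(start_url, fetch, max_hops=MAX_HOPS):
    """Walk the chain from start_url. fetch(url) must return (status, headers, body).

    Returns a list of (url, status, reason) with reason one of
    'http', 'meta', 'js', 'landing', 'loop' or 'max-hops'.
    """
    hops, seen, url = [], set(), start_url
    while True:
        if url in seen:                       # redirect loop: stop before refetching
            hops.append((url, None, "loop"))
            return hops
        if len(hops) >= max_hops:             # cap so a never-ending chain cannot spin
            hops.append((url, None, "max-hops"))
            return hops
        seen.add(url)
        status, headers, body = fetch(url)
        nxt = next_hop(url, status, headers, body)
        if nxt is None:
            hops.append((url, status, "landing"))
            return hops
        target, kind = nxt
        hops.append((url, status, kind))
        url = target


# Constructed responses mirroring the chain in the post; freehost.example is a
# placeholder for the unnamed free web host in Poland.
SAMPLE_RESPONSES = {
    "http://rubbermouse.com/?byza=6": (302, {"Location": "http://freehost.example/r.php"}, ""),
    "http://freehost.example/r.php": (200, {"Content-Type": "text/html"},
        '<html><head><meta http-equiv="refresh" content="0;url=http://godotscan.com/go.php?id=1">'
        '</head></html>'),
    "http://godotscan.com/go.php?id=1": (200, {"Content-Type": "text/html"},
        '<html><body><script>window.location = "http://docipge.cn/scan/";</script></body></html>'),
    "http://docipge.cn/scan/": (200, {"Content-Type": "text/html"},
        '<html><body><h1>Warning! Your computer may be infected</h1>'
        '<script>animateScan();</script></body></html>'),
}


def sample_fetch(url):
    """Offline stand-in for an HTTP client: replays the constructed responses above."""
    return SAMPLE_RESPONSES.get(url, (404, {}, ""))


if __name__ == "__main__":
    for hop_url, hop_status, reason in follow_chain("http://rubbermouse.com/?byza=6", sample_fetch):
        print(f"{reason:9} {hop_status!s:4} {hop_url}")
```

For a live trace, replace `sample_fetch` with a real client run from an isolated VM, and expect to fall back to a headless browser when the JavaScript hop is obfuscated, since the regex only catches literal location assignments.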


One Response to “Web Security: Be Careful Clicking on the Google Doodle”

  1. LED TV says:

    Great content and very helpful, thanks, and keep up the good work.
