Malicious Ads on Bing Lead to ZeroAccess Trojan

Search-engine poisoning has been the bane of many Internet users’ existence for a long time, and it’s one of many security problems that doesn’t seem to be getting any better. In some ways, it may actually be getting worse. One of the main problems these days is the use of legitimate-looking ads that direct users to malicious sites rather than to the genuine download sites for applications such as Flash or Firefox.


Researchers have been tracking various SEO-poisoning campaigns for some time now, and the attackers often will pin their campaigns to recent news events and popular search terms. In other cases, they simply go after popular downloads, and that’s what’s happening in a recent case that researchers at GFI Software discovered this week. In this case, a search on Bing for Adobe Flash turned up an ad pointing users to a site where they can supposedly download Flash 10.

Of course, what those users get isn’t Flash, but a kick in the digital teeth in the form of the ZeroAccess Trojan. This piece of malware, also known as Max++ and Sirefef, is a particularly ugly pest and includes some rootkit functionality that gives it the ability to stay resident on an infected machine even after cleanup attempts and reboots. ZeroAccess also is being used in an ongoing attack discovered last week by researchers at Dell SecureWorks in which users are redirected from compromised sites to an attack site that installs the Trojan.

The malicious ads discovered by GFI are sending users to a compromised site that displays a fairly legitimate-looking page that offers them a Flash download. That’s where ZeroAccess comes in.

“Note that the page isn’t actually “GetAdobeFlash.com”. Instead, it redirects to a directory on a compromised trucking site (arulbrothers.com), downloading a file from torreandaluz (dot) com/flash/Flash Player 10 Setup.exe. So let’s download that Flash Player and run it through VirusTotal, and no surprise: It’s Sirefef,” GFI’s Alex Eckelberry wrote in a blog post.

The lesson from all of these kinds of campaigns and malicious ads is that if you’re looking for a specific application to download, go directly to that vendor’s site and find it there. If you’re looking for ZeroAccess, well, that’s even easier to find.
