Searching on the Internet is fun. You can find videos of cats making meatloaf, cats playing the hammer dulcimer and cats reading Shakespeare while juggling eggs. Oh, and you can find malware, too. Lots of malware. Researchers at GFI Labs are good at finding that malware, and they’ve come across a number of advertisements in Yahoo and Bing search results that are pointing users who searched for Firefox, Skype or other popular software to malicious sites that instead serve up rootkits and other malware.
The idea of redirecting unsuspecting users to malicious download sites is an old one, but it’s not often as blatant and bold as the most recent examples that GFI discovered. In these cases, simple searches on Bing and Yahoo for terms such as “Firefox download” and “Skype download” returned advertisements at the top of the results page that pointed users to the malware-download sites. These are not the sites you’re looking for.
In one case, the site that purports to be delivering a Firefox download instead installs a rootkit on the victim’s machine and also attempts to perform some click fraud operations in the background in Internet Explorer.
“Clicking the adverts takes end-users to sites such as river-park(dot)net, and they do a pretty good job of convincing visitors that these sites are the real deal (incidentally, you’ll notice that some of the ads display the “real” URL of the program mentioned, but take you to a rogue site such as the “Download uTorrent Free” advert above which actually takes you to aciclistaciempozuelos(dot)es/torrent),” GFI Labs’ Christopher Boyd wrote in a blog post.
Boyd said that the rootkit from the fake Firefox download site also was performing Google redirects, a popular technique in which malware on the victim’s machine silently hijacks clicks on search results and sends the user to a site of the attacker’s choosing, either to deliver further malicious content or to generate click-fraud revenue. Attackers have developed a long list of techniques for abusing search engines, and some of them have become quite effective over the years. SEO poisoning is high up on that list, as is the practice of setting up counterfeit sites that look somewhat like the legitimate download site for applications such as Firefox, Skype or security software and then delivering malware instead.
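The tell in the cases Boyd describes is the gap between the URL an ad displays and the host the click actually lands on. The script below is an added example, not GFI’s code or anything from the original post: it normalizes both URLs to their registrable domain and flags ads where the two disagree, which is the check a user or a search provider’s ad-review team would apply. The rogue hostnames in the sample data are the ones named in the article (written defanged, as Boyd quotes them); the ad titles, display URLs, paths and the tiny multi-label suffix list are constructed assumptions so the example runs offline.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of search-ad entries, modelled on the cases in the article:
# the URL shown in the ad ("display") versus the URL the click resolves to
# ("landing"). Rogue hosts are those the article names; everything else is an
# assumption for illustration.
SAMPLE_ADS = [
    {"title": "Firefox Download", "display": "www.mozilla.org",
     "landing": "http://river-park(dot)net/firefox/"},
    {"title": "Download uTorrent Free", "display": "www.utorrent.com",
     "landing": "http://aciclistaciempozuelos(dot)es/torrent"},
    {"title": "Skype - Official Site", "display": "www.skype.com",
     "landing": "https://www.skype.com/en/download-skype/"},
    {"title": "Firefox", "display": "mozilla.org",
     "landing": "https://download.mozilla.org/?product=firefox"},
]

# Two-label public suffixes treated as a single unit. This is a deliberately tiny
# stand-in for the Public Suffix List (an assumption to keep the example offline).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def refang(url):
    """Turn the '(dot)' notation used when quoting malicious hosts back into dots."""
    return re.sub(r"\s*\((?:dot|\.)\)\s*", ".", url, flags=re.IGNORECASE)


def registrable_domain(url_or_host):
    """Return the lowercase registrable domain (e.g. 'mozilla.org') of a URL or bare host."""
    text = refang(url_or_host.strip())
    if "://" not in text:
        # Display URLs in ads are usually shown without a scheme; add one so urlsplit
        # treats the text as a network location rather than a path.
        text = "http://" + text
    host = (urlsplit(text).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def ad_is_suspicious(ad):
    """True when the domain the ad displays differs from where the click actually lands."""
    return registrable_domain(ad["display"]) != registrable_domain(ad["landing"])


def flag_suspicious_ads(ads):
    """Titles of ads whose displayed domain and landing domain do not match."""
    return [ad["title"] for ad in ads if ad_is_suspicious(ad)]


if __name__ == "__main__":
    for title in flag_suspicious_ads(SAMPLE_ADS):
        print("display/landing mismatch:", title)
```

Comparing registrable domains rather than full hostnames is what keeps a legitimate `download.mozilla.org` landing page from being flagged against a `mozilla.org` display URL, while still catching a landing host on an entirely different domain. In practice the landing URL would be obtained by following the ad’s redirect chain to its final destination before comparing.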
The search providers have taken steps recently to help users avoid these sites, both in the organic results and in the ads that appear above or alongside them, but it can still be difficult in some cases to tell which sites are legitimate and which are littered with malware and drive-by downloads. Boyd said that GFI Labs has informed Yahoo and Microsoft about the malicious ads and that the companies are working to remove them.