Miscreants have set out to poison search results with links to malware infested sites via a new campaign.

Users searching Google or other prominent search engines for sites referring to innocuous terms ranging from "alternative router firmware" to "cotton gin and slavery" are often confronted with a list of results where at least some point to malware.

Comment spam attacks, which involve posting links to dodgy sites on blogs, have been taking place for at least three years. Search engines such as Google give priority to sites linked to from popular web destinations. Spammers and their hacking accomplices try to take advantage of this behaviour in order to illicitly gain higher places in search page rankings.

Crackers are now getting into the act in order to punt malware. The malign sites often appear in the top ten lists for a particular search term though rarely (if ever) as a top entry. Miscreants are essentially gaming search engines' ranking systems by automatically posting links to malign sites in blog and forum posts.

It's another example of bots being used to further an attempt to create further opportunities to ensnare the unwary, thereby creating a bigger network of compromised machines.

Anti-spyware firm Sunbelt Software said hackers have also created "tens of thousands of individual pages" that have been meticulously established with the goal of obtaining a high search engine ranking. "Just about any search term you can think of can be found in these pages," reports Sunbelt researcher Adam Thomas.

Sunbelt has unearthed evidence of a network of bots whose sole purpose is to post spam links and relevant keywords into online forms. This network, combined with thousands of pages, have given the attackers very good (if not top) search engine positions for various search terms, the security firm reports (http://sunbeltblog.blogspot.com/2007/11/malware-redirects-aftermath_27.html).

Surfers who stray onto the malicious sites with vulnerable systems are infected with a strain of malware called Scam-Iwin, using the infamous iFrame IE exploit. The exploit was patched by Microsoft months ago, but many vulnerable systems remain.

Computers infected with Scam-Iwin transmit false clicks to the hacker's URLs without the user's knowledge. These bogus hits generate income for hackers through a pay-per-click affiliate program. Scam-Iwin also attempts to download other items of malware (including Trojans and keystroke loggers) onto compromised PCs, Sunbelt reports.

Sunbelt has posted screenshots of several Google search results featuring links to malware-infecting sites, along with an additional explanation of the attack, here (http://sunbeltblog.blogspot.com/2007/11/breaking-massive-amounts-of-malware.html). ®

Related stories

Database Trojan infests pro-Tibet websites (14 April 2008)
http://www.theregister.co.uk/2008/04/14/database_trojan/
Trend Micro gets slashed in attack of the killer iframes (13 March 2008)
http://www.theregister.co.uk/2008/03/13/trend_micro_website_infected/
Hackers find clever new way to hose Google users (6 March 2008)
http://www.theregister.co.uk/2008/03/06/googe_iframe_piggybacking/
Web browsers on the front line of exploitation (15 February 2008)
http://www.theregister.co.uk/2008/02/15/browser_exploitation/
Dodgy affiliates use malware to flog Symantec and Check Point (12 February 2008)
http://www.theregister.co.uk/2008/02/12/malware_punts_symantec_check_point/
Spotted in the wild: Home router attack serves up counterfeit pages (23 January 2008)
http://www.theregister.co.uk/2008/01/23/pharming_attack_in_the_wild/
Most home routers 'vulnerable to remote take-over' (15 January 2008)
http://www.channelregister.co.uk/2008/01/15/home_router_insecurity/
California gov site invaded by smut and malware again (1 December 2007)
http://www.theregister.co.uk/2007/12/01/government_sites_serve_malware/
Hackers re-poison Google search results (30 November 2007)
http://www.theregister.co.uk/2007/11/30/google_poisoning_update/
Celebrity spam gang whips up a storm (28 November 2007)
http://www.theregister.co.uk/2007/11/28/celebrity_spam_botnet/
Al Gore climate change site hacked (27 November 2007)
http://www.theregister.co.uk/2007/11/27/climate_change_hack/
Daft users and insecure web apps dominate threat index (27 November 2007)
http://www.theregister.co.uk/2007/11/27/sans_top_20_security_risks/
Fake smut codec ruse used to punt Google Pack (12 November 2007)
http://www.theregister.co.uk/2007/11/12/google_pack_fake_codec_ruse/
Government websites invaded by smut and spyware (8 October 2007)
http://www.theregister.co.uk/2007/10/08/ca_smut_spyware/
Storm Worm descends on Blogger.com (29 August 2007)
http://www.theregister.co.uk/2007/08/29/storm_hits_blogger/
VXers publish blog poisoning tool (30 July 2007)
http://www.theregister.co.uk/2007/07/30/blog_poisoning_tool/
Blogger.com 'riddled' with malware (15 March 2007)
http://www.theregister.co.uk/2007/03/15/blogger_malware/