Poisoned search results capitalize on Conficker’s popularity

For weeks, cybercrooks have been leveraging the internet's most popular search terms to boost the results ranking of their bogus anti-virus-hawking websites.

For example, the death of actress Natasha Richardson was one of the latest search terms used to distribute a class of malware known as "scareware." Now, with the notorious Conficker worm set to be called into action next week, the worlds of pop culture and security are colliding.

Sensing that many curious computer users are going to be searching the web for details on the infectious worm, the authors of rogue anti-virus programs -- which, once installed, attempt to scare users into purchasing non-working products out of fear their machines are infected -- are employing search engine optimization tactics to hit as many people as possible. This includes building their malicious sites to include keywords related to Conficker, Symantec Security Response researchers said this week.

"Let's say you are curious about Conficker, or you think your computer might be infected by Conficker," Symantec's John Park wrote Wednesday on a company blog. "By simply searching [Google] for 'Conficker C,' page one of the results includes a link to an infected site being used to spread a fake anti-virus program."

"Even though we do not think the author of this rogue application is related to the author of Conficker, this incident shows us that the authors and affiliates of misleading applications don't want to miss a single opportunity to capitalize on established media attention," Park added.

Mark Harris, global director of SophosLabs, said on Wednesday that these fake anti-virus programs are becoming more rampant, and their creators may be using automated techniques to inject timely search terms into their websites.

A Google spokesman said on Thursday that the internet giant is constantly monitoring the web for poisoned search results.

"We work hard to protect our users from malware," he said. "We've removed many of these types of results from our search index. However, this issue affects more than just Google, as these sites are still part of the general web. In all cases, we actively work to detect and remove sites that serve malware from our index. To do this, we have manual and automated processes in place to enforce our policies."
