A couple of weeks ago, Sarah Silverman was on Bill Maher’s Friday night show on HBO, where she showed her latest video. The next morning, I hopped on to Google to find it and forward it to some friends who had probably missed the show. The first 10 links on Google were sites that informed me my computer was infected by a virus, then downloaded a setup.exe file to the system to “clean” the viral infection.
Running a Linux system, I wasn’t afraid to download the files. I then submitted several to VirusTotal, a site that runs them through multiple anti-virus scanners. Only of of the samples was tagged as being “potentially” bad that Saturday morning.
Symantec has released a white paper about sites that install rogue security software, the characteristics of such software, and the methods of description. The report is well worth reading. It’s not the software I find interesting but what must be the highly automated systems that were able to mutate a trojan-dropper program to make it undetectable, determine hot search terms, and get pages up across the internet in a way that they turned up at the very top of the Google search results. Anyone with a web site struggles with Search Engine Optimization (SEO), the art and science of getting your web site noticed by search engines and returned near the top of any search that is relevant to your content. The evil doers who distribute the malware have this absolutely nailed.
The first step, I suppose, is to monitor topics of increasing interest using sites like Google Trends, , and . As topics rise in trends, the next step is to enlist a web of web sites (see the Symantec white paper for more about these) and publish pages with matching terms on the page and in the keyword META construct, and then use the search engine submission APIs to push these pages into the search engines. I suspect that the sites involved appear to be blogs, because those are more frequently spidered and pushed into the result stream than sites with static content. In parallel with this, there needs to be an engine that’s mutating the malware payload of the sites to evade detection by the anti-virus systems. This requires its own ecology of mutators, base programs, and testing machines that use the anti-virus engines themselves to kill off the mutants that won’t survive in the wild. The final step is a system that tears all of this down after a day or so, as the search engines determine the sites to be malware hosts, the anti-virus systems develop antibodies for the malware, and legitimate sites begin to move up in the search engine results.
Symantec and other security providers have a number of ways for individuals, search engine providers, and system administrators to reduce the threat from such sites. Ultimately, it comes down to the message from X Files, “Trust No One”. Undermining trust and a feeling of safety is what terrorism is all about.
Why can’t the minds behind this use their powers for good instead of evil?