Gromozon hijacks Italian MSN searches

Link bombing pushes blended spyware attack to top of popular search results.

The gang behind the sophisticated Gromozon blended threat, also known as LinkOptimizer, is thought to have successfully subverted the Windows Live Search system to place links to their malware in prominent positions in result listings for several popular Italian-language search terms.


A series of carefully designed websites were apparently set up to create a 'link bomb' (also known as a 'Google bomb', after the popularity of the tactic for boosting a site's visibility in Google searches, generally for satirical or political purposes). By targeting commonly searched-for words, and building a network of sites densely cross-linked and stuffed with those keywords, the technique exploits the link-based ranking methodology of search engines to improve placement in the results returned for those searches.

The sites promoted in this way are arranged in a complex spider-web structure similar to that used by the highly evolved Gromozon attack. Gromozon is a blend of exploits, obfuscated code, rootkit stealth and other techniques designed to implant malware silently onto systems that browse to infected sites, and to make detection and removal of the installed threats as difficult as possible, including by blocking detection and removal tools and related web resources. Infected victims are then served adware, generating revenue for those behind the attack.

The threat was first reported in Italy and appears to have originated there, and many of the new sites are adorned with the Italian flag. A similar technique, targeting Google searches, was used at the time to spread the infection. While many of the sites linked to from the bombed searches appear to be clean at present, it seems likely that they will be put to some malicious use. The effect has also been reported in search engines outside Italy and from other providers, but Microsoft's Windows Live system seems the most affected. Earlier this year Google introduced changes to combat such attacks on its search system.

'Since the first detailed analysis of this threat last year, it has evolved considerably, with new attack vectors and self-protective measures added on a regular basis,' said John Hawes, Technical Consultant at Virus Bulletin. 'This search-manipulation technique seems to be part of an attempt to spread the latest variants of this nasty piece of malware to a wider audience of potential victims. Web users should be on their guard against suspicious-looking sites, and should ensure they always run fully patched, firewalled and protected systems.'

The link bombing was first reported by a blogger at Sunbelt Software, here, and more detailed analysis of the technique and its effects can be found at Symantec, here.

08 March 2007
