Security Threat Analysis SEO Poisoning Malware
Updated: October 18, 2010
The Security Threat Analysis SEO Poisoning Malware places a .php file with a five-letter random name, and a set of .html files in a directory called .files, onto a website to be used as part of an SEO poisoning campaign. The .php file, with a popular search term appended as a URL parameter, is linked to from other hacked websites. You can see the currently linked-to pages at http://www.getalllinks.info/links/0.txt, http://www.dvc44ftgr.com/links/0.txt, or http://www.uniteddomainsweb.com/links/0.txt.

When Google and other search engines crawl those URLs they are served a page designed to rank highly for the search term. When one of the URLs is accessed by a user through a search engine, the web page redirects the user to a fake anti-virus scanner hosted on a sub-domain of osa.pl or co.cc. osa.pl and co.cc are not themselves malware websites; they provide sub-domains for people to host websites on. If a URL is accessed directly by a user, the web page redirects the user to cnn.com.

The malware has infected many websites, mainly those hosted by Bluehost (HostMonster, FastDomain), Endurance International Group (IPOWER, IPOWERWEB, BizLand, etc.), and DreamHost.
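The two file-system artifacts described above (a .php file with a five-letter random name, and a .files directory full of .html pages) are enough to build a simple scan of a web root. The following Python script is an added example written for this page, not a tool from the original advisory; it walks a directory tree and reports each directory that contains either artifact, rating a directory that has both as a high-confidence hit. The sample site tree it builds under a temporary directory, including the file name qwzxa.php and the placeholder HTML pages, is constructed for the demonstration and is not taken from any real infection. The five-letter rule on its own is only a heuristic (index.php is also five letters), which is why the combination of both artifacts is what raises the confidence.

```python
import os
import re
import tempfile
from pathlib import Path

# Artifact described on the page: a .php file whose name is five random letters.
# On its own this is a weak signal (e.g. index.php also matches), so it is
# combined with the second artifact below before a finding is rated "high".
FIVE_LETTER_PHP = re.compile(r"^[a-z]{5}\.php$", re.IGNORECASE)

# Second artifact described on the page: a directory literally named ".files"
# that holds the .html pages served to search-engine crawlers.
DROP_DIR_NAME = ".files"


def scan_webroot(webroot):
    """Walk webroot and return a list of findings, one per suspicious directory.

    Each finding records the directory (relative to webroot), the five-letter
    .php files found directly in it, the number of .html files inside its
    .files sub-directory (0 if there is none), and a confidence rating:
    "high" when both artifacts are present together, "low" when only one is.
    """
    webroot = Path(webroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        d = Path(dirpath)
        php = sorted(n for n in filenames if FIVE_LETTER_PHP.match(n))
        html_count = 0
        if DROP_DIR_NAME in dirnames:
            drop_dir = d / DROP_DIR_NAME
            html_count = sum(1 for p in drop_dir.iterdir()
                             if p.is_file() and p.suffix.lower() == ".html")
        if not php and not html_count:
            continue
        rel = str(d.relative_to(webroot))  # "." for the web root itself
        findings.append({
            "dir": rel,
            "php": php,
            "html_in_files_dir": html_count,
            "confidence": "high" if (php and html_count) else "low",
        })
    return sorted(findings, key=lambda f: f["dir"])


def build_sample_webroot():
    """Create a throwaway site tree that mimics the described infection.

    Everything here is constructed for the example: a legitimate index.php
    in the root (which trips the five-letter rule on its own) and a "blog"
    directory holding a random-looking qwzxa.php next to a .files directory
    with three placeholder HTML pages.
    """
    root = Path(tempfile.mkdtemp(prefix="seo_poison_demo_"))
    (root / "index.php").write_text("<?php echo 'legitimate front page'; ?>\n")
    (root / "about.html").write_text("<html><body>About</body></html>\n")
    blog = root / "blog"
    (blog / DROP_DIR_NAME).mkdir(parents=True)
    (blog / "qwzxa.php").write_text("<?php /* constructed placeholder */ ?>\n")
    for i in range(3):
        (blog / DROP_DIR_NAME / f"page{i}.html").write_text("<html></html>\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    for finding in scan_webroot(sample_root):
        print(f"[{finding['confidence'].upper():4}] {finding['dir']}: "
              f"php={finding['php']} html_in_.files={finding['html_in_files_dir']}")
```

Run against a real web root by calling scan_webroot with that path instead of the constructed sample; the "low" findings are the ones to review by hand (legitimate five-letter names, or a .files directory that belongs to the site), while a "high" finding has both artifacts the page describes sitting together.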