Security Threat Analysis SEO Poisoning Malware

Updated: October 18, 2010

The Security Threat Analysis SEO Poisoning Malware places a .php file with a five-letter random name and a set of .html files in a directory called .files, onto a website to be used as part of an SEO poisoning campaign. The .php file, with a URL parameter of a popular search term appended, is linked to from other hacked websites. You can see the currently linked to pages at,, or When Google and other search engines crawl those URLs they are served a page designed to rank highly for the search term. When one of the URLs is accessed by a user through a search engine, the web page redirects the user to a fake anti-virus scanner through sub-domains of and and are not themselves malware websites; they provide sub-domains for people to host websites. If the URLs are accessed directly by a user, the web page redirects the user to The malware has mainly infected websites hosted by Bluehost (HostMonster, FastDomain), Endurance International Group (IPOWER, IPOWERWEB, BizLand, etc.), and DreamHost.
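For site owners checking their own hosting account, the file layout described above can be searched for directly. The following is an added example, not code from the original page; it assumes the five-letter name consists of ASCII letters, looks for the .php file both inside and beside the .files directory (the page does not say which), and uses a constructed sample tree and a hypothetical allowlist of common legitimate names.

```python
import os
import re
import sys

# Assumption: "five letter random name" means exactly five ASCII letters.
PHP_NAME = re.compile(r"^[A-Za-z]{5}\.php$")
# Hypothetical allowlist: ordinary five-letter script names that are not random.
KNOWN_LEGIT = {"index.php", "login.php", "admin.php"}

def find_seo_poisoning_artifacts(webroot):
    """Return [(files_dir, [candidate_php_paths])] for each suspicious .files dir."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        if os.path.basename(dirpath) != ".files":
            continue
        # The page describes a set of .html files inside .files; skip empty ones.
        if not any(f.lower().endswith(".html") for f in filenames):
            continue
        candidates = []
        # Assumption: check the .files directory itself and its parent.
        for d in (dirpath, os.path.dirname(dirpath)):
            for name in sorted(os.listdir(d)):
                full = os.path.join(d, name)
                if (PHP_NAME.match(name) and name.lower() not in KNOWN_LEGIT
                        and os.path.isfile(full)):
                    candidates.append(full)
        findings.append((dirpath, candidates))
    return findings

def build_sample_tree(root):
    """Constructed sample webroot: one clean site, one with the described layout."""
    layout = [
        "clean/index.php", "clean/about.html",
        "clean/.files/readme.txt",           # .files without .html: not flagged
        "blog/index.php",                    # five letters, but allowlisted
        "blog/qzkfw.php",                    # constructed random-looking name
        "blog/.files/term-one.html", "blog/.files/term-two.html",
    ]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")

if __name__ == "__main__" and len(sys.argv) > 1:
    for files_dir, php_files in find_seo_poisoning_artifacts(sys.argv[1]):
        print(files_dir, "->", php_files or "no five-letter .php found nearby")
```

A hit is a lead for manual review, not proof of infection; compare file modification times and contents against a known-good backup before deleting anything.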