Gromozon hijacks Italian MSN searches

Posted by Virus Bulletin on Mar 8, 2007

Link bombing pushes blended spyware attack to top of popular search results.

The gang behind the sophisticated Gromozon blended threat, also known as LinkOptimizer, is thought to have successfully subverted the Windows Live Search system to place links to their malware in prominent positions in result listings for several popular Italian-language search terms.

A series of carefully designed websites was apparently set up to create a 'link bomb', also known as a 'Google bomb' after the popularity of such tactics for boosting a site's visibility in Google searches, generally for satirical or political purposes. By targeting commonly searched-for words and creating sites that include a complex network of links and keywords, the technique exploits the link-related ranking methodology of search engines to improve placement in the results returned for those searches.

The sites thus promoted are arranged in a complex spider-web similar to those used by the highly evolved Gromozon attack. That attack is a complex blend of exploits, obfuscated code, rootkit stealth and other techniques designed to implant malware silently onto systems browsing to infected sites, and to make detection and removal of the installed threats as difficult as possible, including attempts to block detection and removal tools and related web resources. Infected victims are then served adware, creating revenue for those behind the attack.

The threat was first reported in Italy and seems to have originated there, and many of the new sites are adorned with the Italian flag. A similar technique was used at the time, targeting Google searches to spread the infection. While many of the sites linked to from the bombed searches seem to be clean at present, it seems likely that they will be put to some malicious use. The effect has also been reported in search engines outside of Italy, and from other providers, but Microsoft's Windows Live system seems the most affected. Earlier this year Google introduced changes to combat such attacks on its search system.

'Since the first detailed analysis of this threat last year, it has evolved considerably, with new attack vectors and self-protective measures added on a regular basis,' said John Hawes, Technical Consultant at Virus Bulletin. 'This search-manipulation technique seems to be part of an attempt to spread the latest variants of this nasty piece of malware to a wider audience of potential victims. Web users should be on their guard against suspicious-looking sites, and should ensure they always run fully patched, firewalled and protected systems.'

The link bombing was first reported by a blogger at Sunbelt Software, and a more detailed analysis of the technique and its effects has been published by Symantec.
