msgbartop
Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.
msgbarbottom
Loading site search ...

Black Hat SEO for Virus Dissemination.

   24 Jan 09   Filed in Website exploits

In the previous post I talked about the exploit that redirected Googlebot to malicious sites. This time I’ll talk about how I investigated this issue and what I discovered.

This started about a week ago when I noticed a few sites with suspicious redirects in Unmask Parasites reports. There was a chain of two 301 redirects: -> “http://bablo .me .uk/”  -> “http://www. 524045. secki .info/”. Sometimes “bablo me uk” redirected to other sites that always contained a random 6 digit number as a subdomain name.  I decided to find out what was going on.

Investigation

Although the first time I followed the redirects I ended up on a bogus Antivirus 2009 site, this case didn’t look like the usual .htaccess redirect exploit since the search engine traffic was not redirected.

I googled for “bablo .me .uk” and found a Turkish site with the following PHP code:

$agent = $_SERVER['HTTP_USER_AGENT'];
if (eregi("google", $agent)) {header("HTTP/1.1 301?);
header("Location: http://bablo .me .uk/”);
exit(); }

This code checks “usert_agent” header of each request. If this headers contains word “google“, it responds with a redirect to “bable .me .uk” with a status code of 301 (moved permanently).

That looked like the answer. Indeed, the affected sites were PHP-driven (Joomla) and web-sniffer with the Googlebot user-agent reported the same 301 redirect.

What this exploit does?

The purpose of this code is to make Googlebot think that your web pages moved to another address and that new address should be indexed instead of the original web pages.

This means that every page that links to your web site, for Google, is now technically linking to “bablo .me .uk” and passing link juice to it.

As a result, web pages of a compromised site will be delisted from Google’s search results and the hackers’ sites will get decent (stolen) PageRank for free.

But this is only a theory. In practice it doesn’t work this smooth.

Where the redirect goes to?

Screenshot: Where the redirect goes to?

The landing pages for this exploit reside on websites like these:

  • www.678643 .2009clickme .com
  • www.619414 .aliyev .biz
  • www.524045 .secki .info
  • www.807119 .sozunu .de
  • www.142254 .operikizi .com
  • www.775050 .otaq .net
  • www.589590 .whatdidieat .com
  • www.129270 .2009google .com
  • www.128609 .2009index .com
  • www.240959 .2009bablo .com
  • www.761893 .islam .az
  • www.168667.2009filki .com
  • www.733380 .f-1. az

All these sites are hosted on the same server and they all distribute malware. If someone is interested, I have a list of almost 1000 domains hosted on this server.

IP Address: 64 .27 .5 .44
IP Location United States – California – Los Angeles – Airlinereservations.com Inc

The pages contain poorly formatted links and thumbnails. The links are generated every day using popular searches or headlines (for example there was a “MIRACLE ON THE HUDSON” link just a few hours after the accident).

Fake video players

Screenshot: Fake video players

Every link goes to a page with a fake video player (actually just an animated gif file) that requires downloading either TubePlayer.ver.6.20585.exe or load-player.exe to play the movie. To make people believe the movie is really worth watching, they display some fake social proof like “Rating 9/10, 43594 views, 504 people bookmarked this movie“.

The downloads are actually trojans and they are poorly detected by popular antivirus tools.

Alternative destinations

Sometimes these pages also link to infamous Antivirus 2009 sites or try to monetize the traffic displaying results pages on pay-per-click search engines: TopSearch10 (affiliate id = 34073) and Google’s Custom Search Engine (partner-pub-7411906915148435%3Ahjmb5p-w0ue – and it seems to be violating Google’s terms of services).

Strange SEO

Funny. These guys really want to rank well in organic search results, but their efforts are strange to say the least.

Their index pages contain the following META tags:

<META content="index,follow" name="ROBOTS">
<META content="1day" name="Revisit-After">

These are explicit instructions to search engine robots to index content of the pages, follow links and revisit the pages every day.

And the pages with the fake video players and virus downloads feature the following META tags:

<META content="View numbers+lady video, vid, movie, mov..." name="DESCRIPTION">
<META content="noindex,nofollow" name="ROBOTS">
<META content="1day" name="Revisit-After">

So they provide a preferred description to be used in search results and at the same time instruct search engines not to index the page (noindex). The nofollow instruction makes little more sense since the only link is the trojan download link. So why on earth do they want this page to be revisited every day? By the way, the “Revisit-After” meta tag is not supported by any major search engine.

OK, they steal some established PageRank from compromised sites, but then they spread it between hundreds of different sites/domains minimizing the effect. I will be surprised to see any of these sites ranking well.

And of course, Google is not happy with their Black Hat promotion and malicious content (by the way I reported these sites to Google).

Summary

I don’t know how successful this campaign can be for hackers, but it can be a real trouble for webmasters of compromised sites.  While it is very difficult to detect, it inevitably leads sites to complete delisting from Google’s search results.

If you don’t want this to happen, be sure to regularly check what Googlebot sees on your site.  You can use web-sniffer with the Googlebot user-agent. Or Firefox with the User Agent Switcher plugin (the user-agent string of Googlebot is “Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)“). And if you decided to use Firefox, make sure to install another useful plugin called NoScript – it’s your protection from malicious scripts.

Pay attention to any warnings in Google Webmaster Tools. You may find some indirect signs in the web crawl diagnostics section.

Unmask Parasites can also be used to detect this particular exploit. Any suspicious redirect should be investigated.

Update (January 27, 2009)Surprisingly, this Black Hat campaign really works. Check this post from the owner of a hacked blog.

These crappy sites managed to steal his positions is search engine results. Now Top 2 positions in Google search results for his keyword “Old Ten Speed Gallery” are occupied by malware sites (www.430823.geek6000 .com and www.192376.sozunu .de) that have nothing to do with this keyword.

Hijacked Google results

Moreover, the PageRank of the hacked site has dropped from 4 to 0.

In this case hackers managed to insert the 301 redirect code into a .htaccess file.

If you don’t want to lose search engine traffic, you’d better detect this sort of exploits at the earliest stage. And if you find the malicious code, be sure to investigate the issue and prevent recurrence.

To return your positions in search results, you might need to report spam results to Google. If you are registered with Google Webmaster Tools, you might prefer an authenticated form

Similar posts:

Comments are closed.