Gromozon hijacks Italian MSN searches

Posted by   Virus Bulletin on   Mar 8, 2007

Link bombing pushes blended spyware attack to top of popular search results.

The gang behind the sophisticated Gromozon blended threat, also known as LinkOptimizer, is thought to have successfully subverted the Windows Live Search system to place links to their malware in prominent positions in result listings for several popular Italian-language search terms.

A series of carefully designed websites were apparently set up to create a 'link bomb', aka 'Google bomb' after the popularity of such tactics to boost a site's visibility in Google searches, generally for satirical or political purposes. By targeting commonly searched-for words, and creating sites including a complex network of links and keywords, the technique exploits the link-related ranking methodology of search engines to improve placement in the results returned for those searches.

The sites thus promoted are arranged in a complex spider-web similar to those used by the highly evolved Gromozon attack, a complex blend of exploits, obfuscated code, rootkit stealth and other techniques designed to implant malware silently onto systems browsing to infected sites, and to make detection and removal of the installed threats as difficult as possible, including attempts to block detection and removal tools and related web resources. Infected victims are then served adware, creating revenue for those behind the attack.

The threat was first reported in Italy and seems to have originated there, and many of the new sites are adorned with the Italian flag. A similar technique was used at the time, targeting Google searches to spread the infection, and while many of the sites linked to from the bombed searches seem to be clean at present it seems likely that they will be put to some malicious use. The effect has also been reported in search engines outside of Italy, and from other providers, but Microsoft's Windows Live system seems the most affected. Earlier this year Google introduced changes to combat such attacks on their searching system.

'Since the first detailed analysis of this threat last year, it has evolved considerably, with new attack vectors and self-protective measures added on a regular basis,' said John Hawes, Technical Consultant at Virus Bulletin. 'This search-manipulation technique seems to be part of an attempt to spread the latest variants of this nasty piece of malware to a wider audience of potential victims. Web users should be on their guard against suspicious-looking sites, and should ensure they always run fully patched, firewalled and protected systems.'

The link bombing was first reported by a blogger at Sunbelt Software, here, and more detailed analysis of the technique and its effects can be found at Symantec, here.

Posted on 08 March 2007 by Virus Bulletin

 Tags

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VBSpam tests to be executed under the AMTSO framework

VB is excited to announce that, starting from the Q3 test, all VBSpam tests of email security products will be executed under the AMTSO framework.

In memoriam: Prof. Ross Anderson

We were very sorry to learn of the passing of Professor Ross Anderson a few days ago.

In memoriam: Dr Alan Solomon

We were very sorry to learn of the passing of industry pioneer Dr Alan Solomon earlier this week.

New paper: Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects

In a new paper, researchers Aditya K Sood and Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited in order to gather threat intelligence, and present a model of mobile AppInjects.

New paper: Collector-stealer: a Russian origin credential and information extractor

In a new paper, F5 researchers Aditya K Sood and Rohit Chaturvedi present a 360 analysis of Collector-stealer, a Russian-origin credential and information extractor.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.