Polish Air Accident and Blackhat SEO

Thanks to Marcin Gajewski for pointing out that Lech Kaczynski was the President of Poland, not the Prime Minister. I really shouldn't try to blog after a full day's travelling :(

While I was enjoying a rare few days off, my colleagues at ESET Latin America were posting a blog article about the ugly way in which the news of the air crash at Smolensk in which 97 people died (including the Polish President and other members of a Polish delegation), was misused by malware gangs. We are, by now, all too familiar with the use of items of news (real or fabricated, tragic or trivial) as a hook on which to hang SEO poisoning attacks, but here is another instance.

As usual, errors in translation or interpretation are down to me.

As we've become far too accustomed to reporting, at this moment malware is being propagated by exploiting the fatal accident that befell the Polish president and his retinue a few hours ago. If any search engine is used to look for news and further information on this story, hundreds of the malicious URLs used to spread malicious software that have been created are likely to appear in search results.

At the time of writing, the majority of search results direct the potential victim to a domain in Poland, using a format like this:

http:// [random domain name] .com/lvlne.php? on=polish%20news%20video

That PHP takes to the user to a site hosted in Poland which contains fake anti-virus:

http://hur497. [malicious domain] .pl/in.php? t=cc&d=10-04-2010_x_1023&h=[random domain name].com

The format of the second URL shows the date of the campaign (in this case 10th April) and the domain from which the search originated. Criminals use these data to ascertain what payment is due to their "business" partners (yes, of course, malware is a business...) on the basis of the number of visits that a particular group's activities generated.

The "use" of a “product” like so-called "CleanUp Antivirus"  requires registration, payment for which may finish up as being more expensive than a real anti-virus product.

As always in these cases, we recommend that you maintain up-to-date (and genuine) security tools and to verify the sites that are being visited.

Cristian Borghello
Director of Education

Cristian also reports that, as we'd expect, search engines are now flagging some malicious sites as potentially harmful.

David Harley CISSP FBCS CITP
Research Fellow & Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter:
http://twitter.com/esetresearch; http://twitter.com/ESETblog
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://amtso.wordpress.org/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macvirus.com/
http://chainmailcheck.wordpress.org
http://smallbluegreenblog.wordpress.com/