[Interim updates removed: later information on Twitter profile attacks and Blackhat SEO attacks using keywords related to this topic to spread malware, has been made public in a later blog at http://www.eset.com/blog/2010/03/30/here-come-more-of-the-ghouls.]

Following this morning's bombings in the Moscow Metro (subway system), Aryeh Goretsky suggests the likelihood of criminals using "blackhat SEO" (search engine optimization or index hijacking) to drive users of Google and other search engines towards malicious sites: for example, sites pushing fake anti-virus software.

Since we already know that the gangs have no hesitation in exploiting human tragedies in order to turn a profit, he's right: it is all too likely. So it makes sense to be cautious about following links on the topic, especially the ones that appear around the top. The gangs have become expert at manipulating search engine ranking so that malicious URLs are among the first links you see in a search.

Given that there are already videos associated with the incident like that used by the BBC in its story at http://news.bbc.co.uk/1/hi/world/europe/8592190.stm, there's a ready made "cover story" for malicious programs masquerading as video footage. (Though criminals often display some ingenuity in inventing less obvious approaches to social engineering.) In fact, the BBC story actually invites people to send in pictures and video. I hope they have good gateway protection.

Not so long ago, it was more common for such malware to be distributed as message attachments rather than URLs. The recent World Cup malware described at http://www.eset.com/blog/2010/03/26/world-cup-malware-the-kick-off was also distributed as an attachment (in this case a PDF, using an already-patched Adobe vulnerability). Of course, that's a common approach in spear-phishing (highly targeted phishing messages using attached malcode). 

That may be an approach we're going to see more of in wider attacks with spammed out malware, which has unfortunate implications for gateway filters, since an awful lot of legitimate PDFs get traded in email.

I hope this isn't one of those self-fulfilling prophecies I get nervous about generating, as a writer. It makes me feel almost as ghoulish as the unpleasant people who latch on to tragedies like this and exploit them for gain. :(

David Harley FBCS CITP CISSP
ESET Research Fellow & Director of Malware Research