Defending against SEO poisoning attacks with Layered Protection

The use of search engine optimisation (SEO) in malware distribution has been discussed many times on this site. In most cases, the attacks are used to redirect unsuspecting users to scareware (fake anti-virus) sites, where they are tricked into installing fake AV. The attacks have historically been Windows-specific, but recently we have seen the attackers targeting Mac users as well.

From the attackers’ point of view, a crucial part of any web attack is about controlling the user traffic. There are several ways of achieving this, one of
the more effective being compromising legitimate sites (injecting web pages with some silent redirect). Whilst this still remains an effective way of
capturing the user traffic, SEO has undeniably grown in popularity. As we highlighted in a previous technical paper, there is no technical barrier for SEO to be used in malware distribution, primarily due to the use of kits that facilitate the construction and management of the SEO sites.

Recently we have been tracking a fresh burst of SEO attacks that appear to be successfully capturing a lot of user traffic. The kit being used in these
attacks has already been well described, so I will not repeat that information here. Instead, what I hope to reveal are the various stages of the attack and where Sophos protection fits in.

Sites hosting the SEO pages

The SEO pages used in these attacks are hosted within a large number (thousands) of compromised, legitimate sites. Looking at a sample of the sites hosting the SEO pages that we have seen over the past 24 hours, it is clear that the problem is not isolated, with many hosting providers hit.

I quickly cross-checked this snapshot of compromised sites against the latest Alexa top 1 million data. Just over 50 of the sites feature in the Alexa rankings, with 3 ranking in the top 100,000, one of which is at position 2548! This illustrates the advantage the attackers have in hosting the kit within legitimate sites, piggybacking on their existing positive reputation, thereby making it harder for the search engines to filter.

A question we are commonly asked is what topics/keywords are actually being poisoned? The answer to this is pretty much anything you can imagine (and more besides). The topics we have seen poisoned recently range from the predictable (“Lady Gaga’s shoes“, “Justin Bieber“) through to the more unusual (“ancient Inca masks“, “3D origami skull“).

Attack flow

Users clicking through from the search engine results to one of these SEO pages are redirected to a remote traffic direction system (TDS) server, step 3 in the diagram below. Using the TDS allows the attackers to control the remainder of the attack. In the current attacks, user traffic is being split down at least two paths. In some cases victims are simply redirected to scareware sites, in others they are redirected to exploit sites. For the latter case, the diagram below illustrates the various steps involved in the attack.

The steps are described below:

  1. The attackers win the game of cat and mouse with the search engines, and succeed in getting links to poisoned SEO pages in the search engine results.
  2. A user clicks on one of the links to the SEO page. The PHP script used in the SEO kit determines this is a user that has arrived via a search engine, and simply redirects them to the TDS server.
  3. The TDS server redirects the user again, to a page within another compromised web site.
  4. Another HTTP 302 redirection, this time to the site hosting the exploit script (suspected to be constructed using the Blackhole exploit kit).
  5. The script loaded on the exploit site is heavily obfuscated in an effort to thwart detection. The script is responsible for loading malicious PDF and Java components that exploit several client vulnerabilities.
  6. If any of the attempted exploits succeed, the desired payload will be installed on the user’s machine.

As noted above, these exploit sites are thought to be constructed/managed with a kit known as Blackhole, which hits users with content to exploit several vulnerabilities, including:

  • CVE-2009-0927 (PDF getIcon)
  • CVE-2008-2993 (PDF util.printf)
  • CVE-2007-5659 (PDF collectEmailInfo)
  • CVE-2010-1423 (Java)
  • CVE-2010-1885 (HCP)
  • CVE-2006-0003 (MDAC)

Defending the SEO attacks

As illustrated in the diagram above, there are multiple steps in the infection chain where we provide protection, before the victim is infected with the
payload. In terms of detections:

  • Mal/SEORed-A – block access to the SEO pages containing the poisoned search terms.
  • Troj/ExpJS-BP – block access to the script used on the exploit site.
  • Troj/PDFJS-RL – block access to the malicious PDF files used by the exploit kit.
  • Mal/JavaDldr-B – block access to malicious Java files used by the exploit kit.

In addition to these detections, customers using our reputation data (via the Sophos Web Appliance or as part of Live Protection on the endpoint) will also be protected from these attacks thanks to URL filtering.

The success of these latest SEO attacks is perhaps best illustrated by reviewing prevalence data for the Mal/SEORed-A detection. Looking at a 24-hour snapshot of detections from Sophos-protected endpoints shows Mal/SEORed-A in 3rd place! Clearly the SEO techniques are succeeding in capturing the traffic of an awful lot of users.