Attackers hijacking web site search engines to push malware
There are reports of criminals abusing the site search functions of ZDNet Asia and TorrentReactor to get IFRAMEs pointing to malicious web pages into Google's search results. The IFRAME is carried in the search query itself: it ends up both in the URL of the Google result and, reflected unescaped, in the results page that URL returns. When a victim follows such a result, the expected page at ZDNet or TorrentReactor does not open; the embedded IFRAME instead redirects the browser to the attacker's page, which offers downloads of bogus antivirus programs or video codecs that are said to contain the Zlob trojan.
The pages at ZDNet and TorrentReactor themselves are not compromised in the process. What the attackers appear to be exploiting is that both sites store every search query locally and republish it to improve their Google ranking, while the search function writes the query into the results page without HTML-encoding it. Security expert Dancho Danchev has published a detailed analysis of the problem in his blog. According to his findings, the criminals feed the search functions popular search terms combined with the IFRAMEs; the cached result pages are then indexed and show up as ordinary Google results. More than 20,000 search results pointing to ZDNet Asia are said to have contained the IFRAME redirect so far.
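The mechanism described above, as an added example written for this page (it is not code from the article, from Danchev's analysis, or from either site): a minimal search-results renderer in its vulnerable form beside the hardened one, and a scanner that decodes cached search URLs and flags queries carrying injected tags. The `/search?q=` parameter name, the queries and the `example.invalid` IFRAME destination are constructed placeholders, not details from the incident.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample inputs. The search term and the IFRAME destination are
# placeholders; they are not taken from the incident described in the article.
BENIGN_QUERY = "windows vista review"
INJECTED_QUERY = (
    "windows vista review"
    '<iframe src="http://example.invalid/redir" width="0" height="0"></iframe>'
)
SAMPLE_HITS = ["Vista review, part 1", "Vista review, part 2"]


def render_results_vulnerable(query: str, hits: list) -> str:
    """Search results page that echoes the query verbatim.

    Any markup inside the query becomes live HTML in the page. If the site
    caches and republishes query pages, Google indexes the injected IFRAME too.
    """
    items = "".join(f"<li>{html.escape(h)}</li>" for h in hits)
    return f"<h1>Results for: {query}</h1><ul>{items}</ul>"


def render_results_hardened(query: str, hits: list) -> str:
    """Same page with the query HTML-encoded before it is interpolated.

    '<' becomes '&lt;', so the browser shows the attacker's text instead of
    parsing it as a tag.
    """
    items = "".join(f"<li>{html.escape(h)}</li>" for h in hits)
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1><ul>{items}</ul>"


# Tags that have no business inside a search term. Case-insensitive, and
# tolerant of whitespace after '<', which naive filters tend to forget.
INJECTED_TAG_RE = re.compile(r"<\s*(iframe|script|object|embed)\b", re.IGNORECASE)


def contains_injected_markup(text: str) -> bool:
    """True if a rendered page (or a raw query) carries one of the tags above."""
    return INJECTED_TAG_RE.search(text) is not None


# Constructed sample of cached search URLs as a site might log or republish
# them. The 'q' parameter name is an assumption, not either site's real one.
CACHED_SEARCH_URLS = [
    "/search?q=windows+vista+review",
    "/search?q=free+codec+download%3Ciframe+src%3D%22http%3A%2F%2Fexample.invalid%2Fr%22%3E%3C%2Fiframe%3E",
    "/search?q=%3CIFRAME+SRC%3D%22http%3A%2F%2Fexample.invalid%2Fx%22+WIDTH%3D0%3E",
    "/search?q=zlob+removal",
]


def find_poisoned_queries(urls, param="q"):
    """Decode each cached search URL and return (url, query) for poisoned ones.

    Decoding first matters: the tag arrives percent-encoded in the URL, so a
    scanner that greps the raw log for '<iframe' misses it entirely.
    """
    poisoned = []
    for url in urls:
        params = parse_qs(urlsplit(url).query)
        for query in params.get(param, []):
            if contains_injected_markup(query):
                poisoned.append((url, query))
    return poisoned


if __name__ == "__main__":
    print(render_results_vulnerable(INJECTED_QUERY, SAMPLE_HITS))
    print(render_results_hardened(INJECTED_QUERY, SAMPLE_HITS))
    for url, query in find_poisoned_queries(CACHED_SEARCH_URLS):
        print("poisoned:", url, "->", query)
```

Output encoding is the fix that removes the injection; the scanner only finds what has already been cached. A site that republishes search queries for ranking purposes should additionally keep those pages out of the index (a `noindex` robots directive on search-result pages), so that whatever does slip through is never served to Google's users as a result.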
- ZDNet Asia and TorrentReactor IFRAME-ed, description by Dancho Danchev
- ZDNet Asia Compromised?, F-Secure advisory