Holiday Shopping - Black Hat SEO

November 22, 2010

SonicWALL UTM Research team discovered a number of polluted results appearing in search engine results for holiday shopping related search terms. Malware authors often use SEO poisoning technique to lure unsuspecting users into clicking on malicious links strategically placed in search engine results. For instance, search term "Walmart Black Friday Sales 2010" leads users to the malicious search results shown below


If the user clicks on the malicious link then it performs the following on the victim's machine

  • The initial link redirects users to another page containing a JavaScript, an extract of which is shown below. Based on the user's web browser it redirects to an appropriate landing page.


  • If the user is using Internet Explorer it redirects to a FakeAV landing page


  • If the user is using Firefox then it redirects to a fake Firefox update page suggesting an upgrade to flash player:


    If the user downloads and executes the fake flash update then it performs the following on the victim's machine

    • Drops files:
      • %temp%/Img.exe [Detected as GAV: Renos.MJ_4 (Trojan)]
      • %temp%/Imh.exe [Detected as GAV: Renos.MJ_4 (Trojan)]
      • %temp%/Imi.exe [Detected as GAV: Renos.MJ_4 (Trojan)]
      • %windir%/Ipisoa.exe (Copy of Img.exe) [Detected as GAV: Renos.MJ_4 (Trojan)]

    • Creates registry entry to ensure that the dropped malware runs on every system reboot:
      • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun: "%temp%/Imh.exe"
    • Posts confidential data back to remote servers


    • It redirects the browser and opens pop-up windows

Similar results were observed for other post Thanksgiving holiday shopping season related search terms like "Black Friday" and "Cyber Monday".

SonicWALL Gateway AntiVirus provides protection against this threat via following signatures:

GAV: Renos.MJ_4 (Trojan)
GAV: GAV: FakeAlert.SR (Trojan)
GAV: JSRedir.BF (Trojan)
GAV: Suspicious#fakeav.html (Trojan)