NEWS FROM THE LAB - Thursday, March 4, 2010

SEO Poisoning Sites Use Flash for Redirection

Posted by Response @ 10:06 GMT

Another day, another news item, and well… another SEO poisoning stint.

[Image: PDF Google]

Using PDF files in SEO poisoning is recent, but not exactly fresh news. So we were thinking of just adding the malicious URLs to our Browsing Protection and creating detections for the corresponding files… Then, we saw something:

[Image: isitpossibletobehappy swf]

OK, could be a one-time thing, so we checked the other sites:

[Image: olympiccoverage swf]

And in the usual geeky fashion in the lab… we got excited.

When decompressed, the SWF contains this:

[Image: swf code]

Since a lot of websites use SWF, most users already have Flash support installed in their browsers, which also means the malicious SWF will run for them.

The SWF is of course the key to getting to:

[Image: pdf scandownload]

[Image: pdf security antivirus download]

[Image: pdf rogue scan]

It seems that the bad guys want the malicious URLs to be hidden inside the SWF.

Perhaps it makes them sleep better at night thinking that their sites won't be discovered very soon.
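
For analysts triaging a SWF like the ones above, the decompress-then-look step can be scripted. The following Python is an added example, not code from the original post or from our lab tooling; the function names, the sample bytes and the redirect.example URL are constructed for illustration. It inflates a zlib-compressed (CWS) SWF and lists the plain-text URLs inside it; URLs that the ActionScript assembles at run time will not show up in such a scan.

```python
import re
import struct
import zlib

# Plain http(s) URLs made of printable ASCII; the match stops at a NUL or space.
URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,}")


def swf_body(data: bytes) -> bytes:
    """Return the file as an uncompressed SWF (FWS), inflating CWS if needed."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig, _version, declared_len = struct.unpack("<3sBI", data[:8])
    if sig == b"FWS":                      # already uncompressed
        return data
    if sig != b"CWS":                      # e.g. ZWS (LZMA) is not handled here
        raise ValueError(f"unsupported signature {sig!r}")
    body = zlib.decompress(data[8:])       # everything after the 8-byte header
    if len(body) + 8 != declared_len:      # header stores the uncompressed size
        raise ValueError("declared length does not match inflated size")
    return b"FWS" + data[3:8] + body


def extract_urls(data: bytes) -> list[str]:
    """List unique URLs found in the inflated SWF, in order of appearance."""
    urls: list[str] = []
    for match in URL_RE.finditer(swf_body(data)[8:]):
        url = match.group().decode("ascii")
        if url not in urls:
            urls.append(url)
    return urls


# Constructed sample (not from the post): filler bytes plus one ActionGetURL
# record (0x83, length, URL string, target string), packed as a CWS file.
_STRINGS = b"http://redirect.example/in.php?q=scan\x00_self\x00"
_BODY = b"\x00" * 9 + b"\x83" + struct.pack("<H", len(_STRINGS)) + _STRINGS
SAMPLE_CWS = b"CWS" + struct.pack("<BI", 9, len(_BODY) + 8) + zlib.compress(_BODY)

if __name__ == "__main__":
    for found in extract_urls(SAMPLE_CWS):
        print(found)
```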

The malicious URLs are now blocked via our Browsing Protection and malicious files are detected.

Response post by — Christine and Mina