With the Winter Olympics in the news for the past couple of weeks, malware profiteers, as usual, are hard at work churning their "little greased wheels", looking to capitalize on any opportunity to get the slightest hint of public attention. Their strategy is simple: populate a malicious Web page with keywords that are likely to come up in news-related searches. The sooner such a page is put up, the better its chance of getting a high search engine ranking. Even though there are normally not many links to such a page from other sources, the fact that it was published early enough may be sufficient to place it among the top search results returned.

In addition, while the large number of sources covering the event would normally push the malicious page down the search rankings, malware writers aim for a spike in news activity, which narrows the field to a smaller set of keywords drawn from the larger, already popular topic. An example of a Winter Olympic Games subset could be "gold medal short track skating" or something similar.

The high ranking for the malicious page may be short lived, but sometimes it can linger "up in the charts" for days. That lingering popularity can be attributed to early detection of the malware served by the page: security forums and other security-related sites then reference the page as a malicious source, and some of them link directly to it, inadvertently helping its popularity. (This is one reason why we do not publish URLs to malicious pages, and why elsewhere you often see contrived or deliberately broken URLs that suggest, but do not give access to, the page being discussed.)

I stumbled on one such example that kept appearing in search results: when the link is clicked, the user's attention is drawn to some fairly typical scare tactics:


Regardless of the response, the page navigates to a fake representation of what appears to be a user’s hard drive, seemingly infected with various sorts of malware:

Once again, regardless of the response, the user is prompted with a dialog to download a binary file:

The binary itself (SHA1 e753a343ea58a4303ec259f2a971db3a508dd6a6) is detected as Trojan:Win32/Winwebsec by the latest Microsoft antivirus signatures.

So far there does not seem to be an easy solution for dealing with malicious pages that pop up around popular news search keywords. So, as usual, stay vigilant about any suggestion to run an executable from an unverified source, and make sure that you use up-to-date antivirus definition files.

-Oleg Petrovsky