The Anti-Virus Virus

Yaacov Apelbaum-Anti-Virus Virus

Several weeks ago, my wife was searching online for the words to one of Shel Silverstein’s poems.  With the Internet within closer reach than the bookshelf in our den, she went to Google and typed in the key words “shel silverstein pancakes,”  and within 0.32 seconds got several matching results (Image 1).


Image 1: Google Search Results

She clicked on one of the top results on the first search page and was almost instantly prompted by a message box (Image 2) stating, in effect, that her computer showed various signs of viruses and needed to be examined immediately. It then offered to perform a security scan.


Image 2: Infection Warning

We keep our OS well patched and the anti-malware software up to date, so she declined the offer and clicked the Cancel button. The message box went away, but another screen then popped up telling her that her system was being scanned for viruses. Thinking that she might have clicked OK by mistake, she waited for the scan results.


Image 3: Infection Warning

When the scan was complete (within 15 seconds or so), she was informed that her computer indeed had been infected with several nasty viruses (Image 3) and that she would need to download and install the offered security program in order to remove these viruses (Image 4).


Image 4: Malware Download Dialog Box

At that point, she realized the malware itself was communicating with her and trying to install onto her machine. She clicked the Cancel button in the dialog box, but instead of terminating the installation, she was redirected back to the first message, again warning her that her computer showed signs of infection and needed to be examined. Essentially, she was trapped in a loop and unable to close the browser. After another round of scans and cancellations, she finally brought up the Task Manager and force-terminated the process.

Several days later, over dinner, she casually mentioned her run-in with the malware. I made a sly comment that these are the rewards we reap for hanging around dubious websites. She took offense. “Dubious websites?” she said, mocking me. “This was the fourth entry on the first page of Google search results. How ‘dubious’ can that be?”

I found it hard to believe that the malware writers were clever enough to bypass Google’s filters and climb that high in the search rankings. Curious, I performed the same search she had done just a few days earlier. My results were almost identical—except that, ironically, her malware link had moved even higher in relevance.

Rather than clicking on it, I copied the URL and navigated directly to the website (Image 5).


Image 5: Actual page with download link and keywords

It turned out to be a newsgroup called derkeiler.com, which is one of the most popular and most heavily advertised mailing list archives on the net.  Looking closer at the page, I found the following:

  1. At the top was the bold title “SHEL SILVERSTEIN”
  2. Below the title was a bogus poster name in the format of name@xxxxxxxxx.com
  3. Next was a link that activated the malware download script.
  4. Finally at the bottom of the page was an extensive list of hundreds of keywords that were associated with the works of Shel Silverstein.

I looked at the parent directory page and found a long list of dated directories (Image 6).


Image 6: Parent Directory (note heavy commercial advertising)

Each one of these directories contained dozens of linked entries. After randomly clicking on about 30 links, I determined that most of them were identical to the Shel Silverstein page (Image 5) in terms of content, layout and malware activation functionality.  I checked out several other public newsgroups and “personal” web sites to compare. It appeared as if indeed there was a method to this madness.

Image 7: Sample directory contents with links to malware download

So what does it all mean? The MO appears to be as follows:

  1. Malware Deployment:
    The creators install the malware on a large number of personal websites—some breached, others purpose-built. One example is Rosuto Samurai, allegedly created to support fantasy gaming but, in reality, containing nothing but malware.

  2. Topic Page Generation:
    They then automatically create hundreds of highly popular topic pages (e.g., iPods, Shel Silverstein, movies, etc.) across newsgroups and mailing lists. Each page includes a link to the malware distribution site.

  3. Keyword Amplification:
    Each page also features a massive list of keywords, likely generated through a machine learning process, associated with the topic. The purpose of the keyword list is to maximize the page’s visibility to search engine spiders.

  4. Search Engine Manipulation:
    Search engines crawl these pages, detect the dense web of related keywords and hyperlinks, and algorithmically conclude that the content is highly relevant. As a result, these pages receive top rankings—appearing as high-priority hits in user search results.

The outcome of this strategy is cheap, highly effective SEO penetration and viral dissemination of malicious content (no pun intended) via top search rankings.
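The four steps above describe an SEO-poisoning pattern that leaves fingerprints a crawler can look for: a poster address in the name@xxxxxxxxx.com form, a link to an executable hosted somewhere other than the archive itself, and a long tail of keywords with no sentence structure. The scorer below is an added example written for this post, not code from the original article or from any of the sites it names; the two HTML pages it checks are constructed for illustration, and the hostnames in them are placeholders.

```python
"""Heuristic scorer for SEO-poisoned "topic pages" (added example, not from the post).

It flags a page when at least two of the three indicators described in the
post are present: a bogus poster address, an off-site executable download
link, and a keyword-stuffed block with no sentence punctuation.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _TextAndLinks(HTMLParser):
    """Collect visible text and href targets; script/style bodies are skipped."""

    def __init__(self):
        super().__init__()
        self.chunks, self.links, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "a":
            self.links.extend(v for k, v in attrs if k == "href" and v)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


# Poster address of the name@xxxxxxxxx.com form seen on the poisoned page.
BOGUS_POSTER = re.compile(r"[\w.+-]+@x{5,}\.[a-z]{2,}", re.I)
# Download targets that are executables rather than documents.
EXECUTABLE = re.compile(r"\.(exe|scr|msi|bat|com)$", re.I)


def longest_unpunctuated_run(text):
    """Longest stretch of words without a sentence terminator.
    Real prose is broken up by periods; a dumped keyword list is not."""
    return max(len(chunk.split()) for chunk in re.split(r"[.!?]\s", text))


def score_page(html, page_url, keyword_run_threshold=80):
    """Return the indicators found on one page and an overall verdict."""
    parser = _TextAndLinks()
    parser.feed(html)
    text = " ".join(parser.chunks)
    page_host = urlparse(page_url).netloc.lower()

    # Executable links pointing at a host other than the page's own.
    offsite_exe = [
        link for link in parser.links
        if EXECUTABLE.search(urlparse(link).path)
        and urlparse(link).netloc.lower() not in ("", page_host)
    ]
    indicators = {
        "bogus_poster": bool(BOGUS_POSTER.search(text)),
        "offsite_executable_links": offsite_exe,
        "keyword_run": longest_unpunctuated_run(text),
    }
    hits = (
        indicators["bogus_poster"]
        + bool(offsite_exe)
        + (indicators["keyword_run"] >= keyword_run_threshold)
    )
    indicators["suspicious"] = hits >= 2
    return indicators


# Constructed sample pages; hostnames are placeholders, not real sites.
POISONED = (
    "<html><body><h1>SHEL SILVERSTEIN</h1>"
    "<p>From: somebody@xxxxxxxxx.com</p>"
    '<p><a href="http://malware-host.example/setup.exe">Click here to view the poem</a></p>'
    "<p>" + ", ".join(f"silverstein keyword {i}" for i in range(60)) + "</p>"
    "</body></html>"
)
LEGIT = (
    "<html><body><h1>Shel Silverstein</h1>"
    "<p>Posted by reader@example.org</p>"
    "<p>The poem appears in the collection. You can find it in most libraries. "
    'Here is a link to the <a href="https://example.org/poems/pancakes.html">text</a>.</p>'
    "</body></html>"
)
ARCHIVE_URL = "http://archive.example/2009/post.html"

if __name__ == "__main__":
    for name, page in (("poisoned", POISONED), ("legit", LEGIT)):
        print(name, score_page(page, ARCHIVE_URL))
```

The thresholds are deliberately loose: a page needs two independent indicators before it is marked suspicious, so a legitimate post with one long list or one download link is not flagged on its own. In a real crawler the verdict would feed a review queue rather than an automatic block.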

Another observation—rich in irony—is that major vendors like Microsoft seem completely unaware of this scheme. They are actively purchasing ad space on these compromised sites, including ads for their own security products. In doing so, they are unwittingly sharing digital real estate with some of the most aggressive malware distribution hubs on the internet.

Stay tuned: in a future post, we’ll dig deeper into who is actually developing and marketing this malware.

Quis Custodiet Ipsos Custodes?
