As we reported earlier this month, Microsoft Live in Italy is serving massive amounts of infected pages through rogue search engine optimization by the Gromozon crew.
The Register has picked up the story and run with it.
Some researchers may be confused when they try to reproduce this, because the search results don’t appear to serve malware.
However, they will if you’re using an Italian IP address. Also, according to Francesco Benedini, a Sunbelt researcher and one of the foremost experts on Gromozon, “the Gromozon group pulls off every trick to make sure that when you’re surfing one of those sites you’re doing it with a real browser instead of an http crawler like wget; that includes headers that wget doesn’t normally put in place, like ‘Accept-language’, ‘Accept’, a proper user-agent, and apparently even that the actual referrer is one of their sites.
So if you don’t live-test it with a real browser you’re not being redirected to their malicious pages. Also, there’s a server-side detection of the user-agent as well; an XP machine with SP1 and IE6 gets infected right away, an XP machine with SP2 and Firefox doesn’t.”
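The live-test Benedini describes can be automated: fetch the same URL once with bare crawler headers and once with the headers a real browser sends (Accept, Accept-Language, a proper User-Agent, a Referer), then compare the bodies. The script below is an added example, not Sunbelt’s tooling; the header values and the built-in stand-in server (which only imitates the header-based cloaking the post describes, so the probe runs offline) are constructed for illustration.

```python
import hashlib
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Header profiles: what a bare crawler sends versus what a real browser sends.
# The browser profile carries the headers the post names; values are constructed examples.
CRAWLER_PROFILE = {"User-Agent": "Wget/1.10.2"}
BROWSER_PROFILE = {
    "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Accept": "text/html,application/xhtml+xml,*/*;q=0.8",
    "Accept-Language": "it-IT,it;q=0.8",
    "Referer": "http://example.invalid/",  # placeholder for a referring site
}

def fetch_digest(url, headers, timeout=5):
    """Fetch url with the given headers and return a SHA-256 of the response body."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return hashlib.sha256(resp.read()).hexdigest()

def detect_cloaking(url, profiles):
    """Fetch url once per header profile; True if any two profiles received different bodies."""
    digests = {name: fetch_digest(url, hdrs) for name, hdrs in profiles.items()}
    return len(set(digests.values())) > 1, digests

# Constructed stand-in server: serves a harmless page to requests that lack browser
# headers and a different page to requests that look like a real browser.
class CloakingHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        looks_like_browser = all(h in self.headers for h in ("Accept", "Accept-Language", "Referer"))
        body = b"<html>browser-only content</html>" if looks_like_browser else b"<html>harmless page</html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_test_server():
    """Start the stand-in server on a free loopback port; returns (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/"

if __name__ == "__main__":
    server, url = start_test_server()
    cloaked, digests = detect_cloaking(url, {"crawler": CRAWLER_PROFILE, "browser": BROWSER_PROFILE})
    print("cloaking detected:", cloaked)
    for name, digest in digests.items():
        print(f"  {name}: {digest[:16]}")
    server.shutdown()
```

Against a real site, point `detect_cloaking` at the URL under test from a vantage point matching the targeted audience (here an Italian address) and add a profile per User-Agent you want to compare, since the post notes the server also keys on that.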