As we reported earlier this month, Microsoft Live in Italy is serving massive amounts of infected pages through rogue search engine optimization by the Gromozon crew.

The Register has picked up the story and run with it.

To see for yourself, type “veicolo commerciale noleggio” into Live.com and watch what gets returned. The first result (at the time of writing, anyway) is for a site at b9n3q3.info/yb6u46p76.html, which uses JavaScript to redirect users to another site. This second site actively tries to install several varieties of malware, in some cases the nasty Trojan known as Rustock. This result is just one of many malicious referrals Live.com makes when the above search term, which is Italian for “commercial vehicle rental,” is entered.

Link here.

Some researchers might get confused by this exercise — because the results aren’t showing malware.

However, they will if you’re using an Italian IP address. Also, according to Francesco Benedini, a Sunbelt researcher and one of the foremost experts on Gromozon, “the Gromozon group pulls off every trick to make sure that when you’re surfing one of those sites you’re doing it with a real browser instead of an HTTP crawler like wget; that includes headers that wget doesn’t normally put in place, like ‘Accept-Language’, ‘Accept’, a proper user-agent, and apparently even that the actual referrer is one of their sites.

So if you don’t live-test it with a real browser you’re not being redirected to their malicious pages. Also, there’s a server-side detection of the user-agent as well; an XP machine with SP1 and IE6 gets infected right away, an XP machine with SP2 and Firefox doesn’t.”
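Benedini’s description of the cloaking checks suggests a simple analyst test. As an added example (not code from this post or from Sunbelt), the Python below fetches a page once with bare crawler-style headers and once with a browser-like profile, then flags cloaking when the browser copy contains JavaScript or meta-refresh redirects that the crawler copy lacks; the header values, hostnames and HTML samples are constructed, and the crawler/browser comparison is only as good as how closely the profile matches the browser that actually gets infected.

```python
import re
import urllib.request
from urllib.parse import urljoin

# Header profile approximating the browsers the quoted researcher describes
# (constructed sample values; adjust to match the browser you compare against).
BROWSER_HEADERS = {
    "User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "it-IT,it;q=0.8,en;q=0.5",
}

# JavaScript redirects: location = "...", location.href = "...",
# location.replace("...") / assign("..."), optionally prefixed by window./document.
_JS_REDIRECT = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location"""
    r"""(?:\.href)?\s*(?:=|\.(?:replace|assign)\s*\()\s*["']([^"']+)["']""",
    re.IGNORECASE,
)
# <meta http-equiv="refresh" content="0;url=...">
_META_REFRESH = re.compile(
    r"""<meta[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["']?\s*\d+\s*;\s*url\s*=\s*([^"'>\s]+)""",
    re.IGNORECASE,
)

# Constructed sample bodies: what a bare crawler might get vs. what a browser gets.
CRAWLER_HTML = "<html><body><p>Veicolo commerciale noleggio</p></body></html>"
BROWSER_HTML = ('<html><head><meta http-equiv="refresh" content="0;url=/landing.html"></head>'
                '<body><script>window.location.href="http://second-hop.invalid/x.html";</script></body></html>')


def extract_redirects(html, base_url):
    """Return absolute targets of every JS/meta redirect in html, in order, deduplicated."""
    targets = []
    for pattern in (_JS_REDIRECT, _META_REFRESH):
        for raw in pattern.findall(html):
            absolute = urljoin(base_url, raw.strip())
            if absolute not in targets:
                targets.append(absolute)
    return targets


def looks_cloaked(crawler_html, browser_html, base_url):
    """True when the browser-profile response carries redirects the crawler response never saw."""
    plain = set(extract_redirects(crawler_html, base_url))
    browser = set(extract_redirects(browser_html, base_url))
    return bool(browser - plain)


def fetch(url, browser_like=True, timeout=15):
    """Fetch url with the browser header profile, or with a bare wget-style request."""
    headers = dict(BROWSER_HEADERS) if browser_like else {"User-Agent": "Wget/1.10"}
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(resp.headers.get_content_charset() or "utf-8", "replace")
```

Run both variants from an Italian egress address, since the page notes the geolocation check comes first; a cloaked page will typically show redirects only in the browser-profile response.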

Alex Eckelberry