RSS feed of TRACElabs Blog from M86 Security

Live Spaces and AOL Journals SEO

 

October 6, 2008

Lately we have been looking into a Search Engine Optimization (SEO) operation that uses the top search terms, supplied by Google Trends, to promote blogs hosted on Windows Live Spaces and AOL Journals. These blog pages then use fake videos to entice users into clicking on them and installing a fake video codec.

 

 

Using Google to search for yesterday's top trend, ‘oj simpson verdict’, on live.com gives several suspect results.

The suspect Windows Live Spaces pages are all similar to the one shown below. A similar thing is happening with AOL Journals blog pages.

 

 

The image of a media player (which we have seen many times before in spam campaigns) is a link to the domain video.xmancer.org. This domain acts as a redirector, sending the victim to one of several domains hosting another image of a media player.

This image is a link to the malware executable, hosted on a fourth domain. The malware is not well detected by antivirus programs. Once run, it installs one of the many rogue antivirus programs such as System Antivirus 2009 and VirusResponse Lab 2009 shown below.

 


This whole operation is just one example of how criminals are using free services such as Windows Live Spaces to help them spread malware, and it shows that search results and legitimate services can't always be trusted. Another example that we wrote about last week is the use of livefilestore.com to redirect users to malware-serving websites.
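The chain described above (blog page, redirector, second media-player page, executable on a fourth domain) can be hunted for in web proxy logs by walking Referer headers back from each executable download. The following is an added example, not code from the original post; the log layout, the blog hostnames and the `.example` hosts are assumptions, and it assumes every hop records the previous page as its Referer.

```python
from urllib.parse import urlsplit

# Assumption: hostnames used by the free blog services named in the post.
BLOG_HOSTS = ("spaces.live.com", "journals.aol.com")
EXEC_EXT = (".exe", ".msi", ".scr")

# Constructed sample proxy records: (client, url, referrer).
# Only video.xmancer.org comes from the post; *.example hosts are placeholders.
SAMPLE_LOG = [
    ("10.0.0.5", "http://someblog.spaces.live.com/blog/1", "http://www.google.com/search?q=oj+simpson+verdict"),
    ("10.0.0.5", "http://video.xmancer.org/", "http://someblog.spaces.live.com/blog/1"),
    ("10.0.0.5", "http://player.example/watch.html", "http://video.xmancer.org/"),
    ("10.0.0.5", "http://files.example/codec_setup.exe", "http://player.example/watch.html"),
    ("10.0.0.9", "http://vendor.example/tool.exe", "http://vendor.example/downloads"),
]

def host(url):
    return (urlsplit(url).hostname or "").lower()

def is_blog_host(h):
    return any(h == b or h.endswith("." + b) for b in BLOG_HOSTS)

def referrer_chain(records, client, url):
    """Walk Referer headers backwards from url for one client; hosts oldest-first."""
    by_url = {(c, u): r for c, u, r in records}
    chain, seen = [host(url)], {url}
    ref = by_url.get((client, url))
    while ref and ref not in seen:  # 'seen' guards against referrer loops
        seen.add(ref)
        chain.append(host(ref))
        ref = by_url.get((client, ref))
    return chain[::-1]

def suspicious_downloads(records, min_hops=3):
    """Flag executables reached from a blog page via >= min_hops other distinct hosts."""
    hits = []
    for client, url, _ in records:
        if not urlsplit(url).path.lower().endswith(EXEC_EXT):
            continue
        chain = referrer_chain(records, client, url)
        blog_idx = next((i for i, h in enumerate(chain) if is_blog_host(h)), None)
        if blog_idx is None:
            continue
        after = list(dict.fromkeys(chain[blog_idx + 1:]))  # distinct hosts after the blog
        if len(after) >= min_hops:
            hits.append((client, url, chain[blog_idx:]))
    return hits
```

The default `min_hops=3` mirrors the post's chain, in which the executable sits on the third domain after the blog host; the same-site download from `vendor.example` is not flagged.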


Last Reviewed: October 6, 2008 by Gavin Neale