Holiday Shopping – Black Hat SEO (Nov 18, 2010)


SonicWALL UTM Research team discovered a number of polluted results appearing in search engine results for holiday shopping related search terms. Malware authors often use SEO poisoning technique to lure unsuspecting users into clicking on malicious links strategically placed in search engine results. For instance, search term “Walmart Black Friday Sales 2010” leads users to the malicious search results shown below


If the user clicks on the malicious link then it performs the following on the victim’s machine

  • The initial link redirects users to another page containing a JavaScript, an extract of which is shown below. Based on the user’s web browser it redirects to an appropriate landing page.


  • If the user is using Internet Explorer it redirects to a FakeAV landing page


  • If the user is using Firefox then it redirects to a fake Firefox update page suggesting an upgrade to flash player:


    If the user downloads and executes the fake flash update then it performs the following on the victim’s machine

    • Drops files:
      • %temp%/Img.exe [Detected as GAV: Renos.MJ_4 (Trojan)]
      • %temp%/Imh.exe [Detected as GAV: Renos.MJ_4 (Trojan)]
      • %temp%/Imi.exe [Detected as GAV: Renos.MJ_4 (Trojan)]
      • %windir%/Ipisoa.exe (Copy of Img.exe) [Detected as GAV: Renos.MJ_4 (Trojan)]

    • Creates registry entry to ensure that the dropped malware runs on every system reboot:
      • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun: “%temp%/Imh.exe”
    • Posts confidential data back to remote servers


    • It redirects the browser and opens pop-up windows

Similar results were observed for other post Thanksgiving holiday shopping season related search terms like “Black Friday” and “Cyber Monday”.

SonicWALL Gateway AntiVirus provides protection against this threat via following signatures:

GAV: Renos.MJ_4 (Trojan)
GAV: GAV: FakeAlert.SR (Trojan)
GAV: JSRedir.BF (Trojan)
GAV: Suspicious#fakeav.html (Trojan)


Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.