Wikileaks Black Hat Campaigns (Dec 16, 2010)

The SonicWALL UTM Research team discovered polluted results appearing in search engine results for Wikileaks-related search terms. Malware authors often use SEO poisoning campaigns to lure unsuspecting users into clicking on malicious links strategically placed in search engine results. This technique has traditionally been used by malware authors in Black Hat SEO campaigns around all major events. However, this is the first time we have observed Wikileaks-related terms being used in Black Hat SEO campaigns. The search term “Julian Assange Wikileaks” leads users to the polluted search result shown below:

screenshot

If the user clicks on the malicious link in the search results, the following happens on the victim’s machine:

  • The initial link redirects users to a FakeAV landing page.

    screenshot

  • If the user downloads and runs the FakeAV executable, it performs the following on the victim’s machine:
    • Drops the following files:
      • %temp%/systempack8_195.exe (Copy of Itself) [Detected as GAV: Kryptik.IXE (Trojan)]
      • %USERPROFILE%/Application Data/7b4dd2/IA7b4_195.exe [Detected as GAV: Suspicious#fakeav_2 (Trojan)]

    • Creates the following registry entry to ensure that the dropped malware runs on every system reboot:
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce: “%temp%/systempack8_195.exe”
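A defender-side check for the persistence pattern described above: a Run/RunOnce value whose executable lives in the user temp folder or in a short random-hex directory under Application Data. This is an added example, not code from the SonicWALL advisory; the sample registry entries are constructed from the paths in the text, and the 4 to 8 hex-character directory-name heuristic is an assumption.

```python
import re

# Autostart keys: the RunOnce key abused by the FakeAV sample plus its Run sibling.
AUTORUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Locations a legitimate installer rarely uses for a persistent program:
# a temp directory (%temp%, %tmp%, ...\Temp\...) or a random-hex folder directly
# under "Application Data" (the sample used .../Application Data/7b4dd2/).
# The 4-8 hex-character length is an assumed heuristic, not from the advisory.
SUSPICIOUS_PATH = re.compile(
    r"(^|[\\/])(%temp%|%tmp%|temp)[\\/]"
    r"|application data[\\/][0-9a-f]{4,8}[\\/]",
    re.IGNORECASE,
)


def executable_path(value_data: str) -> str:
    """Strip quotes and trailing arguments; return text up to the first '.exe', or ''."""
    cleaned = value_data.strip().strip('"')
    idx = cleaned.lower().find(".exe")
    return cleaned[: idx + 4] if idx >= 0 else ""


def flag_autorun_entries(entries):
    """Return (key, value_name, exe_path) for autorun values pointing at a
    suspicious location. `entries` is a list of (key, value_name, value_data)
    tuples, as exported with `reg query` or a registry-collection tool."""
    autorun = {k.lower() for k in AUTORUN_KEYS}
    hits = []
    for key, name, data in entries:
        if key.lower() not in autorun:
            continue
        exe = executable_path(data)
        if exe and SUSPICIOUS_PATH.search(exe):
            hits.append((key, name, exe))
    return hits


# Constructed sample: two benign-looking entries and the two dropped FakeAV paths.
SAMPLE_ENTRIES = [
    (AUTORUN_KEYS[1], "OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    (AUTORUN_KEYS[0], "systempack", "%temp%/systempack8_195.exe"),
    (AUTORUN_KEYS[1], "IA7b4", r"%USERPROFILE%\Application Data\7b4dd2\IA7b4_195.exe"),
    (r"HKEY_CURRENT_USER\Software\Classes", "Ignored", "%temp%/not_an_autorun_key.exe"),
]

if __name__ == "__main__":
    for key, name, exe in flag_autorun_entries(SAMPLE_ENTRIES):
        print(f"suspicious autorun: {key}\\{name} -> {exe}")
```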

Cyber criminals may be using the popularity garnered by Wikileaks to their advantage, as also observed with the mirror listing site “wikileaks.info”, which is hosted in an address space known to be under the control of cyber criminals. Although the hosted site has not been found serving any malicious content so far, we advise users to exercise caution when visiting this domain.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

GAV: Kryptik.IXE (Trojan)
GAV: Suspicious#fakeav_2 (Trojan)

screenshot
