Manipulating the Internet Muttik

Traditionally, viruses and other malware were distributed using push techniques – viruses directly or malware authors actively distributed copies around. With the exception of auto-executing worms this method of distribution requires user intervention – a user has to click on an email attachment or launch a program. And users have been told for years to be very cautious about all unsolicited emails. So, in such situations users’ defences are higher and such objects are more likely to be avoided or treated with caution. The situation changes if a user himself is browsing the Internet looking for something. Being motivated to complete what he perceives to be his own task, (s)he is very likely to lower his defences. We are seeing now that ‘bad guys’ are manipulating the Internet to make sure their malicious software is executed by a large number of unsuspecting users. So far we have observed at least five different kinds of attack: manipulation of search engines, DNS poisoning, hacking into websites, domain hijacking and exploiting common user mistakes (typos). We analyse and dissect a case where malicious code was distributed using a technique we called ‘index hijacking’ – when popular search engines point unsuspecting users to malicious sites. We also investigate a case of ‘link hijacking’, where a legitimate website pointed users to a bad site involved in ‘index hijacking’. We also discuss DNS poisoning, when users type a URL correctly, but manipulated DNS servers bring them to a completely different location. And finally, we touch on the topic of ‘typosquatting’ for malware distribution – exploitation of common users’ mistakes such as typos in a website’s URL. Important note: many URLs given in this paper point to malicious websites. Do not follow these links. If you do, it is at your own risk.