Basically, search poisoning involves causing search engines to display links to websites with malicious software on them high up in the search results.
Cybercrooks use automation tools to build websites filled with hundreds of megabytes of commonly used search terms. These sites then get indexed and show up in the search results. Initially, the sites don’t contain malware but, as they climb in the search rankings the switch to an infected site is made. As an example, in a post-Thanksgiving 2007 attack, vandals loaded popular holiday gift search ideas into tens of thousands of malware-serving sites.
Comment spam left on bulletin board systems and blogs is also a common method of increasing the rankings. The comment spam can be left by botnets.
As with all Web page exploits, the page can have code on it that automatically infects; sometimes using unpatched holes. Or, the visitor will be prompted to download and install a browser helper or CODEC in order to properly view the site. Some of these prompts may even look like official prompts asking you to upgrade a browser helper (e.g., PDF viewer or Flash player) the visitor already has.
Search engines are usually quick to remove poisoned links once they are known but the malware producers are pretty clever about making and distributing this content so it’s almost a guarantee that some will slip by. For example, 27 January 2009, Google Video search was hit with a search poisoning attack
involving the W32/AutoTDSS.BNA! worm and associated X-rated website.
Summary
- Search poisoning involves causing search engines to display links to bad websites.
- The websites may have valid content for some period before turning malicious. This makes their search rankings higher.
- Search engines probably can’t keep up at all times.
 How Viruses Infect |
|
 |
 |
| Peer-to-Peer Network | Trusted Software or Site |