Thursday, September 9, 2010

Google & malicious spam: a cat and mouse game

The good guys (Google in our case) are trying to stop the bad guys (blackhat SEO spammers) from infecting victims by leveraging legitimate resources. The bad guys try to stay ahead of the game by continually changing their attacks. Google has made visible changes in the last two weeks to Google Hot Trends and their search engine in order to stop spammers from abusing their system.


Tighter Google Hot Trends queries

The reason I became aware of Google's latest changes is that the scripts I use to harvest malicious spam links from Google results broke about 2 weeks ago! Fortunately for me, and probably for the attackers, the changes were trivial to get around.

The first change I noticed was for Google Hot Trends. Attackers use this page to identify popular search terms, which they then use for their spam pages. To get a list of 20 popular searches for any given day, the following request can be used:

   http://www.google.com/trends/hottrends?sa=X&date=<date>

Where <date> is in the form YYYY-MM-DD. For example, "2010-9-7".

If the month or day is less than 10, a single digit must be used. I had previously been able to access Google Hot Trends using 09 for September and 07 for the day, for example:

   http://www.google.com/trends/hottrends?sa=X&date=2010-09-07

But now, you have to use the right format (no leading 0), or you'll get an error message:

New error message on Google Hot Trends

This change might be aimed at stopping the spam SEO command center from getting the list of keywords for its spam pages, but it is very easy to work around.

Google "Sorry" page

If you run a lot of queries for the popular searches, especially with the parameters inurl: or site:, you can now receive the Google "Sorry" page very quickly, even when conducting manual queries.

Google "Sorry" page stops me from doing more queries

Once again, the workaround is easy: increase the time between subsequent Google queries.


Aggressive blacklisting

Google is usually very reluctant to blacklist the hijacked sites which host spam pages, and prefers to focus on blocking the actual malicious pages. But they have done just that for most of the infamous "Hot Video" fake video pages.

Google warns about the "Hot Video" spam pages

This means all users, including Internet Explorer users who do not benefit from Google SafeBrowsing, are better protected.

Attackers fight back

Attackers fight back by... adding white space to their fake AV HTML code! Surprisingly, instead of using randomized JavaScript obfuscation to hide the fake AV pages, the attackers have chosen to simply add random white space to the HTML code.

Fake AV source code with white spaces

This is actually an easy way to break security tools which rely on rigid signatures to detect such pages. Such tools include antivirus engines, deep packet inspection devices, etc.
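As an added example (not code from the original post), here is a small Python illustration of why the white space trick defeats a rigid signature and how a detection tool can counter it by normalizing white space before matching. The HTML fragments and the signature string are constructed for this example, not taken from a real fake AV page.

```python
import re

# Constructed sample: the same fake AV page fragment as first served, and
# again padded with random whitespace as the post describes. The markup
# and strings are made up for this example, not taken from a real page.
ORIGINAL_PAGE = (
    '<div id="warning"><b>Warning!</b> Your computer is infected!'
    '<a href="download.php">Install Antivirus Now</a></div>'
    '<script>function scan(){document.getElementById("warning")'
    '.style.display="block";}</script>'
)
PADDED_PAGE = (
    '<div   id = "warning"><b>Warning!</b>   Your computer is\n\t infected!'
    '<a  \n href="download.php">Install  Antivirus\n Now</a></div>'
    '<script>function scan( )  {document.getElementById("warning")   '
    '.style.display = "block";}</script>'
)

# A rigid signature: an exact substring, single spaces included.
RIGID_SIGNATURE = ('Your computer is infected!'
                   '<a href="download.php">Install Antivirus Now</a>')

def rigid_match(page: str) -> bool:
    """Exact substring match, the kind that whitespace padding defeats."""
    return RIGID_SIGNATURE in page

_WS_RUN = re.compile(r"\s+")
_WS_AROUND_PUNCT = re.compile(r'\s*([<>=(){};"])\s*')

def normalize(page: str) -> str:
    """Collapse each whitespace run to one space, then drop the spaces
    around HTML/JS punctuation, where they carry no meaning."""
    page = _WS_RUN.sub(" ", page)
    return _WS_AROUND_PUNCT.sub(r"\1", page)

# Normalize the signature with the same function so both sides agree.
NORMALIZED_SIGNATURE = normalize(RIGID_SIGNATURE)

def normalized_match(page: str) -> bool:
    """Signature match on whitespace-normalized content."""
    return NORMALIZED_SIGNATURE in normalize(page)

def scan(pages: dict) -> dict:
    """Return {name: (rigid_hit, normalized_hit)} for each page."""
    return {n: (rigid_match(p), normalized_match(p)) for n, p in pages.items()}

if __name__ == "__main__":
    for name, hits in scan({"original": ORIGINAL_PAGE, "padded": PADDED_PAGE}).items():
        print(f"{name:9s} rigid={hits[0]!s:5s} normalized={hits[1]}")
```

The normalization here is deliberately coarse: white space inside `<pre>` blocks, attribute values or JavaScript string literals is significant, so a production engine has to normalize per context rather than over the whole page. It also only addresses the white space trick, not the randomized JavaScript obfuscation the post mentions.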

Fake AV pages with obfuscated content remain very rare: I see only 1 or 2 instances a week out of hundreds of such pages. This is concerning, as it suggests that such steps are not yet necessary because non-obfuscated pages aren't being detected.

AV vendors still asleep

The only people who seem to stay out of the game are antivirus vendors. The detection rate of malicious executables disguised as antivirus solutions is still very low, often under 15%, as with this example.

As security researchers, we have to keep monitoring malicious spam SEO, since attackers keep tweaking their spam and malicious pages, in order to keep our protections up to date.

-- Julien
