Domain name registration - a malware spreading vector

Search engines search

Popular search terms are strongly influenced by the hot topics the general public is talking about. During the past few weeks, one would presume that search terms such as "swine flu" and "H1N1" have been among those most searched for. It seems a safe bet that neither of them was among the top million search topics half a year ago. Celebrity names are another popular search topic.

New topics of conversation (and thereby new search engine terms) are particularly interesting to persons with malicious intent.

The (obvious) chapter title tells us that search engines search (the Internet). The aim of such engines is to present, to those seeking particular information, the most relevant pages at the top of the list of web pages that meet the search criteria.

The search engines use several techniques to do this, some of which are:
  • domain names that correspond to the search term are taken into account,
  • more links from other web sites are better than fewer links,
  • using the searched-for term twice on a page is in general better than once,
  • using the search term in the page title as well as in the text helps the ranking.
See for example the information from Google to learn more about how that particular search engine uses different criteria in ranking pages. In addition to the automatic ranking criteria, it is possible to pay to get one's pages listed higher.

If many well-designed pages already exist for a search term, it is more difficult for a new web page or site to reach the top of the listing. New terms, on the other hand, require less effort, and a newly registered domain name with corresponding web pages can easily rank high in the search results.

Since page ranking is almost exclusively automated, it is possible for a person with malicious intent to get her web site listed high by registering one or several cleverly designed domain names. It should be mentioned that some search engines, for example Google, attempt to block sites that are known to have harmful content. A person who wishes to use her web site to spread malware may therefore rely on clever social engineering to trick surfers into clicking on download links and installing harmful content, rather than on automatic infection techniques.

This domain name registration technique became massively popular with the Storm/Tibs family of worms, which appeared a few years ago and is still active to some extent.

The examples we have seen of malware spread through web sites whose domain names correspond to popular events are mostly what we call rogue programs: "antivirus" and "antispyware" programs that in reality are advertising programs and/or extortion software.
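A defender-side way to use the observation above is to watch new domain registrations for names that embed currently trending terms. The following is an added example, not code from the original article; the trending terms, domain names and registration dates are constructed, and the 30-day age threshold is an assumed tuning value.

```python
"""Flag newly registered domain names that embed trending search terms."""
from datetime import date
import re

# Constructed sample inputs for the example; these are not real registrations.
TRENDING_TERMS = ["swine flu", "h1n1", "tamiflu"]

REGISTRATIONS = [
    {"domain": "swine-flu-vaccine-now.example", "registered": date(2009, 11, 2)},
    {"domain": "h1n1news.example", "registered": date(2009, 10, 30)},
    {"domain": "cdc-archive.example", "registered": date(2005, 3, 14)},
    {"domain": "swineflu.example", "registered": date(2007, 1, 5)},
]


def normalize(text: str) -> str:
    """Lowercase and drop everything that is not a letter or digit, so that
    "swine flu", "swine-flu" and "swineflu" all compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def matching_terms(domain: str, terms):
    """Return the trending terms embedded in the registrable label of domain."""
    label = normalize(domain.rsplit(".", 1)[0])  # strip the TLD
    return [t for t in terms if normalize(t) in label]


def flag_registrations(registrations, terms, today, max_age_days=30):
    """Return (domain, matched_terms) for registrations no older than
    max_age_days whose name embeds at least one trending term. Older domains
    are skipped: the page's point is that *new* names ride a *new* term."""
    flagged = []
    for reg in registrations:
        age_days = (today - reg["registered"]).days
        if age_days > max_age_days:
            continue
        hits = matching_terms(reg["domain"], terms)
        if hits:
            flagged.append((reg["domain"], hits))
    return flagged


if __name__ == "__main__":
    # Assumed "today" for the constructed data.
    for domain, hits in flag_registrations(REGISTRATIONS, TRENDING_TERMS, date(2009, 11, 5)):
        print(f"review: {domain} embeds {hits}")
```

A hit is a triage signal, not proof of malice: the article itself notes that many such registrations are legitimate, so flagged domains should be reviewed (content, hosting, reputation) rather than blocked outright.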

A general piece of advice

What should you do, then, if you want information about a "hot" topic that interests you? Not using the available search technology seems too extreme an approach.

Some general pieces of advice are:
  • Use well-known news sites to get news information.
  • Do not install or run software from web sites that you are not familiar with and do not trust.
and of course the ever-valid one:
  • Use healthy skepticism!

It may be obvious, but we would nevertheless like to stress that not all domain names containing popular search terms are malicious or created with bad intent. There are perfectly legitimate reasons to register such names. This article's main message is to point out yet another technique a person with criminal intentions uses to make her web site more tempting and accessible.

We recommend caution if you test the content of this article by searching live for such terms and opening the resulting web pages.