ReadWriteWeb

In 2009, security company Symantec noticed a particularly complex malware code infecting users' computers. At first the company did not think much of it outside of the fact that is was unusually complicated. The company wrote detection and repair codes for it. Once detected, malware usually shrivels and dies. Yet, the malicious code, known as W32.Xpaj.B, did not go away. It morphed and evolved, allowing one group of cyber criminals to use it for years to perpetrate a search engine click-fraud scheme that netted the hackers an easy $62,000 from unwitting advertisers.

Symantec was able to track down the command and control servers that were running W32.Xpaj.B and did a full breakdown on how the scam worked. The results were surprising - a complex code working on top of a simple infrastructure - and showed how easy it is for criminals to set up malware workshops and watch the money roll in.

Search engine poisoning is the most prevalent form of malware delivery on the Web, according to the security researchers at Blue Coat. In its 2011 Mid-Year Security Report Blue Coat outlined the biggest threats to Web security and the attack vectors that malware providers are using to infiltrate users' computers.

Search engine poisoning (SEP) makes up 40% of malware delivery vectors on the Web. The practice is when malware and spam attackers inundate search results with links to bait pages that will take users to malicious websites that will download malware to a computer. Spammers reach higher in search rankings by creating link farms that drive their poisoned pages further up search results. People want to be able to trust that what they search for in Google, Bing or Yahoo is safe to click on. Users are not conditioned to think that search results could be harmful to the health of their computers. The other leading attack vectors on the Web all pale in comparison to SEP, with malvertising, email, porn and social networking all 10% of malware delivery.

Today Zynamics, a company that makes security analysis tools, announced that it has been acquired by Google. Zynamics specializes in tools for reverse engineering binary executables - in other words, analyzing software for which no source code is available.

Zynamics is probably best known for BinDiff, a tool for sniffing out the differences between different executable files. It's used by third-party security researchers figure out what vulnerabilities were fixed after a piece of software receives a security patch. However, Thomas Ptacek of Matasano Security speculates on Hacker News that Google acquired the company either for its VxClass product or purely as a talent acquisition. Judging by the statement a Google spokesperson gave TechCrunch, it's likely both.

As a follow-up to our article "What You Need to Know About Malvertising:" Dasient saw a spike in the number of websites hosting malware in Q2 of this year, according to the security-as-a-service company's Q2 Malware Report. According to Dasient, over 1.3 million web sites host malware - more than twice as many as the company found in Q2. Also, malvertising campaigns tend to start on weekends, javascript based attacks are on the rise and ASP pages are increasingly targeted.

On September 14, 2009 New York Times readers were automatically redirected to a site hosting malmare thanks to an ad containing malicious code. On July 15 2010, TweetMeme was the victim of a similar attack and began sending its users to a "scareware" site. These are just two examples of "malvertising," one of the fastest growing security threats on the web. It's particularly scary because potentially any site with advertising could be a target, and users don't even have to click the ads to trigger malware. Use a Mac? You could still fall victim to phishing scams perpetuated by malvertisers. Scary stuff. So what do you need to know?

Microsoft is taking aim at malvertising in an effort to curb the phenomenon. The Redmond company filed five civil law suits in King County Superior Court this morning after finding that a number of online advertisers were delivering malicious code to users. In the past ReadWriteWeb has covered a number of malvertising scams including the Facebook Fan Check virus' scareware scam. As was the case with Fan Check, the 5 companies are being accused of mimicking Windows security updates and tricking users into running fake programs.