Most malicious sites behind spam Search Engine Optimization (SEO) poisoning attacks lead to fake antivirus pages. These sites rely on social engineering: they trick users into believing their computer is infected, and they require user interaction to execute and install the malicious file, which is disguised as an antivirus program.
Well-hidden exploits
Mike reported a 300 percent increase in Java exploits last month. These new pages are very similar to what we saw before. A malicious JAR file is launched automatically through a Java ActiveX control vulnerability in Internet Explorer, or through the Java Quick Starter, which is installed silently on Firefox by a recent Java Plugin update. The malicious JAR files are not flagged by most antivirus vendors.
Like all spam SEO, the attack starts with legitimate sites being hacked. New pages are added to target popular search terms, in order to appear in the first few pages of a Google search. When a user clicks on a spam SEO link, they are actually redirected to a different URL, such as hxxp://www.hutriken.com/nvu_y/hqpa_b_.php. This page checks whether the browser supports Java and, if so, automatically submits the following form:
If the user, or a security tool, fails to meet the prerequisites at any stage (missing browser capabilities, multiple requests to the same page, etc.), the visitor is instead redirected to http://google.com/.
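As an added example (not code from the original post), the following Python flags the chain described above in constructed proxy-log lines: a landing page reached from a search result, an immediate bounce to a page on an unrelated host, and then either a JAR download or a hand-off to google.com. The log format, client addresses, hacked-site.example and the load.jar filename are assumptions; www.hutriken.com is the redirect host quoted in the post.

```python
from collections import defaultdict, namedtuple
from urllib.parse import urlparse

# Constructed proxy log: client status url referer content-type (space separated)
SAMPLE_LOG = """\
10.0.0.5 200 http://www.google.com/search?q=popular+term - text/html
10.0.0.5 200 http://hacked-site.example/popular-term.html http://www.google.com/search?q=popular+term text/html
10.0.0.5 200 http://www.hutriken.com/nvu_y/hqpa_b_.php http://hacked-site.example/popular-term.html text/html
10.0.0.5 200 http://www.hutriken.com/nvu_y/load.jar http://www.hutriken.com/nvu_y/hqpa_b_.php application/java-archive
10.0.0.9 200 http://www.google.com/search?q=popular+term - text/html
10.0.0.9 200 http://hacked-site.example/popular-term.html http://www.google.com/search?q=popular+term text/html
10.0.0.9 302 http://www.hutriken.com/nvu_y/hqpa_b_.php http://hacked-site.example/popular-term.html text/html
10.0.0.9 200 http://google.com/ http://www.hutriken.com/nvu_y/hqpa_b_.php text/html
10.0.0.7 200 http://news.example/article.html http://www.google.com/search?q=news text/html
"""
LogEntry = namedtuple("LogEntry", "client status url referer ctype")
SEARCH_HOSTS = ("google.", "bing.", "yahoo.")

def parse(log):  # one LogEntry per non-empty line, in arrival order
    return [LogEntry(*line.split()) for line in log.splitlines() if line.strip()]

def host(url):
    return (urlparse(url).hostname or "").lower()

def is_search_result(url):
    """True for a search-engine results page, i.e. the click that started the chain."""
    return any(s in host(url) for s in SEARCH_HOSTS) and "/search" in urlparse(url).path

def find_chains(entries):
    """Return (client, redirect host, verdict) for every suspicious chain."""
    by_client = defaultdict(list)
    for e in entries:
        by_client[e.client].append(e)
    alerts = []
    for client, reqs in by_client.items():
        for landing, hop, nxt in zip(reqs, reqs[1:], reqs[2:]):
            # 1. the landing page was reached from a search result
            if not is_search_result(landing.referer):
                continue
            # 2. it immediately bounced the visitor to a page on an unrelated host
            if host(hop.url) == host(landing.url) or host(hop.referer) != host(landing.url):
                continue
            # 3a. that host then serves a JAR: likely exploit delivery
            if nxt.ctype == "application/java-archive" or nxt.url.lower().endswith(".jar"):
                alerts.append((client, host(hop.url), "jar-delivered"))
            # 3b. or hands the visitor off to google.com: the cloaking fallback
            elif host(nxt.url).endswith("google.com") and host(nxt.referer) == host(hop.url):
                alerts.append((client, host(hop.url), "bounced-to-google"))
    return alerts
```

Running `find_chains(parse(SAMPLE_LOG))` reports one JAR delivery and one google.com bounce, both via www.hutriken.com, while the ordinary search click by 10.0.0.7 is left alone.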
The exploit uses a heap spray technique via ActionScript. We've posted an extended analysis of this type of exploit back in December. Like the Java exploit, no user interaction is needed for the exploit to run.