• by Laurie Sullivan  @lauriesullivan, April 28, 2010

Online security experts believe Google's quest to remain transparent could work against it. Using a combination of Google Trends, search engine optimization (SEO) and malicious ads, virus distribution networks thrive.

Fake antivirus programs account for 15% of all the malware Google sees on the Web, and 50% of all malware delivered via ads -- up fivefold compared with a year ago, according to a new report from the Mountain View, Calif. search engine.

The paper, presented at the Usenix Workshop on Large-Scale Exploits and Emergent Threats Tuesday in San Jose, Calif., analyzed 240 million Web pages between January 2009 and February 2010. During that time, Google detected more than 11,000 domains involved in fake antivirus operations.

Google researchers who presented the paper -- Moheeb Abu Rajab, Lucas Ballard, Panayiotis Mavrommatis, Niels Provos, and Xin Zhao -- discovered that fake antivirus domains have more landing domains that funnel traffic than other infection domains, and distributors rely heavily on ads and domains with pages that contain trending keywords.

Don DeBolt, director of threat research for CA's Internet security business unit, points to Google's transparency in Google Trends and the frequency with which it releases search data as one of the main culprits for the rise of blackhat search engine optimization (SEO) and malware.

Hackers now have access to near-real-time data. "They have perfected the use of Google trend data to build viable targets, because the content indexed is driven from popular searches at any moment in time," he says. "In the past we saw mass keyword SEO, where static content was placed on compromised Web sites and later indexed by Google, but now that content has grown more dynamic."

Malware authors have built code that queries Google trend data and pulls down content related to trends, which in turn is indexed by Google's engine, too. CA plans to release similar research in September that compares when the event happens, when topic keywords begin to trend online and when the first "poison search terms" get indexed.

DeBolt says related search keyword terms as queries that are typed into search boxes also present fodder for hackers.

One test run by Google researchers looks at URLs from Google ads. The group screened the pipeline to find and block malicious ads to prevent them from being served to people searching on the engine. While running the test, researchers encountered ads from non-Google networks while processing other Web pages from Google's index.

"Unsurprisingly, as the popularity of fake antivirus has increased, so has the number of times fake antivirus domains are delivered by ad networks," researchers wrote.

Fake antivirus is a quickly growing attack trend. The domains often target high-profile sites, such as Facebook, The New York Times, and Twitter. DeBolt believes.

"We're likely to see to see new distribution tactics for more complicated threats, and the scale in which these threats can be distributed through blackhat SEO is tremendous," DeBolt says.

DeBolt says the fake viruses get distributed through localization technology built into Google. Hackers use this technology to cast a wider net, taking advantage to affect as many potential victims as possible.