Google’s search rankings are being stuffed with links to fake security software that purports to remove Conficker, a widespread worm that’s currently the Internet’s number one security threat, but doesn’t.
Certain search terms will bring up a host of Web pages that could either infect a PC with malicious software or try to sell a dodgy security program, said Rik Ferguson, senior security advisor for the vendor Trend Micro.
Ferguson said he’s noticed an uptick in these kinds of sites over the last day or so as other legitimate software tools have been released that can detect Conficker, which has infected between 3 million and 10 million PCs worldwide.
For example, a search for “Nmap Conficker” will bring up malicious results, Ferguson said. Nmap is an open-source networking tool that has been upgraded to detect Conficker infections. Ferguson said he was surprised at how quickly the scammers began manipulating Google with those search terms, as Nmap was just recently upgraded.
Scammers game Google’s search engine by creating Web sites full of search terms, Fergusons said. Another tactic is spamming high-traffic Web sites that lead back to their malicious site in order to drive their Web site up the search ranks.
Google has been battling those who try to manipulate its search engine, but the scammers sometimes win out for a while. Ferguson, who posted screen shots of searches he did late Monday night, said he has contacted Google about his findings.
The fake security software Web sites will ask a user to download a file that scans a machine for malware. The software usually tells the user the PC has malicious software even if it isn’t infected, Ferguson said. The software will then badger the user to buy the questionable security program.
“Once you’ve downloaded it, it’s extremely difficult to get that stuff off your machine,” Ferguson said.
Finnish security vendor F-Secure has also seen a number of new domain registrations for Web sites selling software that supposedly removes Conficker, according to a company blog.
One of those programs, called MalwareRemoval Bot, demands US$39.95 to remove malware. But it doesn’t work.
“It does not remove Conficker.C,” wrote Patrik Runald, security response manager for F-Secure. “It didn’t do a thing.”
Conficker is a difficult-to-remove worm that has vexed the security community. Versions of the worm spread by taking advantage of a vulnerability in the Microsoft Windows Server service, through infected removable media or brute-forcing weak passwords.
The security community is bracing itself for Wednesday, when the Conficker.C variant will become active. The worm is programmed with an algorithm that will generate random domain names. If one of those domain names is live, the worm will go to the Web site and try to download further instructions.
Conficker.C is programmed to generate 50,000 domain names a day and will then try to access 500 of those names per day, according to the security company Websense.
Those controlling Conficker have yet to use it for malicious purposes, but the vast number of machines that are infected means the botnet could be capable of devastating denial-of-sevice attacks, spam campaigns or widespread data theft.
Microsoft is offering a $250,000 reward for information leading to the arrest and conviction of Conficker’s creators.