Google Hot Search topics are turning out to be a useful tool for security researchers at SonicWall who are trying to find URLs for malicious Web sites as well as signatures to help block the malware they contain.
Under a month-old trial project that may become part of the team's routine malware hunting, the malicious code research team regularly finds infected sites among the top 100 results returned by Google's real-time search engine for those Hot Search topics, says Nick Bilogorskiy, the manager of the team.
On Friday, he found search results for "Jordan Hicks announcement" (about a high-school football player) that led to malicious sites, and he expected that soon there would be one for "bank of America website down" (because the bank's Web site was out of commission most of the day); both terms were then on the Hot Searches list.
The project tracks those Google Search keywords that are trending, captures the top 100 or so results and runs an algorithm on them seeking suspicious sites. Bilogorskiy checks them manually to find out if the suspicious sites actually lead to malware. "We get some false positives," he says.
Most of the malware he encounters redirects users to fake antivirus sites that pretend to discover malware on the user's computer and offer to sell antivirus software that will clean it up.
In most cases, Bilogorskiy says, users are redirected only if they arrive by clicking on the Google Search link to the site. If the URL for the site is typed in directly, there is no redirection to the malware site, he says. Serving different content depending on where the visitor came from is a common cloaking technique, typically keyed on the HTTP Referer header, and it means a plain fetch of the URL from a scanner will not reproduce what a victim sees.
SonicWall sells its own antivirus and antimalware software, and after encountering sites that spread malware, the team writes signatures to block the malware itself and also blocks access to those URLs, he says.
Bilogorskiy writes about infected sites in his Twitter account (belogor), but says he doesn't post the URLs in his tweets so his curious followers don't go there and get their computers infected.
He says part of the project is following up on the infected sites returned by Hot Search to see how long they remain among the top 100. Google cleans up the list itself, but the infected sites often linger for several hours after Bilogorskiy finds them. "I'll see 18 malware results in the top 100 and run it again three hours later and it would be 10, and run it again and there are no malware results," he says.
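The two checks described above (a redirect that appears only for visitors arriving from a Google search, and re-scanning the top results over several hours to see how long a flagged site lingers) can be reproduced with a small script. The following is an added example written for this page, not SonicWall's tooling: it fetches each result URL twice, once bare and once with a Google referer, and flags any URL that redirects off-site only in the second case; a separate function records first-seen and last-seen times across repeated scans. The host names, the referer value and `fake_fetch` are constructed so the example runs offline; swap in `http_fetch` to hit real URLs, and do that only from an isolated machine, because the destinations are by definition hostile. Cloaking can also key on User-Agent, cookies or client IP, so a site that passes this check is not proven clean.

```python
"""Referer-cloaking check for search-result URLs, plus a linger tracker.

Added example, not SonicWall's tooling. Host names below are constructed.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

USER_AGENT = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36"
# Assumed: a referer of the kind a Google result click would have carried.
GOOGLE_REFERER = "https://www.google.com/search?q=jordan+hicks+announcement"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the 3xx and its Location header surface."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, headers):
    """One request, no redirects followed. Returns (status, Location or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # a 3xx lands here with _NoRedirect
        return err.code, err.headers.get("Location")


def referer_cloaking(url, fetch=http_fetch):
    """Return the off-site destination served only to Google referrals, else None.

    Two requests: one bare, one carrying a Google referer. A redirect to
    another host that appears only in the second request is the signature
    the article describes. Same-host redirects (e.g. / -> /index.html) are ignored.
    """
    base = {"User-Agent": USER_AGENT}
    _, plain_loc = fetch(url, dict(base))
    _, ref_loc = fetch(url, dict(base, Referer=GOOGLE_REFERER))
    if ref_loc is None:
        return None
    dest = urljoin(url, ref_loc)
    if urlsplit(dest).netloc == urlsplit(url).netloc:
        return None
    if plain_loc is not None and urljoin(url, plain_loc) == dest:
        return None  # redirects everyone the same way; not referer-conditional
    return dest


def scan_results(urls, fetch=http_fetch):
    """Run referer_cloaking over a result list; map flagged URL -> destination."""
    flagged = {}
    for url in urls:
        dest = referer_cloaking(url, fetch)
        if dest:
            flagged[url] = dest
    return flagged


def linger_report(runs):
    """runs: [(hours_since_first_scan, set_of_flagged_urls), ...] in time order.

    Returns {url: (first_seen_hour, last_seen_hour)} so you can see how long
    each flagged result stayed in the top 100 across repeated scans.
    """
    seen = {}
    for hour, flagged in runs:
        for url in flagged:
            first, _ = seen.get(url, (hour, hour))
            seen[url] = (first, hour)
    return seen


def fake_fetch(url, headers):
    """Constructed stand-in for http_fetch so the example runs offline."""
    host = urlsplit(url).netloc
    referer_host = urlsplit(headers.get("Referer", "")).netloc
    if host == "cloaked.example":
        if referer_host.endswith("google.com"):
            return 302, "http://fake-av.example/scan.php"
        return 200, None  # typed-in visitors see the normal page
    if host == "clean.example":
        return 301, "/index.html"  # same-host redirect for everyone
    return 200, None


if __name__ == "__main__":
    top_results = ["http://cloaked.example/jordan-hicks", "http://clean.example/"]
    print(scan_results(top_results, fake_fetch))
    print(linger_report([(0, {"http://cloaked.example/jordan-hicks", "http://x.example/"}),
                         (3, {"http://cloaked.example/jordan-hicks"}),
                         (6, set())]))
```

Feeding `scan_results` the URLs from each Hot Search query, then passing the per-run flagged sets to `linger_report`, gives the "18, then 10, then none" curve the article describes as numbers per URL rather than an eyeballed count.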
In one case, the term "buy nexus one" returned malware sites for two weeks, he says.
He came up with the idea to use Hot Search as a detection tool in November. He had noted that spammers often jump on news events to lure victims who are so interested in the news event that they click on links that lead to infected sites. He hypothesized that criminals might also piggyback on sites ranking high on Hot Search to draw more traffic to their infected sites. It turns out he was right.
Bilogorskiy speculates that most victims who fall for the antivirus scams are naïve about the scams in general because they're pretty easy to detect. "You know it when you hit it that it's malicious. It's not hiding very well," he says.