Malicious links detected on Microsoft Security Essentials searches

Just a few days after Microsoft launched Security Essentials, cybercriminals are hitting search engine results with malicious links.

Websense Security Labs ThreatSeeker Network discovered that search engine results for information on how to download Microsoft's recently released Security Essentials tool are now returning links to websites that serve rogue anti-virus.

When a user clicks on a compromised website, so long as they have been referred by a search engine, they are redirected to malicious websites with domain names such as computer-scanner21 and computervirusscanner31.

If a user downloads the application, a file with extension .tif is downloaded in the 'program files\TS' directory as TSC.exe and system.dat (the .tif file is decrypted/decompressed and split). The payload then executes 'tsc.exe -dltest', that apparently connects to a NASA website to check internet connectivity.

Finally, 'tsc.exe' is executed with no parameters, and the rogue anti-virus starts while the original file is deleted in the background.

The Websense ThreatSeeker Network has been monitoring search engine optimisation poisoning of search terms related to Microsoft Security Essentials. It claimed that the malware authors set up a trial run of optimisation poisoning techniques before converting the redirects to deliver rogue applications.

Carl Leonard, threat research manager at Websense, said: "One of the rogue links is directly under a MSDN blog entry discussing Microsoft Security Essentials. The rogue redirects are hosted on a variety of legitimate websites, which have been compromised including that of the British Travel Health Association. When a user is referred to the site by a search engine, they are instead redirected to malicious websites."

Patrick' Runald, security research manager at Websense, claimed that he was not really surprised about how quickly this had appeared. Runald said: "It is the same with Google Wave, it is an action of keeping track of trending topics and using different keywords and manipulating search engine optimisation (SEO).

"The cybercriminals have different sites under their control and in the background they have a process that monitors Twitter and Google trending topics that allows their sites to climb up the search results. This is automated so there is not much for them to do to make it happen."

Commenting on how long it will be before malicious files are detected that are named 'Microsoft Security Essentials', Runald claimed that he was confident that we will see a malicious version of it.

"Cybercriminals do not use the Microsoft Security Essentials name for the download and haven't copied the name either because they are afraid of copying the nae because they know that Microsoft will go after them," said Runald.