32

I'm looking at some malware PCAPs, e.g. http://malware-traffic-analysis.net/2014/05/27/index.html .

One of the things I've been seeing frequently is requests to Alexa top million sites (e.g. Yandex, Google, Yahoo). I've always considered this to be a connection checking technique.

However, recently I've been thinking about other information you can glean from that request (e.g. a rough geoip feature through DNS / page redirection).

I am looking for links on the subject and thoughts about this technique in common/uncommon malware.

Fred Concklin

4 Answers

63

Most likely, it's just trying to check if there's a working internet connection.

The malware authors assume that:

  • Google (or other Alexa Top-1M sites) will be up 99.999% of the time.
  • Traffic going to common productivity sites like Google will not be flagged as unusual.
  • You (or your network administrator) will be unlikely to have blocked these sites at the gateway.

As such, Google is a good candidate.

Polynomial
13

Simple connection testing is one reason why malware might connect to Google, Yahoo and other search engines, but I would like to present a different explanation.

One frequent application for botnets is search engine spam optimization.

As you might notice, the result page of Google (and most other search engines) doesn't lead to the results directly, but to redirect-links instead. This allows them to check which results their visitors actually visit. Search engines use this information as part of their ranking algorithms. When many users search for a specific phrase and then all pick a specific result which is not the first one, that result must obviously be more relevant than the number one result and should be moved up. So simulating lots of search requests for a certain phrase and then picking a specific website from the results can result in that page getting ranked higher for that phrase.

Also, the auto-complete feature of many search engines is based on what other users search for, which makes it another interesting target for search engine spam. If I had a million bots search for "malware behavior stackexchange.com", anyone else starting to type "malware behavi" into Google would then get the phrase above as an auto-complete suggestion. Searching for "malware behavior" returns all kinds of different websites, while clicking on that auto-complete result would mostly return results from this website. That would really increase our traffic.

Philipp
This type of "SEO" rarely works anymore, and when it does, it's usually caught and corrected very quickly. Incidentally, simply typing a domain name doesn't restrict results to that domain, and your query returns results from many other domains. It would have to be "malware behavior **site:stackexchange.com**", and I don't think that will come up in an autocomplete. – Aaronaught Sep 25 '14 at 05:15
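Both of the explanations above (a bare connectivity probe to a top site, and bots issuing the same search query in bulk) leave a recognisable shape in proxy or web logs. The following is an added example, not code from this thread or from any of the answerers, showing how a defender might flag each pattern. It runs over a few constructed proxy log lines embedded in the script (the IPs, hosts, queries and the small `TOP_SITES` stand-in for an Alexa top list are all made up for the example), and it makes two assumptions: a connectivity check looks like a root request to a top site with no Referer and no follow-up traffic to that host from the same source, and query amplification looks like one `q=` value arriving from many distinct sources.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines for the example (not taken from the PCAP the question links to).
# Format: timestamp src_ip method url "user-agent" "referer"
SAMPLE_LOG = """\
2014-05-27T10:00:01Z 10.0.0.5 GET http://www.google.com/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
2014-05-27T10:00:02Z 10.0.0.5 GET http://www.yandex.ru/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
2014-05-27T10:00:03Z 10.0.0.5 POST http://203.0.113.7/gate.php "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
2014-05-27T10:01:10Z 10.0.0.9 GET http://www.google.com/ "Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0" "-"
2014-05-27T10:01:12Z 10.0.0.9 GET http://www.google.com/search?q=weather+seattle "Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0" "http://www.google.com/"
2014-05-27T10:02:00Z 10.0.0.21 GET http://www.google.com/search?q=cheap+widgets+example "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
2014-05-27T10:02:01Z 10.0.0.22 GET http://www.google.com/search?q=cheap+widgets+example "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
2014-05-27T10:02:02Z 10.0.0.23 GET http://www.google.com/search?q=cheap+widgets+example "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)" "([^"]*)"$')

# Hypothetical stand-in for an Alexa top-site list; a real deployment would load the full list.
TOP_SITES = {"www.google.com", "www.yandex.ru", "www.yahoo.com"}


def parse_log(text):
    """Parse the constructed log format into event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, method, url, ua, ref = m.groups()
        parts = urlsplit(url)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "method": method,
            "host": parts.hostname or "",
            "path": parts.path or "/",
            "query": parts.query,
            "ua": ua,
            "referer": None if ref == "-" else ref,
        })
    return events


def find_connectivity_checks(events, quiet_seconds=60):
    """Flag root requests to a top site that carry no Referer and are not followed by
    any other request to that host from the same source within quiet_seconds.
    A real browser visit to google.com is normally followed by a search or a click;
    a probe that only wants to know 'is the network up' is not."""
    flagged = []
    for i, e in enumerate(events):
        if e["host"] not in TOP_SITES or e["path"] != "/" or e["referer"]:
            continue
        deadline = e["ts"] + timedelta(seconds=quiet_seconds)
        follow_up = any(
            f["src"] == e["src"] and f["host"] == e["host"] and e["ts"] < f["ts"] <= deadline
            for f in events[i + 1:]
        )
        if not follow_up:
            flagged.append((e["src"], e["host"]))
    return flagged


def find_amplified_queries(events, min_sources=3):
    """Group search requests by (host, q) and report queries issued by at least
    min_sources distinct source addresses: the signature of bots pushing one phrase."""
    sources = defaultdict(set)
    for e in events:
        if e["host"] not in TOP_SITES or not e["query"]:
            continue
        q = parse_qs(e["query"]).get("q")
        if q:
            sources[(e["host"], q[0])].add(e["src"])
    return {key: len(srcs) for key, srcs in sources.items() if len(srcs) >= min_sources}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("possible connectivity checks:", find_connectivity_checks(evs))
    print("queries from many sources:", find_amplified_queries(evs))
```

On the sample data the first heuristic flags only 10.0.0.5 (which probes google.com and yandex.ru and then talks to an unrelated host), not 10.0.0.9, whose root request is followed by a real search with a Referer. The second flags the query that three different hosts sent within seconds of each other. Both thresholds (`quiet_seconds`, `min_sources`) are assumptions to tune against a baseline of normal browsing on the network in question.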
6

I'm just guessing here, but it would provide an alternative solution to the problem of name resolution to use a search engine instead of DNS to find a CnC server or to poll for updates and campaigns.

It's not clear from the web page if it was simply hitting the front page or running a query, and I don't have tools here to read the pcap files myself. Even if that's not the reason in this case, one can't discount it as an option for malware to use.

symcbean

That would make it easy for Google to block the CnC server (yes, they would). It could even be blocked inadvertently (due to normal PageRank changes). It's an interesting idea, though. – Ángel Sep 24 '14 at 12:50
2

I remember a case (but not the name of the case) where malware would periodically send blank HTTP requests to big and reliable websites to get a reliable UTC time; the malware was designed with a time bomb in it, set to launch a denial of service against a specified site at a certain date/time.

miethpo