[News] Semalt, known to be an SEO tool, was found using Soundfrost malware to hijack hundreds of thousands of computers, organising massive spambot in the last 30 days. Semalt bots have attempted to spam 32% of all websites on its service. 

According to Info Security, Semalt is pushing out referrer spam, which belongs to a niche within the spamming ecosystem. In Google’s search algorithm, the more links that point to a website, the further up in the search results it will be. In other words, a, dog grooming page that has 100 links pointing to it from other sites will be presented above competing dog grooming sites that may have just one or two of these referral links. Semalt is essentially creating bogus referral links to fool Google’s algorithm into thinking a site is more popular than it actually is.

The perpetrators create the phony links to a certain URL by abusing publicly-available access logs. Typically they use crawl bots to locate vulnerable websites, often accessing hundreds of thousands of websites in bulk, and then they send out requests from there with a synthetically-generated ‘referrer’ header. Each of these headers contains the website URL the perpetrators are trying to boost.

All such requests are automatically recorded in access logs, creating an HTML referrer link. These links are then crawled by search engines. Because of an unusual ability to execute JavaScript, Semalt activity actually appears in Google Analytics reports as being ‘human’ traffic. This process works well until Google or another search engine figures out that it’s a scam—thus impacting unsuspecting websites that have been hijacked.

These SEO leeches damage websites by downgrading search engine result pages to complete blacklisting and removal. This type of action could go unnoticed by many website owners. Semalt is not running a regular crawler to uncover vulnerable websites, but appears to use a botnet generated by malware hidden in a utility called Soundfrost. This botnet provides Semalt with the scale it needs to operate and it helps its bots avoid rudimentary security practices such as IP blacklisting and rate-limiting.

Retrieved from: Info Security

Image credit: Joe Beaulaurier