What a web promoter learns from a Trojan site infection

I suddenly noted that the visits to a website of mine had multiplied 5 fold in a day. After feeling some satisfaction on the success of my promotion efforts, I noticed something unusual: the requested subjects had nothing to do with my main theme, but with foods and drinks. And when you visited one of those pages, you were redirected to a malware site.

I entered my sites by FTP and I found many offending pages that some bot had placed there. And when I say many, I mean about 5000 files in dozens of directories in several sites accross 3 servers… Many hours were needed to clean up.

Of course I had to clean my PC from malware, apparently coming from a mailing software that I had downloaded 2 weeks ago.

The offending pages were quite complex, and all leaded to an exploit page that showed an infection scene, with strong advice to buy their antivirus, at adware-spyware-removal.co.cc. I am not sure if that page succeeded in loading malicious code into my Windows. They can have one inocent-looking page to enter thru a hole in your Windows, and another to sell you antivirus. In any case, I do not advice to buy anything from them. It is like paying ransom for your computer, and also giving the offenders much broader access to your system.

web promoter with Trojan

I saved a few of the offending files for exam. They use obfuscated Javascript to redirect traffic to their site. Something like:

script language=”javascript”>function not(kf,cybf){if…

I cleaned 3 pages (no javascript, nofollow in all links) and posted them in my site, but I kept having problems. The amount of links in them was too much, they got indexed and diverted my site from its theme.

The bot used my own material to create its pages, in order to camouflage it among the existing pages. The pages link to other infected pages in my servers and others, and lead to the main site that sells their own spyware removing product.

The bot-made pages are made in such a way that Search Engine spiders can index them well, reinforcing the traffic to their site. Thus, pages in my server bring new traffic from the SEs. If I was interested in those keywords, I only had to clean the pages and add my own links.

Google noted the infection in one of the sites, and posted the infamous “This site may harm your computer” note before the links. Other infected sites were indexed with no warning. I assume Google did not reach the end of the pages, where the malicious code is inserted.

Another advantage (?) of the infection are the incoming links from other infected sites, pointing to pages in my site. Since most webmasters willl not notice the problem for weeks or months, I will get some additional PageRank benefit.

The pages have a lot of text, combinatorially mixed phrases and keywords, keywords in the filenames, many links and lots of H1, li and Strong tags. Very similar to pages made with some page generators in the market, including mine… So, I expect to get some intelligence out of this event.

The funny thing is that I had tried for years to obtain such good, fast links and rankings for my pages. And a small bot achieves it with my own resources and without my knowing.

Hey, want to get your computer infected?