Semalt Hijacks Thousands of PCs for Massive Botnet

The software known as Semalt, which claims to be an ‘SEO tool,’ has been found to be using Soundfrost malware to hijack hundreds of thousands of computers. In the last 30 days it has assembled a huge spam botnet, with traffic originating from more than 290,000 different IP addresses around the globe and a heavy concentration in South America.
“Its unscrupulous behavior already having caused concern to many website owners, in what appears to be a large-scale, referrer spam campaign, Semalt is most commonly accused of ignoring ‘robots.txt’ directives and overbearing servers with a slew of suspicious-looking requests,” said Incapsula researcher Ofer Gayer, in a blog.
Perhaps unsurprisingly given the level of infection, its spamming reach is quite prodigious already: In all, Incapsula found that Semalt bots have attempted to spam 32% of all websites on its service.
Semalt is pushing out referrer spam, which belongs to a niche within the spamming ecosystem. In Google’s search algorithm, the more links that point to a website, the higher it climbs in the search results. In other words, a dog grooming page that has 100 links pointing to it from other sites will be presented above competing dog grooming sites that may have just one or two such inbound links.
Semalt is essentially creating bogus referral links to fool Googleโ€™s algorithm into thinking a site is more popular than it actually is.
“Somewhere between Facebook clickjacking campaigns and 419 scams, referrer spam lays a scheme to improve search engine rankings by relying on bad practices adopted by naïve, unsuspecting webmasters,” explained Gayer.
The perpetrators create the phony links to a chosen URL by abusing access logs that websites leave publicly reachable. Typically they use crawl bots to locate such websites, often touching hundreds of thousands of them in bulk, and then send each one requests carrying a synthetically generated ‘Referer’ header (the HTTP header really is spelled that way). Each of these headers contains the URL the perpetrators are trying to boost.
All such requests are automatically recorded in the access log, and when that log (or a statistics page built from it) is published as HTML, every forged referrer value becomes a clickable link that search engines then crawl. Because the Google Analytics tracking snippet runs in the browser, a bot that executes JavaScript fires the tracking beacon like a real visitor, so Semalt activity actually appears in Google Analytics reports as ‘human’ traffic.
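Because the forged Referer lands in the access log regardless of what the bot does next, the log itself is the place to hunt for this campaign. The following is an added example, not code from the article or from Incapsula: it parses constructed log lines in the standard Apache/nginx "combined" format, flags referrer hosts that arrive from many distinct IPs with roughly one request per IP (the fan-out pattern of a distributed bot injecting a header, which also explains why per-IP blacklisting and rate-limiting miss it), and renders an nginx rule that refuses those referrers. The hostnames `victim.example`, `partner.example` and `seo-booster.example`, the IPs, and the thresholds are all assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (assumed data, not from the article or Incapsula).
# seo-booster.example stands in for whatever URL a referrer spammer wants to push.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Sep/2014:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Sep/2014:10:01:05 +0000] "GET /about HTTP/1.1" 200 2048 "https://www.google.com/" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Sep/2014:10:01:06 +0000] "GET /static/app.js HTTP/1.1" 200 900 "https://victim.example/about" "Mozilla/5.0"',
    '203.0.113.12 - - [10/Sep/2014:10:02:40 +0000] "GET /blog/post-1 HTTP/1.1" 200 7700 "https://partner.example/links" "Mozilla/5.0"',
    '203.0.113.12 - - [10/Sep/2014:10:02:41 +0000] "GET /static/app.js HTTP/1.1" 200 900 "https://victim.example/blog/post-1" "Mozilla/5.0"',
    # Botnet fan-out: one hit per client IP, all carrying the same forged Referer.
    '198.51.100.1 - - [10/Sep/2014:10:03:01 +0000] "GET / HTTP/1.1" 200 5120 "http://seo-booster.example/" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Sep/2014:10:03:02 +0000] "GET / HTTP/1.1" 200 5120 "http://seo-booster.example/" "Mozilla/5.0"',
    '198.51.100.3 - - [10/Sep/2014:10:03:04 +0000] "GET / HTTP/1.1" 200 5120 "http://seo-booster.example/" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Sep/2014:10:03:05 +0000] "GET / HTTP/1.1" 200 5120 "http://www.seo-booster.example/" "Mozilla/5.0"',
    '198.51.100.5 - - [10/Sep/2014:10:03:07 +0000] "GET / HTTP/1.1" 200 5120 "http://seo-booster.example/" "Mozilla/5.0"',
]


def referrer_host(referer):
    """Normalized host of a Referer value ("www." stripped), or None if absent/unparseable."""
    if not referer or referer == "-":
        return None
    host = urlsplit(referer).hostname
    if not host:
        return None
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def find_referrer_spam(lines, own_hosts, allow_hosts=frozenset(), min_ips=3, max_hits_per_ip=1.5):
    """Return {referrer_host: stats} for referrers that look like distributed referrer spam.

    Heuristic: a referrer seen from many distinct client IPs, each sending about one
    request, is the signature of a botnet injecting a forged header; humans following a
    real link load several resources from the same IP. own_hosts/allow_hosts must be
    given already normalized (lower-case, no leading "www.").
    """
    hits, ips, paths = defaultdict(int), defaultdict(set), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        host = referrer_host(m["referer"])
        if host is None or host in own_hosts or host in allow_hosts:
            continue
        hits[host] += 1
        ips[host].add(m["ip"])
        paths[host].add(m["path"])
    flagged = {}
    for host, n in hits.items():
        n_ips = len(ips[host])
        if n_ips >= min_ips and n / n_ips <= max_hits_per_ip:
            flagged[host] = {"hits": n, "distinct_ips": n_ips, "paths": sorted(paths[host])}
    return flagged


def nginx_referer_block(hosts):
    """Render nginx rules answering 403 to requests whose Referer is on a flagged host.

    The match anchors on the host part of the URL so "seo-booster.example" does not
    also block "notseo-booster.example". nginx still logs the refused request, so this
    stops the bot from fetching pages but does not scrub the access log."""
    rules = []
    for host in sorted(hosts):
        pattern = r"^https?://([^/]+\.)?" + host.replace(".", r"\.") + r"(/|$)"
        rules.append('if ($http_referer ~* "%s") { return 403; }' % pattern)
    return "\n".join(rules)


if __name__ == "__main__":
    spam = find_referrer_spam(SAMPLE_LOG, own_hosts={"victim.example"}, allow_hosts={"google.com"})
    for host, stats in spam.items():
        print(host, stats)
    print(nginx_referer_block(spam))
```

Run it and only `seo-booster.example` is reported (five hits from five IPs, all to `/`), while `partner.example`, a single visitor who also loaded the page's script, is left alone. Blocking by referrer host is the complement to the IP-based controls the botnet defeats; the durable fix is to keep raw logs and auto-generated statistics pages out of any web-reachable, crawlable path in the first place.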
This process works well until Google or another search engine figures out that it’s a scam, at which point the penalty lands on the unsuspecting websites whose logs were hijacked.
“The existence of such SEO leeches can cause long-term SEO damage to websites, ranging from demotion in search engine result pages (SERP) to complete SERP blacklisting and removal,” said Gayer. “Technically speaking, this activity does not pose a security threat, nor does it have any visible side effects. As a result, referrer spam may go unnoticed by many website owners.”
Also, in Semalt’s case, it isn’t running a regular crawler to uncover target websites; instead, it appears to use a botnet built from malware hidden in a utility called Soundfrost, spanning machines on over 290,000 different IP addresses around the world. Nearly 60 percent of those machines are located in Brazil, and a botnet of that size could well be behind other malicious activity as well.
“Beyond providing Semalt with the scale it needs to operate, this botnet also helps Semalt’s bots avoid rudimentary security practices such as IP blacklisting and rate-limiting,” Gayer said. “This, coupled with its ability to overcome challenge-based bot detection mechanisms, makes Semalt’s shady activity that much more concerning.”
He added, “We hope that the combined efforts of the internet community will help put an end to Semalt’s illicit activity, and help dissuade other services from using this and similar unscrupulous tactics in their business practices.”
Abhishek Kumar Jha