What is Gootkit & How is it Poisoning Search?

Nathan |

Just when you thought you could browse the internet in peace, Gootkit, the information-stealing Trojan, is once again attacking computers.

After a brief hiatus, Gootkit is back with the ability to deploy an even wider range of malware than before. What you want to know is what Gootkit is exactly, and how to spot it to minimise your risk. Let’s break it down.

What is Gootkit?

Gootkit is Java-script based malware that’s been around for more than half a decade, but has recently innovated itself to present more threats to users online. The Gootkit malware family is most notable for banking credential theft, but performs a range of malicious activities, including keystroke capturing, video recording, email and password theft and the ability to inject malicious scripts.


The expanded malware delivery system, known as “Gootloader” has made its presence known again in campaigns targeting Germany, France, the U.S. and South Korea.


How do cybercriminals trick users into downloading this malware?

In the most simple terms, the criminals trick Google into treating hacked websites as safe and trustworthy ones. Google then presents its users with matches to the search queries, which seem relevant on the surface but are in fact a hacked server.


The process is pretty detailed, but we’ve outlined some of the key points here:


  1. The team of criminals hack into hundreds of innocent web servers, where they plant key phrases that search engines would associate with expertise in industries such as real estate, medicine, employment law, etc.
  2. The goal is that, when users search for these phrases, the hacked results show up and are clicked through to.
  3. The server then sends out a fraudulent web page that looks exactly like a message board or forum.
  4. On this “message board” is a fake message from a “user” asking the same question initially asked by the victim, and a posed response from a “moderator”. This response contains a download link to further information on the subject.
  5. The user clicks this link and inadvertently downloads malware onto their system.


How many hacked websites do the criminals possess?

We’re not sure exactly how many hacked websites Gootkit criminals have in their possession, but research suggests that they hold a vast number of high traffic sites.


Many of the search engine results that populate have no obvious connection to the original query. For example, researchers found one case where a user searching for real estate advice was presented with information about a Canada-based medical practice.


In order to make sure they’re targeting victims from the right location, the cybercriminals rewrite website code on-the-go. Any visitor that then falls within the desired area is shown the fake forum discussion on their topic of interest, and the infection process begins.


Robust IT security for your business

This search poisoning malware attacks both websites with lots of traffic, and users making simple searches on Google. Beyond keeping an eye out for website results that look too good to be true, there is anti-virus software available that can detect malware before it becomes dangerous.

The IT Department is your ongoing IT support system without the overheads. To discuss our security solutions, give us a call on 1300 10 10 40.