Has anyone else noticed that Bing has lots of Domain Generation Algorithm (DGA) links in the search results? it isn’t on every search, just some searches. But the same search result at Google doesn’t return the DGA links.
In August we had an alert at work for a user going to a DGA address. The user got it from a Bing search. Repeating the user’s search returned 12 DGA links in the first two pages of results. Using the default of 10 results per page. The same search on Google returned 0 out of 50.
I contacted Bing and the fixed it. But searching the same phrase, a couple of months later, returns 4 out of 50 on Bing. Yet Google is still 0 out of 50. I set both search engines to report 50 results per page.
When this was passed to me in August for Threat Intelligence reasons, because it’s my employer’s name and a vendor, the question was “who is this targeted at”. I loaded up a test system via Threat Grid going to bing.com, and interacted with the search results. Nothing went to malware, the pcap from that session didn’t show anything looking like malware calls. The report didn’t show anything about downloading software. All the links went to a collection of “adult” style dating sites. The links would stop working after they were clicked on, and visited.
I never did figure out if the target was my employer, the vendor, the customers or if it was just a target of opportunity thing. But I think it was the customer base. Because of what words had to be in the search to trigger the DGA results. The keyword that triggered it was both Company Names. They both had to be there. Searching one or the other didn’t return the results.
I know part that some malware has become research aware hides from it based on IP address and if it’s a VM or not. So that could have prevented malware downloads. I know the user that originally triggered the alert didn’t have any thing downloaded to their box either.