Ok, my continuing adventures with the referer spam has lead to an interesting discovery - I think criminals are now using referer spam to spread viruses. I think they are doing this in order to 'own' more computers for their botnets.

Today, I was browsing through the latest referer spam links on my blog. My blog no longer displays referer links on the site. (Thank you b2evolution!) This has slowed down the flow of referer spam a lot, but I do still get occaisional spams. Whenever I get one of these spams, if I'm not sure what it is, I go to the site. I got a few of these referer spam links today that I wasn't sure were referer spam, so I visited the site. As soon as I loaded the page, I got a box from Firefox asking for permission to download a WMF (Windows MetaFile). This is a very unusual thing to see on a web site. 99.9% of all images on web sites are either GIF or JPG format files. A WMF is a Windows-only image format. It is also the source of a recent exploit on Windows. This exploit can be used to secretly run programs on the person's machine without the person knowing it. This means that if someone were to load this WMF, it would install a program that would allow the criminal to secretly take control of your computer. You would NEVER even know that this is happening! If this exploit works, you've just 'donated' your computer and your Internet connection to this criminals own uses. He can basically use your computer to do anything he wants - send emails, perform DDOS on other sites. Anything. It's a scary thought.

Fortunately, Firefox does not display these images by default and I did not fall victim to this. I also have my computer properly patched to prevent this exploit. I am sure that there are millions of computers out there that have not been patched to fix this exploit, however. this means that there are millions of pontential 'free' computers for all these criminals to exploit. The sites that were hosting this WMF were clearly not legitimate sites. They all contained a seemingly random collection of words (no doubt in an attempt to attract higher placement on search engines). The domain names were also named to attract teens. The names had names very similar to MySpace.com (a very popular site with teens). These names could easily be confused for the real MySpace.com site causing the unsuspecting teen to fall victim to this exploit and add his computer to the criminal's botnet. This is downright scary.

Am I positive that this was an intentional attempt to spread this WMF exploit? No. However, based on the evidence, I don't see what else it could be.