Rogue blogs pollute Google results

Many of the blogs have been compromised by having the online photo gallery software Coppermine hacked, according to Cyveillance.

Rogue blog publishing software is then installed, which creates posts containing no text content. Instead, it posts images taken from Google's Images search, found using specific search terms targeted by the criminals. The images are given ALT and TITLE HTML attributes containing the same search terms, in a bid to push the pages further up the Google search rankings.

The rogue blogs are designed to turn up in the Google search results for highly targeted four- or five-word searches, so that they do not have to compete with results for more popular, simple searches.
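For a site owner auditing a web root, the post pattern described above (no text, images whose ALT and TITLE repeat a four- or five-word phrase) can be checked mechanically. The following is an added example, not code from Cyveillance or eSoft; the function name, thresholds and sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

class PostScanner(HTMLParser):
    """Counts visible text and collects (alt, title) pairs from <img> tags."""
    SKIP = {"script", "style", "title"}  # elements whose text is not page content

    def __init__(self):
        super().__init__()
        self.text_chars, self.images, self._skip = 0, [], 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip += 1
        elif tag == "img":
            a = dict(attrs)
            self.images.append(((a.get("alt") or "").strip().lower(),
                                (a.get("title") or "").strip().lower()))

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text_chars += len(data.strip())

def looks_like_image_only_seo_post(html, max_text_chars=40, min_words=4):
    """Heuristic with assumed thresholds: almost no visible text, and every
    image carries the same multi-word phrase in both its ALT and its TITLE."""
    p = PostScanner()
    p.feed(html)
    p.close()
    if not p.images or p.text_chars > max_text_chars:
        return False
    stuffed = [alt for alt, title in p.images
               if alt and alt == title and len(alt.split()) >= min_words]
    return len(stuffed) == len(p.images)

# Constructed sample pages (not taken from any real site).
PHRASE = "cheap blue widget repair guide"
SAMPLE_ROGUE = ("<html><head><title>post</title></head><body>"
                + f'<img src="a.jpg" alt="{PHRASE}" title="{PHRASE}">' * 3
                + "</body></html>")
SAMPLE_NORMAL = ("<html><body><p>We spent the weekend rebuilding the garden "
                 "shed and took a few pictures along the way.</p>"
                 '<img src="shed.jpg" alt="shed"></body></html>')

if __name__ == "__main__":
    for name, page in (("rogue", SAMPLE_ROGUE), ("normal", SAMPLE_NORMAL)):
        print(name, looks_like_image_only_seo_post(page))
```

A hit is only a lead for manual review: legitimate photo galleries can also be image-heavy, so confirm against file timestamps and whether the page belongs to software you installed.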

The blogs redirect visitors that have found them via a Google search, taking them to Chinese domains that attempt to install fake anti-virus software on victims' computers. "The path from the infected websites to the fake anti-virus software drop sites is swift and likely not noticed by the user", Cyveillance said. The sites for the fake anti-virus software were all registered with Chinese registrar TodayNIC.com.

The search results only show up in Google, and are not visible in any other search engines, said Cyveillance.

"It is possible that the attackers took advantage of the ability to submit .xml sitemaps in Google to stimulate the search engine to visit and index the rogue blogs’ postings", said Cyveillance. "A suitable .xml file was found on the sites examined to support this technique."

eSoft, investigating the matter further, found over 800 000 active URLs acting as rogue blog middleman sites.
