Malware Signatures

  1. Home
  2. Malware Signatures
  3. php.spam-seo.doorway-gen.043


Every now and then we see how hackers use compromised sites in black hat SEO campaigns. Quite often we see how they create whole subsections of spammy or malicious doorways (hundreds or even thousands)
under an umbrella of a legitimate reputable domain name. To rank well, doorways should have unique content. Another reason for having unique content is targeting long tail search requests - if only your page
has a specific combination of keywords, then it will be on the first page of search results for those keywords. Given the volume of searches on major search engines (billions of searches every days) and millions
of doorways accross multiple hacked sites, long tail queries may produce significant traffic for spammers. The question is how a small group of hackers can generate millions of pages with unique conten in a very short time?
The answer is they use doorway generating scripts (doorway generators). Such scripts usually make random requests to google, parse descriptions from top results, mix them randomly and intersperse them
with hotlinked images from image search results for the same queries. Most doorways generators can create new doorways on the fly if some keywords don't have cached spammy pages.
In most cases, doorway scripts are heavily obfuscated.