TR Editors' blog
Insights, opinions, and our editors' analysis of the latest in emerging technologies.
Thursday, July 29, 2010
Real-Time Searches Lead to Real-Time Malware
Search results may increasingly be poisoned with links to malicious sites, a researcher says.
By Erica Naone
Searching for a hot news topic or buzzword can already lead an unsuspecting person to harmful malware. Recent articles are full of warnings about malware hidden in links that are supposedly about the World Cup or the Icelandic Volcano. Estimates have suggested that about 14 percent of traditional searches for trending news go to sites hosting malware.
As real-time search becomes more important, the problem of malware-related results could become much worse, according to a talk given yesterday by Dan Hubbard, CTO of Websense, at the Cloud Security Alliance Summit, which took place at the Black Hat security conference in Las Vegas. The event brought together speakers from government, industry, academia, and the underground. Hubbard outlined several ways that real-time search results are easy to poison.
Much of the problem stems from the nature of information provided in real time, Hubbard says. It's noisy, spammy, and not authoritative. So search engines have a difficult task ahead determining what links can be trusted.
The results are also easy to manipulate. Hubbard experimented with searches related to the recent Boston marathon. He found that he could get posts to the top of real-time search engine results by posting in anticipation of events. For example, he posted information about who had won before there was a winner, garnering a top spot on real-time results pages. He found that he could trick even Google by introducing typos that other users might be likely to make (such as "Botson" marathon). And, by posting images along with text, Hubbard found that he was able to rocket his posts to the top of results pages.
Hubbard says spammers could use social graphs to manipulate real-time search results as well. A botnet, for example, could create large numbers of interconnected Twitter accounts, creating a source of information that could seem authoritative. Hubbard also pointed to recent reports of spammers taking over the Twitter accounts of well-known users.
There may be big opportunities for spammers as location gets factored into the ranking of real-time results. Current location services trust where users say they are, he says. Location is also relatively easy to spoof. Spammers could add their links to real-time search ranks by seeming, for example, to tweet about the Icelandic volcano from Iceland, or about the Boston marathon from the finish line.
Hubbard plans to continue his investigation by looking at how spammers might be able to influence Facebook streams and search, and what they might be able to do with the popular location-based social network Foursquare.
Tuesday, February 02, 2010
Get Paid to Install Malware
Botnets are using affiliate programs to infect PCs.
By Erica Naone
Sites like Amazon offer affiliate programs that pay users for sending them new customers. And now, malware authors, always quick to adopt tactics that work elsewhere, have developed their own affiliate program, which was described in a talk given today at the Black Hat DC computer security conference in Washington, DC.
Kevin Stevens, an analyst at Atlanta-based security consulting company SecureWorks, says sites with names like "Earnings4U" offer to pay users for each file they can install on someone else's PC; the practice is called "pay per install." Stevens found sites offering rates ranging from $180 per 1,000 installs on PCs based in the U.S. to $6 per 1,000 installs on PCs based in Asian countries.
As he researched the practice, Stevens says he discovered a number of companies engaged in pay per install. These companies periodically change their names to dodge the authorities. He also found forums where users shared tips for making more money, and a variety of sophisticated tools developed to make it easier for them to install malware. "It's almost like a real, legitimate business," he said.
People who sign up for the affiliate programs often download "malware cocktails" that they then try to distribute as widely as possible. One common technique is to combine the malware with a video and offer it for download on a peer-to-peer file sharing site. Another is to host the malware somewhere on the Web, and use search engine optimization techniques to attract traffic to it.
Stevens outlined several types of software that a malware affiliate can use. "Crypters," for example, are programs that mask malware from antivirus programs. One popular crypter costs about $75 initially, and then $25 to buy fresh pieces of code that keep the malware masked once antivirus programs have begun to recognize the original. Stevens estimates that it's possible to get by for two to three weeks on each such update.
For about $225, a malware affiliate can multiply his earnings by obtaining a Trojan download manager. This program allows him to pump multiple malware cocktails into each infected PC, getting paid for each one on each compromised computer. One Trojan download manager comes with add-ons that allow a user to harvest e-mail addresses from an infected system, which could then be used to send spam or phishing messages.
Stevens estimates that some of the larger companies offering pay-per-install programs are responsible for about 2.8 million malware installs each month.
Monday, December 07, 2009
Mobile Malware Isn't So Bad, For Now
Cell phones remain less vulnerable than PCs, but for how long?
By Erica Naone
This weekend a Swiss computer security researcher released an application designed to demonstrate the kind of personal information that a malicious iPhone application could potentially harvest from unwary users (pdf). The disclosure came just two weeks after the first truly malicious iPhone worm was released for jailbroken iPhones.
So, are we on the brink of a mobile malware pandemic?
Not necessarily, says Mikko Hypponen, chief research officer for the Internet security company F-Secure, based in Helsinki, Finland. Hypponen has been collecting mobile malware specimens for the past 10 years. His count, so far, is 454 mobile viruses and Trojans since 2004. And, despite many security experts predicting that serious attacks against mobile devices are inevitable, Hypponen has observed the opposite trend. "Instead of getting worse, malware on mobile devices has been slowing down over the past two years," he says.
The main reason, Hypponen suggests, is that most phone platforms exercise more control over the applications they run than desktop computers do. For example, mandatory application signing for the iPhone means that programs can't run without authorization from Apple. Android's open platform doesn't use mandatory signing, but Google has designed a new security model for the operating system to minimize the damage that can be done by a malicious application.
Hypponen also believes that fragmentation in the phone market has hindered malware writers so far: no single mobile operating system dominates the way Windows does on the desktop, so it's hard for virus writers to know where to focus their efforts. Furthermore, he says, far fewer people have the sort of low-level knowledge of specific mobile devices that's needed to create successful malware.
However, Hypponen notes that the malware observed so far requires a user to install something malicious, instead of exploiting a vulnerability in the operating system itself. The real danger, he says, is when malware authors discover ways to attack a mobile device without that level of user participation.
"When that happens," Hypponen says, "everything we know about mobile malware will have changed."