The constant stream of Ultraseek redirects to malware

I’ve been tracking a steadily increasing amount of redirects, often from legitimate .gov, .edu or major corporations.

The cause of these redirects are, in many cases, a result of configurations of Ultraseek/Autonomy/Verity search software (Ultraseek, Verity and Autonomy are all the same company).   Most, if not all, enterprise search redirects I’ve seeing now are related to Ultraseek.

For example, we see that the Coca Cola Credit Union is currently redirecting to malware. 

An example string is as follows:

http://search.creditunion.coca-cola.com/creditunion/cs.html?url=//marker2009 com%2Fin.php%3F%26n%3D1131%26t

(The link is slightly munged for safety).

Here’s that same redirect that’s safe.

Going up a notch, we see the tell-tale Ultraseek search engine.