Science & Technology
Search Google, Click to Massive Malware Attacks?
2007-11-29
A large-scale, coordinated campaign to steer users toward malware-spewing Web sites from Google search results is under way, security researchers said Tuesday.
In the past 30 days, I've wiped and reloaded two of my machines and spent an entire Sunday afternoon cleaning a friend's machine. My opinion is that these bastards should be shot.
Users searching Google with any of hundreds of legitimate phrases -- from the technical "how to cisco router vpn dial in" to the heart-tugging "how to teach a dog to play fetch" -- will see links near the top of the results listings that lead directly to malicious sites hosting a mountain of malware. "This is huge," said Alex Eckelberry, Sunbelt Software's CEO. "So far we've found 27 different domains, each with up to 1,499 [malicious] pages. That's 40,000 possible pages."

Those pages have had their Google ranking boosted by crooked tactics that include "comment spam" and "blog spam," where bots inundate the comment areas of sites with links or mass large numbers of them as bogus blog posts. Attackers may be using bots to plug links into any Web form that requests a URL, added Sunbelt malware researcher Adam Thomas.

There's no evidence that the criminals bought Google search keywords, however, nor that they've compromised legitimate sites. Instead, they've gamed Google's ranking system and registered their own sites. "They get themselves on to Google, then redirect people to their malware pages," said Eckelberry. Most users wouldn't suspect anything's amiss with the rogue results, although the ultra-wary might be suspicious because many of the malicious URLs are just a jumble of characters, with China's .cn top-level domain at their ends.

Once shunted to a malware-hosting site, the user might face a fake codec installation dialog. If the user doesn't bite, the page's IFRAME will get him, said Thomas. "This is what's doing the most damage," he said. "It's loaded with every piece of malware you can think of, including fake toolbars, rogue software and scareware."

One site that Thomas encountered tried to install more than 25 separate pieces of malware, including numerous Trojan horses, a spam bot, a full-blown rootkit, and a pair of password stealers. All the malicious code pitched at users is well-known to security vendors, and can only exploit PCs that aren't up-to-date on their patches. "I ran into one, and it hosed my VM [virtual machine]," said Eckelberry. "Completely hosed it."

While Eckelberry called the scam "impressive" in scope, Thomas echoed his boss in describing the attack's magnitude. "It's like they've colored any possible search term you can think of," said Thomas. "There are tens of thousands of [malicious] pages out there."

Sunbelt's company blog sports screen shots of several Google search results lists, with malware-infecting sites identified, as well as images of the bogus codec installation dialogs and the code of one of the malicious IFRAMEs.
Posted by: Fred
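The article names two indicators a defender can check for without touching the malware itself: search-result hostnames that are a jumble of characters under the .cn top-level domain, and a hidden IFRAME on the landing page that pulls in the payload. The following triage script is an added example, not Sunbelt's or Computerworld's code; the heuristics, the sample page and the hostnames in it are constructed for illustration.

```python
"""Defender-side triage of a fetched search-result landing page.

Flags (1) a page host whose label looks like random characters under a
watched TLD and (2) IFRAMEs that are hidden or pull content from another
host. Added example with constructed heuristics and sample HTML; it is not
code from the article or from Sunbelt Software.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

WATCHED_TLDS = {"cn"}   # the article's observation; extend as needed (assumption)
VOWELS = set("aeiou")


def tld_of(hostname: str) -> str:
    return hostname.rsplit(".", 1)[-1].lower()


def looks_jumbled(hostname: str) -> bool:
    """Heuristic: the registrable label is long and reads like line noise,
    i.e. almost no vowels, or letters and digits interleaved several times.
    Real words with few vowels (e.g. 'strength') can trip this; it is a
    triage signal, not a verdict."""
    labels = hostname.lower().split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]                     # 'xq8kz3wv' in 'xq8kz3wv.cn'
    if len(label) < 8:
        return False
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    switches = sum(1 for a, b in zip(label, label[1:]) if a.isalpha() != b.isalpha())
    return vowel_ratio < 0.2 or switches >= 3


class IframeFinder(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def _is_hidden(attrs: dict) -> bool:
    """Zero/one-pixel frames or CSS-hidden frames are invisible to the user."""
    def tiny(value):
        try:
            return int(str(value).rstrip("px")) <= 1
        except ValueError:
            return False
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (tiny(attrs.get("width")) or tiny(attrs.get("height"))
            or "display:none" in style or "visibility:hidden" in style)


def assess_page(page_url: str, html: str) -> list:
    """Return (indicator, detail) tuples for the page URL and its HTML."""
    findings = []
    page_host = urlparse(page_url).hostname or ""
    if tld_of(page_host) in WATCHED_TLDS and looks_jumbled(page_host):
        findings.append(("jumbled_host", page_host))
    parser = IframeFinder()
    parser.feed(html)
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        src_host = urlparse(src).hostname or page_host
        if _is_hidden(attrs):
            findings.append(("hidden_iframe", src))
        elif src_host != page_host:
            findings.append(("offsite_iframe", src))
    return findings


# Constructed sample: a fake "codec" pitch plus a hidden IFRAME to a second
# jumbled .cn host, and a normal visible frame on the same host for contrast.
SAMPLE_URL = "http://xq8kz3wv.cn/how-to-teach-a-dog-to-play-fetch.html"
SAMPLE_HTML = """<html><body>
<h1>How to teach a dog to play fetch</h1>
<p>Your browser needs a video codec to view this page. <a href="codec.exe">Install</a></p>
<iframe src="http://k9zq2xh7.cn/in.php" width="0" height="0" style="display:none"></iframe>
<iframe src="http://xq8kz3wv.cn/ad.html" width="300" height="250"></iframe>
</body></html>"""

if __name__ == "__main__":
    for indicator, detail in assess_page(SAMPLE_URL, SAMPLE_HTML):
        print(f"{indicator}: {detail}")
```

Run against the constructed sample it reports the jumbled page host and the hidden IFRAME, and stays quiet about the visible same-host frame. In practice you would feed it the HTML of each unfamiliar result before opening it in a browser, and treat any hit as a reason to skip the link rather than as proof of malice.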

#24  There's no justifiable reason why the average user should have to put up with predatory bullshit like this.

That's why I use a mac.
Posted by: Nimble Spemble   2007-11-29 21:51  

#23  Z: I run Ad-Aware twice a day.

I'm referring to Symantec's or McAfee's software. Note that you can run a virus scan (and clean) from Trend Micro's website. Just google "housecall".
Posted by: Zhang Fei   2007-11-29 20:55  

#22  I run Ad-Aware twice a day. My older OS is just more vulnerable to this crap. There's no justifiable reason why the average user should have to put up with predatory bullshit like this.
Posted by: Zenster   2007-11-29 18:19  

#21  Z: I hit this sort of crap after using a top-of-the-page volumetric recipe conversion site. These maggots need to be hauled out and shot.

Do you run anti-virus software? I do, and I've never had a serious problem.
Posted by: Zhang Fei   2007-11-29 16:26  

#20  I wonder if they are hijacking the links. I had a worm some time back and when I would click on any search engine link, it would hijack me to a spider. I had to click on the cached version to get where I wanted to go.
Posted by: Whomong Guelph4611   2007-11-29 13:31  

#19  Simple solution: when Google's spiders crawl a site they should be looking for malware as well, and ANY link that contains malware is dumped from their database of searchable links.
Posted by: OldSpook   2007-11-29 13:26  

#18  Which is why Zenster's fervent wishes for DC control are doomed to be frustrated for a long while.

Yet one more reason why our politicians and the Chinese need to be separated using a crowbar. Much like Islam, China has so little to offer our world in comparison to the immense damage done wherever it goes. Just like the Saudis, it is only the Politburo's very selective redistribution to our politicians of the massive Western wealth being poured into their coffers that lends them any immunity. In the absence of such venal politicians, this would normally represent an intolerable interference in another country's political system. Without China purchasing so many Western decision-makers, more than a few militaries would be far more keen on taking down the communist Chinese.
Posted by: Zenster   2007-11-29 12:43  

#17  I had to clean my disk last week too. Moral of the story - don't use Google.
Posted by: Whomong Guelph4611   2007-11-29 12:21  

#16  many of the malicious URLs are just a jumble of characters, with China's .cn top-level domain at their ends.

lotp: This is not coincidental.

They have the Great Firewall of China, they can more or less control what their people are allowed to see, but they're just helpless little anarchists if someone goes around planting viruses in western computers...
Posted by: Abdominal Snowman   2007-11-29 09:49  

#15  Here on Guam, I've noticed that computer stations remain linked/tied to external sources despite being logged off and/or rebooted.

What we need to do is set up linux livecd distributions that will use a home directory on a partition on a hard drive but run everything else from the CD/DVD.
Posted by: Abdominal Snowman   2007-11-29 09:45  

#14  Which is why Zenster's fervent wishes for DC control are doomed to be frustrated for a long while.

You can, of course, set your browser security settings very high to avoid the malware installation. Unfortunately, it will also prevent many sites from working at all for you.
Posted by: lotp   2007-11-29 07:53  

#13  many of the malicious URLs are just a jumble of characters, with China's .cn top-level domain at their ends.

This is not coincidental.
Posted by: lotp   2007-11-29 07:52  

#12  > Firefox + Noscript

I concur
Posted by: Bright Pebbles   2007-11-29 06:56  

#11  Ok, I'll run Ad-Aware and Spybot, and then clean out my cookies. Norton ran last night. Anything else I should do?
Posted by: trailing wife   2007-11-29 06:23  

#10  Firefox + Noscript, running on Ubuntu Linux...
Posted by: john frum   2007-11-29 06:01  

#9  Your FELLOW NUTTER is seriously mistaken, Joe.
Posted by: weresheep   2007-11-29 04:20  

#8  Here on Guam, I've noticed that computer stations remain linked/tied to external sources despite being logged off and/or rebooted. AS A FELLOW NETTER ONCE REMARKED, 'TIS "INFORMATION CONTROL OF THE SHEEPLE. THE WOT IS WAR FOR CONTROL OF SHEEP[SHEEP'S WAR]"???
Posted by: JosephMendiola   2007-11-29 03:15  

#7  That is why I use FireFox, and update it regularly.
Posted by: Shieldwolf    2007-11-29 03:12  

#6  Again, let's all give thanks to Microsoft for making the web browser based attack a reality. Before Internet Explorer, it was laughable that a computer could be infected via web browser.
Posted by: gromky   2007-11-29 02:27  

#5  I vote we give all these bastards a flying cock punch. With a hammer.
Posted by: Mike N.   2007-11-29 02:12  

#4  I have a dream... malwareznicks flambeaux.
Posted by: Spike Uniter   2007-11-29 01:02  

#3  I hit this sort of crap after using a top-of-the-page volumetric recipe conversion site. These maggots need to be hauled out and shot.

Why is it that Washington cannot bring themselves to classify malware and spyware as a form of vandalism? Ever listen to your disk drive chatter like a frozen esquimaux after being hit with some keystroke software? This shortens the life of your hardware and is nothing less than flat-out vandalism. Nowhere do these phuques request your permission to install this crap and it is the equivalent of telecom "slamming" for them to surreptitiously install software on your computer without permission. Cookies are one thing but drive cycling spyware is another. After clicking on a hallmark.com electronic greeting card email, both my Word and Excel apps were corrupted. I'm faced with the delicate task of uninstalling these critical applications.

We need laws that require anyone trying to install anything more complex than a cookie to request user approval with a mandatory click-through before this shit can infest your 'puter.

Either that or impose simple torture, mayhem, disfigurement, sterilization and physical maiming for those who do this on a routine basis.
Posted by: Zenster   2007-11-29 00:55  

#2  Use slave squirrel army... or sumtin. :-)
Posted by: Spike Uniter   2007-11-29 00:53  

#1  The moditorial staff has been sweeping a lot of rat droppings out of the RB holding tank lately.

But not to worry, we almost always use the hand sanitizer afterwards.
Posted by: Seafarious   2007-11-29 00:05  