Jump to content


Photo

Google search malware attack in progress


  • Please log in to reply
38 replies to this topic

#1 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 27 November 2007 - 06:16 PM

FYI...

- http://preview.tinyurl.com/2db83x
November 27, 2007 (Computerworld) - "A large-scale, coordinated campaign to steer users toward malware-spewing Web sites from Google search results is under way, security researchers said today. Users searching Google with any of hundreds of legitimate phrases -- from the technical "how to cisco router vpn dial in" to the heart-tugging "how to teach a dog to play fetch" -- will see links near the top of the results listings that lead directly to malicious sites hosting a mountain of malware. "This is huge," said Alex Eckelberry, Sunbelt Software's CEO. "So far we've found 27 different domains, each with up to 1,499 [malicious] pages. That's 40,000 possible pages." Those pages have had their Google ranking boosted by crooked tactics that include "comment spam" and "blog spam," where bots inundate the comment areas of sites with links or mass large numbers of them as bogus blog posts. Attackers may be using bots to plug links into any Web form that requests a URL, added Sunbelt malware researcher Adam Thomas. There's no evidence that the criminals bought Google search keywords, however, nor that they've compromised legitimate sites. Instead, they've gamed Google's ranking system and registered their own sites... One site that Thomas encountered tried to install more than 25 separate pieces of malware, including numerous Trojan horses, a spam bot, a full-blown rootkit, and a pair of password stealers. All the malicious code pitched at users is well-known to security vendors, and can only exploit PCs that aren't up-to-date on their patches... Sunbelt's company blog sports screen shots* of several Google search results lists, with malware-infecting sites identified, as well as images of the bogus codec installation dialogs and the code of one of the malicious IFRAMEs."
* http://sunbeltblog.b...of-malware.html

:techsupport:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#2 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 28 November 2007 - 09:41 AM

Update:

- http://preview.tinyurl.com/2db83x
"...Users searching Google, Yahoo, Microsoft Live Search and other engines with any of hundreds of legitimate phrases -- from the technical "how to cisco router vpn dial in" to the heart-tugging "how to teach a dog to play fetch" -- will see links near the top of the results listings that lead directly to malicious sites hosting a mountain of malware..."

:ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#3 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 28 November 2007 - 04:30 PM

FYI...

SEO poisoning targeted at Google
- http://sunbeltblog.b...ing-it-was.html
November 28, 2007 - "As a follow-up to our recent posts*, here’s some additional information. First, we can ring the all-clear bell. Google took action on these domains and you won’t find them anymore in Google (see Java script at URL above)... So. if you use search terms like “inurl” and “site”, you won’t see these malware pages in your results. Clever, since that’s one way for malware researchers to find stuff... And, it only cares if you’re coming from Google..."
* http://sunbeltblog.b...termath_27.html

> http://isc.sans.org/...ml?storyid=3700
Last Updated: 2007-11-28 21:07:34 UTC ...(Version: 3) - "UPDATE: Google for one has cleaned up their database. They are currently no longer returning these .cn pages for the queries affected."

:evilgrin:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#4 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 29 November 2007 - 07:16 AM

Ongoing...

- http://isc.sans.org/...ml?storyid=3700
Last Updated: 2007-11-28 23:06:30 UTC ...(Version: 4)
"UPDATE: Live Search has submitted the changes necessary to yank these URLs from the database."


:evilgrin:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#5 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 29 November 2007 - 02:19 PM

FYI...

More Google poisoning on the way?
- http://sunbeltblog.b...ing-on-way.html
November 29, 2007 - "Google has removed the sites responsible for the recent massive Google poisoning* attack. However, we’re seeing indications that another attack may be on the way. We have seen another spate of websites freshly registered, using the similar .cn domains. There seem to be two different groups here... Large amount of fresh .cn domains, with numbered html pages. However, there are apparently two different groups at work here. One we’ll call Type 1 -- which appears to be the same group involved in the prior poisoning. And the other, we'll call Type 2 (sorry, not very original, but we’re working fast here)... Right now, we’re not seeing either site serve exploits, as we saw in the last attack. However, this could change..."

* http://sunbeltblog.b...ing-it-was.html

:(

Edited by apluswebmaster, 29 November 2007 - 02:19 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#6 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 30 November 2007 - 07:52 AM

FYI...

- http://preview.tinyurl.com/3cgt5k
November 30, 2007 (Computerworld) - "Google is asking everyday Web surfers to help with its efforts to stamp out malicious Web sites. The company has created an online form designed to make it easy for people to report sites they suspect of hosting malicious code. It's the latest step by Google to expand its database of the bad Web sites it knows about, as those sites continue to proliferate. "Currently, we know of hundreds of thousands of Web sites that attempt to infect people's computers with malware. Unfortunately, we also know that there are more malware sites out there," Google's Ian Fette wrote in the company's security blog*..."
* http://googleonlines...ll-in-gaps.html

- http://msmvps.com/bl...30/1371503.aspx
November 30, 2007 - "...(Google) blog entry was published after Sunbelt reported the massive seeding of malicious web sites on Google (which were *not* flagged as dangerous), which was then cleaned up, and before it was reported that nonsense domains were reappearing in Google's search, albeit with (apparently) no malicious content (yet)... The innocent days of the Internet as a wonderous, safe place that all can visit, and learn, and teach and share and explore without fear is gone. The criminals have taken that dream away from us. That is the reality..."

:unsure:

Edited by apluswebmaster, 30 November 2007 - 08:07 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#7 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 03 December 2007 - 11:54 AM

FYI...

Malware Exploiting Death of Zoey Zane
- http://sunbeltblog.b...-zoey-zane.html
December 03, 2007- "From the sicko department . . . We have received multiple public reports of attackers using the recent murder of 18 year old college student Emily Sander (AKA "Zoey Zane" in the adult film industry world) as a lure to install malware.
From about.com:
'Dental records have confirmed that a body found near a Kansas highway is missing community college student and Internet porn star Emily Sander, authorities said. An autopsy has been completed, but the results have been sealed and are not available to the media . . . After Sander disappeared, it was discovered that the 18-year-old college student led a double life as "Zoey Zane," a character she played on Internet porn sites.'
Attackers have obtained very good search engine position when looking for information about “Zoey Zane”, and users may be lured into installing an “ActiveX upgrade” or “Flash Player” upgrade in order to view a video. In actuality, this “ActiveX video decoder” or “Flash Player Upgrade” is a Trojan that installs a Browser Helper Object (BHO) which produces fake pop-up messages and modifies search engine results in an attempt to install the Rogue Software IE Defender..."

(Screenshots available at the URL above.)

:ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#8 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 19 December 2007 - 10:32 AM

FYI...

- http://www.reuters.c...191003420071219
Dec 19, 2007 - "Advertisements placed by Google in Web pages are being hijacked by so-called trojan software that replaces the intended text with ads from a different provider, Romanian antivirus company BitDefender says*. The trojan redirects queries meant to be sent to Google servers to a rogue server, which displays ads from a third party instead of ads from Google, BitDefender said in a statement... Google said on Wednesday: "We have cancelled customer accounts that display ads redirecting users to malicious sites or that advertise a product violating our software principles." "We actively work to detect and remove sites that serve malware in both our ad network and in our search results. We have manual and automated processes in place to detect and enforce these policies." The trojan, named after the mythic Trojan Horse because of its ability to enter computer systems undetected, attacks Google's AdSense service, which targets advertisements to match Web page content..."

* http://preview.tinyurl.com/2jp2k9
December 18, 2007 (Bitdefender) - "...The modified file contains a line redirecting the host "page2.googlesyndication.com" which should point to an IP of the form 6x.xxx.xxx.xxx to a different address, of the form 9x.xxx.xxx.xxx, so that the infected machines' browsers read ads from server at the replacement address rather than from Google..."
- http://www.bitdefend...n.Qhost.WU.html

:ph34r:

Edited by apluswebmaster, 21 December 2007 - 05:21 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#9 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 26 December 2007 - 07:25 PM

FYI...

Fake codecs on Blogger
- http://sunbeltblog.b...on-blogger.html
December 26, 2007 - "Fake codec trojans (so-called “required” components to watch a video, but in fact are malicious trojans) are a plague on the Internet. We’ve written about them extensively. Often, they are seen in porn sites. However, by doing a few simple searches today, we can see that they’re available to those simply doing American football pools, checking bank hours or searching for New Year’s eve clipart. All of these are taking advantage of the free Blogger service... these sites are pushing real trojans. Please don’t go there if unless you know what you’re doing... I wouldn't put this in the same league as the massive Google poisoning we saw last month. That was an epic attack, using exploits and all kinds of nasty tricks. However, this is something to be aware of, and hopefully the good folks at Google will take them down lickety-split..."

(Screenshots available at the URL above.)

:ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#10 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 28 December 2007 - 06:37 AM

FYI...

Malicious Code: Attackers Exploiting News of Benazir Bhutto Assassination
- http://www.websense....php?AlertID=834
December 27, 2007 - "Websense Security Labs has discovered malicious Web sites attempting to capitalize on the breaking news of the assassination of Benazir Bhutto. These sites attempt to infect users seeking more information about the event. This activity is similar to past news events, where attackers used malicious sites containing information about the event to infect visitors. In this case, the first infected site found by Websense Security Labs was the second result in a Google search using a generic and simple keyword. Therefore, the site likely to receive large amounts of traffic. Clicking on the link in the search results did not trigger a warning from Google that the site may be malicious..."

(Screenshot available at the URL above.)

- http://blog.trendmic...n-javascripted/
December 27, 2007 - "...one of the sites in question indeed has an embedded malicious JavaScript redirect..."

:evilgrin: :ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#11 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 26 January 2008 - 07:41 AM

FYI...

Attackers Abuse Google Blogger
Blogger is flooded with phony blogs – including some that inject malware
- http://www.darkreadi...o...&print=true
JANUARY 25, 2008 - "Hackers are currently littering Google's Blogger site with phony blogs -- some containing malware, pornographic images, or pure spam. "Google Blogger is being used as a malware delivery mechanism," says Ken Steinberg, CTO and president of Savant Protection, who discovered the attack while working on his own blog this morning. The attackers apparently are automatically generating the blogs with scripts. The blogs come with nonsensical names and content that's obviously been generated using English-compliant engines and keyword focuses, he says. "They've upped the game. Mostly [blog attacks] have been through comments or postings," he says. Steinberg noted that some of the fake blogs were using malware-insertion techniques: "One of the more common ways of inserting malware is using overflow techniques found in movie [viewers]... When you click through a few of these blogs, up pops images set to auto-load -- some are images, some are movies" that can infect a visitor with malware, he says. Google says it's investigating the event..."

- http://preview.tinyurl.com/2v59aq
January 25, 2008 (Computerworld) - "...The spammers have borrowed other malware techniques, too. Just as some recent attacks have been launched using frequently changing JavaScript, the redirect code placed on the Google Pages or on blogs may fluctuate depending on the originating spam message. The scams are also using fast-flux techniques to rapidly change the resolving destinations of the links.."

:ph34r:

Edited by apluswebmaster, 26 January 2008 - 11:55 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#12 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 28 January 2008 - 08:23 AM

FYI...

- http://blog.trendmic...lware-campaign/
January 24, 2008 - "Cyber criminals who took advantage of Hollywood actor Heath Ledger’s death* are at it again, this time attempting to lure unsuspecting Super Bowl fans. When users search for “Superbowl,” Google search results turn up the following (links to malware)... what’s interesting in this case is that the malicious URLs are once again found in the servers of the Czech hosting provider believed to be hacked. Our analysts have been in contact with CERT CZ and the Czech hosting provider but the malicious codes are still present as of this writing..."
* http://blog.trendmic...es-heath-it-up/

(Screenshots available at both URLs above.)


I.E: http://www.cnet.com/...3.html?tag=head
"...A client of mine is often in the news, so I watch for articles using Google Alerts. Once a day, I'm sent an email listing the new web pages Google found that contain my client's name. After doing this for well over a year without incident, Google today included a malicious web page in the list of those referencing my client. The page tried to install malicious software on my computer..."

:ph34r:

Edited by apluswebmaster, 28 January 2008 - 10:54 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#13 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 30 January 2008 - 05:50 AM

FYI...

Search Engine Spam increasing
- http://www.messagela...telligence.aspx
MessageLabs Intelligence (PDF report): January 2008 - "...much of this type of spam in recent weeks has also revealed a significant hike in the proportion of spam abusing search engine redirects. Typically Google and Yahoo search engines have been used in these spams. Search engine spam accounts for 17% of spam in January and has been in circulation for only a few weeks. Search engine spam is a technique that allows the spammer to include a link constructed from a search engine query in an email message. When followed, the link will resolve in the spammer’s forged web site. This means that the spammers can send messages without directly mentioning the spam website, which makes it difficult for traditional anti-spam products to detect the malicious link. While they may recognize known spam sites, they cannot reasonably block links to legitimate search engine sites. eBay recently instituted some changes to circumvent this type of attack method... the link in the email passes some special parameters to the Google search engine, using the inURL: keyword (which focuses the search only on the domain listed), and the BtnI= keyword (typically used by the “I’m feeling Lucky” button on Google)..."

:ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#14 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 04 February 2008 - 10:13 AM

FYI...

Google blog used to spread malware
- http://www.networkwo...oogle-blog.html
01/31/08 - "A Google-hosted blog is running phony security content that's linked to malware, as well as using Google's automated notification service to try to entice subscribers to click on an infected link, says one security expert. To trick readers looking for information related to legitimate security products, the blog - which has been spotted working under the name "Brittany" - has copied content related to security vendors Symantec, Trend Micro and Aladdin Knowledge Systems, says Ofer Elzam, director of product management in Aladdin's eSafe division... Google states in its usage policy that "Google does not monitor the contents of Blogger.com and Blogspot.com, and takes no responsibility for such content. Instead, Google merely provides access to such content as a service to you"..."

:ph34r: :ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#15 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 10 February 2008 - 07:36 AM

FYI...

- http://explabs.blogs...nocent searches
February 02, 2008 - "...more innocent searches... some from the last couple of days...
coal furnace with gas insert - fake codec
road trip - neosploit
pearl shop - neosploit
high capacity battery pack - fake codec/ rootkit
eyelashes + adhesive - fake codec
camping turon gate - fake codec
greenville gremlins - fake codec
blueberry jam - mpack/ icepack
school closings in illinois parents - search engine hijack
las vegas wedding photographers - mdac
carolina theater - mpack/ icepack ..."

:ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#16 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 12 February 2008 - 02:08 PM

FYI...

All Your iFrame Are Point to Us (from the Google Anti-Malware Team)
- http://googleonlines...oint-to-us.html
February 11, 2008 - "...In the past few months, more than 1% of all search results contained at least one result that we believe to point to malicious content and the trend seems to be increasing... Some malware distribution sites had as many as 21,000 regular web sites pointing to them. We also found that the majority of malware was hosted on web servers located in China. Interestingly, Chinese malware distribution sites are mostly pointed to by Chinese web servers. We hope that an analysis such as this will help us to better understand the malware problem in the future and allow us to protect users all over the Internet from malicious web sites as best as we can. One thing is clear - we have a lot of work ahead of us."

:ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#17 uclonewolf3

uclonewolf3

    Member

  • Full Member
  • Pip
  • 2 posts

Posted 15 February 2008 - 09:56 AM

I use Google search for almost everything, and what I have found helpful is a download called "Fijan". It has a shield icon, and when you use the Google Search, there is either a green check or red "X" by the link. The red "X" means it is a questionable website. This also works on other links at the bottom of web pages. I can't tell you the website for the download, but if you type the name in the Google Search bar, I'm sure it will come up. Just use caution as to the places you download it from.

#18 uclonewolf3

uclonewolf3

    Member

  • Full Member
  • Pip
  • 2 posts

Posted 15 February 2008 - 09:58 AM

FYI...

- http://explabs.blogs...nocent searches
February 02, 2008 - "...more innocent searches... some from the last couple of days...
coal furnace with gas insert - fake codec
road trip - neosploit
pearl shop - neosploit
high capacity battery pack - fake codec/ rootkit
eyelashes + adhesive - fake codec
camping turon gate - fake codec
greenville gremlins - fake codec
blueberry jam - mpack/ icepack
school closings in illinois parents - search engine hijack
las vegas wedding photographers - mdac
carolina theater - mpack/ icepack ..."

:ph34r:



#19 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 15 February 2008 - 10:32 AM

...helpful is a download called "Fijan".

If you mean "Finjan", the Firefox browser link is here:
> https://addons.mozil...efox/addon/4892

...There are others, as in:

McAfee Site Advisor
- http://www.siteadvisor.com/

... and LinkScanner:
- http://www.explabs.c...ucts/lslite.asp

...but they -all- have limitations - nobody can "Cover the World" except Sherwin Williams, and they only make paint.

:ph34r:

Edited by apluswebmaster, 15 February 2008 - 10:36 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#20 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 18 March 2008 - 01:42 PM

FYI...

Google Ads abused to serve Spam and Malware
- http://preview.tinyurl.com/2opnkh
March 17, 2008 (McAfee Avert Labs) - "Early this year we observed spammers using Google page ads in HTML-formatted emails to redirect users who click the spammed URL to the spammers’ sites... At first we thought Google page ads were being used to conceal the actual URL and subvert traditional anti-spam detection techniques. However, it seems one can change the linked URL to point to any site of your choice–as no validation appears to be done on Google’s end. One can even point the Google page ad to executable files (malware authors have started doing this), and the link will redirect and download the malware just fine. It’s kind of ironic given than Google is very strict about the kind of file attachments one can upload/download via their Gmail service... Google must be aware of this redirect abuse, and it’s hard to understand why they don’t prevent these -redirects- working for known bad file types or for spam and malware sites."

:grrr: :ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#21 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 28 March 2008 - 07:04 AM

Massive IFRAME SEO Poisoning Attack Continuing...

- http://ddanchev.blog...ing-attack.html
March 28, 2008 - "Last week's massive IFRAME injection attack is slowly turning into a what looks like a large scale web application vulnerabilities audit of high profile sites. Following the timely news coverage, Symantec's rating for the attack as medium risk, StopBadware commenting on XP Antivirus 2008, and US-CERT issuing a warning about the incident, after another week of monitoring the campaign and the type of latest malware and sites targeted, the campaign is still up and running, poisoning what looks like over a million search queries with loadable IFRAMES, whose loading state entirely relies on the site's web application security practices - or the lack of. What has changed since the last time? The number and importance of the sites has increased, Google is to what looks like filtering the search results despite that the malicious parties may have successfully injected the IFRAMEs already, thus trying to undermine the campaign, new malware and fake codecs are introduced under new domain names, and a couple of newly introduced domains within the IFRAMES themselves... The main IPs within the IFRAMES acting as redirection points to the newly introduced rogue software and malware, remain the same, and are still active. The very latest high profile sites successfully injected with IFRAMES forwarding to the rogue security software and Zlob malware variants: USAToday.com, ABCNews.com, News.com, Target.com, Packard Bell.com, Walmart.com, Rediff.com, MiamiHerald.com, Bloomingdales.com, PatentStorm.us, WebShots.com, Sears.com, Forbes.com, Ugo.com, Bartleby.com, Linkedwords.com, Circuitcity.com, Allwords.com, Blogdigger.com, Epinions.com, Buyersindex.com, Jcpenney.com, Nakido.com, Uvm.edu, hobbes.nmsu.edu, jurist.law.pitt.edu, boisestate.edu... For the time being, Google is actively filtering the results, in fact removing the cached pages on number of domains when I last checked, the practice makes it both difficult to assess how many and which sites are actually affected, and of course, undermining the SEO poisoning, as without it the input validation and injecting the IFRAMEs would have never been able to attract traffic at the first place. The attack is now continuing, starting two weeks ago, the main IPs behind the IFRAMES are still active, new pieces of malware and rogue software is introduced hosting for which is still courtesy of the RBN, and we're definitely going to see many other sites with high page ranks targeted by a single massive SEO poisoning in a combination with IFRAME injections. Which site is next? Let's hope not yours..."

- http://www.securityfocus.com/blogs/708
2008-03-28 - "...Danchev... published a blog about another batch of servers getting injected with malicious code and we have confirmed the attack here at Symantec. If you're an IT administrator, you will want to temporarily add them to the list of IPs to filter (block):
* 72.232.39.252
* 195.225.178.21
* 89.149.243.201
* 89.149.220.85
In the past we've seen many low-profile sites being targeted with the IFRAME attack, but this time the list of hacked sites include many high-profile sites as well..."

(Please do NOT visit any of the IPs in the commentary - they are to be considered dangerous.)

:grrr: :ph34r: :grrr:

Edited by apluswebmaster, 28 March 2008 - 09:54 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#22 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 30 March 2008 - 06:43 AM

A few tips from Finjan:

- http://www.finjan.co...px?EntryId=1905
Mar 16, 2008 (MCRC blog) - "...It will be interesting to see how this will work out since sites still cache search results, thus allowing search engines to index those as results as well. That practice is exploited here where the site is affected by a XSS, which is then in turn “immortalized” when a search engine sees it. In the meantime we would recommend the following:
1. Website owners and developers - XSS is rated no. 1 in the OWASP top 10 web application vulnerabilities* (no pun intended). Most of them are known. Test for it, fix it. It may not be a direct threat to YOUR site, but it's a security issue nonetheless and poses a risk to your users.
2. Stop allowing the caching of search results. All the XSS were found in the search pages of the vulnerable sites. Just disable search engine caching for them. There is no added value in it.
3. Search Engines - you have the money and the resources. Although it's OPP (other people's problem), you can help prevent and mitigate such incidents (kudos to Google for their ongoing efforts)..."
* http://www.owasp.org...10_2007#Summary

:ph34r:

Edited by apluswebmaster, 31 March 2008 - 06:20 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#23 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 31 March 2008 - 04:40 AM

FYI...

- http://www.theregist...ed_site_survey/
31 March 2008 - "...ScanSafe found the amount of time a website hosting malicious code remains live increased during the second half of 2007. Malware on infected sites remained live for an average of 29 days in 2H07, up 62 per cent from the first half of the year. Forms of malware undetected by scanner packages have an even a longer shelf life once they compromise a site, persisting an average of 61 days in the second half of 2007."

:!:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#24 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 01 April 2008 - 01:32 PM

FYI...

- http://www.vnunet.co...-attack-lingers
31 Mar 2008 - "A malware attack targeting search engine results is continuing to haunt several high-profile sites. The attack uses the common cross-site scripting practice of embedding pages with small IFrame tags which redirect the user to a malicious page on a third-party site... The hackers have compromised search result pages, using search engine optimisation techniques to hijack search results and send users to sites which host malicious downloads. Among the sites said to be compromised are major news outlets ABC, USAToday and Forbes, and retailers Wal-Mart, Target and Sears... Administrators can protect against the attack by plugging the input validation vulnerabilities used to seed the malicious code within the pages..."

SANS NewsBites Vol. 10 Num. 26
- https://www.sans.org...issue=26#sID307
4/1/2008 - "...you can make the world a better place by blocking four IP addresses,:
* 72.232.39.252
* 195.225.178.21
* 89.149.243.201
* 89.149.220.85 ..."

(Once again, please do NOT visit those IPs, just BLOCK them.)

:!:

Edited by apluswebmaster, 03 April 2008 - 02:28 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#25 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 06 April 2008 - 10:01 AM

FYI...

- http://sunbeltblog.b...-inundated.html
April 05, 2008 - "As we’ve seen before, this continues to be a problem on Google Groups: Fake posts pushing porn that pushes malware (fake codecs)... This really needs to get cleaned up. There’s a reason why so many of the threats that we see users getting infected with are invariably fake codec related..."

(...because it works. Screenshots available at the URL above.)

:grrr: :ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#26 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 07 April 2008 - 12:44 PM

FYI...

- http://www.trustedso...s...=blog&id=31
April 7, 2008 - "The infamous “Storm worm” is back and now the spam messages contain links to the domain blogspot .com - Google’s Blogger service. The spammed subjects look like “Crazy in love with you“, “I Love Being In Love With You” or “Fallen for you“. The mail body contains just simple short sentences like “I’ll never stope loving you“, “With All My Love” or “Deeply in love with you“, followed by a link to Blogger... When a curious user will follow the lure, he will be presented a Blogger web site like above. An executable file named ‘withlove.exe‘ is linked and downloaded from another fast-fluxing domain... BTW: Storm is not the first malware which invades Blogger. Last year Zlob was also present on many Blogs, waiting to show the infamous missing codec error messages. So be aware..."

:!: :ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#27 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 17 April 2008 - 05:52 AM

FYI...

- http://preview.tinyurl.com/5hq4xc
16 Apr 2008 | SearchSecurity.com - "...The technique of using otherwise legitimate sites to host and deliver malware is an increasingly popular one and has continued to be effective for a number of reasons. Most importantly, users do not expect to find malware on e-commerce, news and entertainment sites that they trust and have been visiting for years. But there's also the problem of finding and removing the malicious pages. It's much easier to isolate and blackhole an entirely malicious site than it is to find and take down one infected page among thousands on a legitimate site. In his analysis of the malware utility, ISC handler Bojan Zdrnja wrote* that after infecting a new site, the program then checks with a remote server in China, possibly to confirm the new infection as part of a pay-per-infection scheme. After that operation, the tool will then connect to Google and use a specific search string to find vulnerable sites..."
* http://isc.sans.org/...ml?storyid=4294

:ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#28 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 17 April 2008 - 06:10 PM

FYI...

- http://securitylabs....Blogs/3068.aspx
4.17.2008 - "... research has uncovered a case where a museum's compromised Web server is serving malicious code based on the referrer making the request. A referrer could be, for example, a search engine such as images.google.com. As interesting as the fact that they're doing this, however, is which referrers trigger the delivery of malicious content, when others do not. In this case, the malicious content is served -only- when the referrers for the request are certain high-profile image search sites... For example, if a browser attempted to load a page with the desired image through images.google.com, malicious content was delivered. However, if a normal Google search (www.google.com) was used for the same image with the same URL, the result was the proper page, -without- the malicious redirect. So far, the list of image search sites that are used as affected referrers by the attacker are among the most high-profile image searches on the web:
* images.google.com
* images.search.yahoo.com
* www.altavista.com/image/default
* search.live.com/images/
... another screenshot of the same page, but with referrer data disabled. This page contains the normal page content, not the malicious code. The decision on what content to send is made on the server, so this attack is browser-independent. Regardless of which browser is used, if the referrer information on the request is one of the affected image search engines, the malicious content is delivered... it seems as though the museum's page has also been compromised with a search engine poisoning attack. Beyond the normal reasons for such a compromise, we can theorize that this may have been done to increase the site's search ranking, making it more likely for its images to come up in a search. As a result, more systems are likely to be infected by the malicious content."

Screenshots available at the URL above.)

:ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#29 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 17 April 2008 - 07:54 PM

FYI...

Google Pages Porn Malware Invasion Continues Unabated
- http://sunbeltblog.b...e-invasion.html
April 17, 2008 - "... Hundreds of thousands of pages, if not over a million. Examples (warning: graphic language)... And there’s also splogs pushing malware, not as porn, but just off of keywords. Here’s a search for “Symantec Download”... file being pushed, setup.exe, is a trojan. Or, let's use the search term “McAfee download”... (I’m not picking on these AV companies, if you do similar searches for Sunbelt products, you’ll hit these types of things as well.) These slimeballs are using all kinds of keywords. Here’s some more, like Blackberry Ringtones and Free Messenger Download, returning spam links... Or how about keeping it simple, and just saying “free download”? Malware!... A large part of this is most certainly caused by bots uploading stuff, breaking the CAPTCHA. They may not break it all the time, but they do break it probably 10% of the time. That’s enough to upload a ton of garbage..."

(Screenshots available at the URL above.)

:ph34r: :ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#30 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 06 May 2008 - 04:45 AM

FYI... (now, not "malware", just FRAUD)

- http://www.networkwo...el-new-url.html
05/02/2008 - "Google adwords account holders are being targeted by criminals out to trick them into handing over credit card information using a clever URL spoof that has gained popularity in recent weeks. On the face of it, the scam follows a traditional attack route involving the sending of spam emails to random Internet addresses in the hope of finding users who have purchased adwords. The email claims that the user's account payment has failed and asks them to "update payment information", again a transparent ploy by today's standards... As obvious as this might sound, the unwary might easily be tricked by the convincing http ://adwords .google .com/select/login link embedded in the email, a perfect copy of the correct Google login address. This one, however, actually leads to hxxp ://www .adwords .google .com.XXXX.cn/select/Login [address altered], an obfuscated address that directs to a site associated with IPs in Germany, Romania, and the Czech Republic. The site is a good copy of the real Google adword site, and appears to let users login using their real account details - any account details will work in fact. Entering payment details results in that information being posted using an SSL link to a remote server after which the account will ripped off. The attack has been publicized by security software company Trend Micro*, but the disarmingly simple scam is widespread enough to have been received by ordinary users in recent days..."
* http://blog.trendmic...words-phishing/
May 1, 2008

:ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#31 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 25 June 2008 - 07:54 AM

FYI...

- http://preview.tinyurl.com/5cvvdw
June 24, 2008 (Infoworld) - "...Stopbadware.org released data on "badware" Web sites on Tuesday, saying that Google was one of the top five networks responsible for hosting these dangerous Web sites.
The numbers show that China is now a top source of malicious Web sites -- China-based networks hosted more than half of the malicious Web sites tracked by the group -- but Google's appearance on the list is perhaps more remarkable...
A year ago, Google did not appear on Stopbadware.org's list of the top 10 sources of badware, but recently scammers and online criminals have turned to Google's Blogger service to host malicious or spyware-related Web pages... In March, Google was the top badware network tracked by Stopbadware*..."

* http://blogs.stopbad...-for-march-2008
Top Infected IP Addresses

> http://www.stopbadwa...rg/home/badwebs

:!:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#32 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 16 August 2008 - 05:34 AM

FYI...

A Million Search Strings to Get Infected
- http://blog.trendmic...o-get-infected/
August 15, 2008 - "...We received several reports from the North American region earlier today about users being victimized by a rogue antispyware, which these users have downloaded after they have somehow been convinced to click on malicious links. These links point to malware that caused overt signs (such as popup balloons and modified wallpapers) to appear in the PC suggesting that the system has indeed been infected. This is not goodwill, though — because downloading the ‘trial version’ only scans the system. To remove the infection the user will have to purchase the entire antispyware for real money. Users may be infected via spammed email messages, spammed instant messages, or even via ads served in social networking sites. Soon enough, we’ve discovered not one but two fake antivirus software. This time the attack is made possible through a mass SEO poisoning involving several compromised Web sites. This development has certainly upped the chances of the rogue antispyware gaining mileage. How does this work? A simple Google/Yahoo! search can lead you to malware-serving site. Search strings such as “changes on the river amazon” or “changes made for mount Pinatubo” will lead you to a malicious Web site. Users who happen to use these strings will find themselves going down the long road of nasty redirections... After all the fake notifications, the user will be asked to download AV2009Install_880488.exe. The other fake antivirus will lead users to hxxp ://scan. free-antispyware-scanner. com ... This will ask the user to download setup_100722_3.exe instead of AV2009Install_880488.exe. (Note that the final agenda for both and most rogue antispyware scams is extortion. Users who fall for this scam pay a certain amount of money to the malware writers to purchase the full version of the fake antispyware.)
According to our investigation, there are about several dozen domains involved that are currently compromised. The hackers were able to upload PHP scripts that contain various text strings designed for SEO poisoning (SEO poisoning is manipulating or influencing the natural page rankings of search results in order to get more hits than a page really deserves). This is not the first time Trend Micro has seen this incident, a previous SEO poisoning of this scale was also discovered December 2007, with SEO poisoning pages hosted on Blogspot. This time around, compromised web sites were used instead. Digging a little bit deeper, we’ve also found out that the hackers have almost 1 million search phrases at their disposal for SEO poisoning. These search phrases covers the range from free downloads, lyrics, travel, politics and anything in between. Malicious sites have “CLICK HERE! ALL INFORMATION!” and “CLICK HERE! WANT TO KNOW MORE ABOUT” as their page titles, so it will be best to avoid clicking through Google/Yahoo! results that have those aforementioned site titles."

(Screenshots available at the TrendMicro URL above.)

//
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#33 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 23 August 2008 - 06:26 PM

FYI...

Continuing problem - malware advertised in Google Adwords
- http://sunbeltblog.b...ware-being.html
August 23, 2008 - "Google continues to have a problem with malware being advertised in Google Adwords, in this case, for the trojan Antivirus XP 2008... An exacerbating part of the problem, of course, is that Google Adwords are massively syndicated to other sites, including heavy-hitters like CNET, all of whom may unknowingly push malware through these ads. A lot of people can get affected by this type of problem."
(Screenshots available at the URL above.)

- http://sunbeltblog.b...sist-irony.html
August 23, 2008 (Yet another Screenshot)

//
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#34 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 06 November 2008 - 12:29 PM

FYI...

More Google searches resulting in rogue AV
- http://blog.trendmic...ng-in-rogue-av/
Nov. 5, 2008 - "... 2 scenarios resulting (in) rogue AV downloads, also done through hijacking Google search results... In the first scenario, queries for the string refa+zeitaufnahmebogen [related to a German association for work design] on the German Google website (www.google.de) yield suspicious results... Using Wireshark, I’ve found that this was achieved through a redirection to yet another URL entirely... While the first scenario is more of a targeted attack, this next one proves to aim at a wider range of victims, and timely as well considering the US elections. Malicious results were also found generated from queries for the string absentee voting... And of course, this is another work of the FakeAV gang. Clicking the result triggers a series of redirections; however the payload, or the fake AV itself, is not there anymore. The downloaded file has the same name..."

(Screenshots available at the URL above.)

:ph34r:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#35 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 24 November 2008 - 09:29 AM

FYI...

Bogus ‘HouseCall’ Search Results Lead to Adware
- http://blog.trendmic...lead-to-adware/
Nov. 23, 2008 - "Given the popularity of Trend Micro’s free online scanner HouseCall, it shouldn’t be a surprise that hackers are now trying to exploit it for their benefit... found this unwelcome search result that comes up when a user searches for “free online virus scan by Trend Micro” in Google... Not surprisingly, the system scanning is completely fake. In actuality, the page linked to in the initial resulting Google search - along with other pages from the same domain - all point to a file detected by Trend Micro as ADW_FAKEAV. This is the software that tries to dupe victims into believing that their systems are infected with some sort of bogus malware and the prompts them to pay for a full license of a fake antivirus application in order to remove the fake threat. ADW_FAKEAV also connects to a remote website downloads another adware program detected as ADW_FAKEAV.O, so in this entire process, victims are exposed to more adware threats... This would not be the first time our products’ names were used in malicious operations..."

(Screenshot available at the URL above.)

:ph34r: :grrr:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#36 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 24 December 2008 - 05:46 AM

FYI...

Fake antivirus peddlers... using redirects
- http://preview.tinyurl.com/7khzp9
12/24/2008 (Networkworld.com) - "... Over the past four days the scammers have used so-called redirector links on Web sites belonging to magazines, universities and, most remarkably, the Microsoft.com and IRS.gov domains, said Gary Warner, director of research in computer forensics with the University of Alabama at Birmingham, who first reported the activity on his blog* Tuesday. Many Web sites use redirector links to take visitors away from the site, although the Web site operators try to stop them from being misused by scammers... If criminals can use a redirector on a major Web site like Microsoft.com or IRS.gov, however, they can make their malicious links pop up very high in Google search results... The FTC estimates that 1 million consumers were taken in by other fake antivirus products which go by names such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe and XP Antivirus... the scammers behind this latest operation may be connected to the earlier scams..."
* http://garwarner.blo...nfect-your.html
December 23, 2008 - "An unknown hacker has been on a Search Engine Optimization rampage to flood search engines with more than a million ways to infect yourself with his virus... You can review the coverage on "install.exe" on VirusTotal.com**... where only 5 of 37 antivirus products were able to identify the file as malware...
UPDATE!
Microsoft has closed the Open Redirector which was being abused... Clicking one of the Microsoft pages indicated in the Google search... will now take you to a safe page stating that the page was not found, and then forwarding you to a Microsoft search page. Thanks to Microsoft for such a quick response once the problem was pointed out to them."
** http://www.virustota...81de81583e36fa0

:techsupport:

Edited by apluswebmaster, 24 December 2008 - 05:48 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#37 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 07 January 2009 - 12:31 PM

FYI...

- http://www.viruslist...logid=208187615
January 05, 2009 - "Drive-by downloads became increasingly common in 2008. With webmasters becoming more aware of security issues, the criminals out there are always looking for new techniques to ensure that their malware survives longer... The malware writers start by doing Google searches to identify popular websites. The most popular sites thrown up by each search are then 'pen-tested' for vulnerabilities. The most vulnerable websites are then compromised and in order to cover their tracks, malware writers aren't adding code to these compromised pages in the form of new files or even obfuscated code. Instead, they're simply modifying scripts that are already running on the compromised pages... it's not just websites which have been optimized to achieve high search rankings that are being used; the criminals are also targeting some security sites... Compromising websites optimized for search engine success and infecting users through a series of malicious re-directs is bound to be a popular attack vector in 2009 and will undoubtedly cause webmasters new headaches. This case just goes to show that nothing on the Internet is as safe as it might seem. And it's not just Google that's affected – I tested this attack scenario using Yahoo! and MSN, and the results were the same..."

:ph34r: :grrr:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#38 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 18 January 2009 - 03:50 PM

FYI...

- http://sunbeltblog.b...ishing-run.html
January 18, 2009 - "Google Adwords phishes have been quiet for a while, but now they're back. Unlike most of the other Google Adwords runs, these are not using .cn TLDs, instead ones like Burkina Faso and EU (.be and .eu)... All fast flux... And all appear to have been registered with Tucows..."

(Screenshots available at the URL above.)

:ph34r: :grrr:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#39 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 02 February 2009 - 07:31 AM

FYI...

- http://blog.trendmic...being-poisoned/
Feb. 1, 2009 - "... new blackhat SEO poisoning makes clear that online search tools are quickly becoming favorite platforms for online criminals in their operations.
Search traffic on Google Video were found to be polluted: instead of legitimate videos researchers found some 400,000 queries returning video results that have a single redirection point, and one that eventually leads to malware download and execution.
Trend Micro detects the malicious executable as WORM_AQPLAY.A. This worm - file name FlashPlayer.v3.181.exe and from that alone one can already guess the social engineering strategy - spreads via removable and network drives when autorun is enabled. It masquerades as an Adobe Flash installer, which users who visit certain spoofed versions of video streaming websites are prompted to download and install. What's more interesting here is how users get to these spoofed websites in the first place. Researchers believe that the gang behind this threat is maintaining a notable number of domains for their malicious operations. These domains have keyword-riddled pages, so they appear on top of search results when users enter certain related strings. A user, thinking that top search results are reliable, is then unknowingly trapped into visiting a malicious website. This is typical of most SEO poisoning attacks, but it does not end there. This new threat also comes with a detection-evasion technique: only users who are redirected from Google Video are prompted to download FlashPlayer.v3.181.exe.
Blackhat SEO threats take advantage of the trust users put on online search tools. Through this method cybercriminals are able to manipulate results such that malicious websites appear first on search lists..."

:ph34r: :grrr:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.




Member of UNITE
Support SpywareInfo Forum - click the button