Update: Subverted search sites lead to massive malware attack in progress
Trojans, rootkits, password stealers hit users who click on a bad link after a search
Computerworld - A large-scale, coordinated campaign to steer users toward malware- spewing Web sites from Google and other Internet search engines is under way, security researchers said Tuesday.
Users searching Google, Yahoo, Microsoft Live Search and other engines with any of hundreds of legitimate phrases -- from the technical "how to cisco router vpn dial in" to the heart-tugging "how to teach a dog to play fetch" -- will see links near the top of the results listings that lead directly to malicious sites hosting a mountain of malware.
"This is huge," said Alex Eckelberry, Sunbelt Software's CEO. "So far we've found 27 different domains, each with up to 1,499 [malicious] pages. That's 40,000 possible pages."
Those pages have had their search site ranking boosted by crooked tactics that include "comment spam" and "blog spam," where bots inundate the comment areas of sites with links or mass large numbers of them as bogus blog posts. Attackers may be using bots to plug links into any Web form that requests a URL, added Sunbelt malware researcher Adam Thomas.
There's no evidence that the criminals bought search keywords, however, nor that they've compromised legitimate sites. Instead, they've gamed search site ranking systems and registered their own sites.
"They get themselves on to Google, then redirect people to their malware pages," said Eckelberry. Most users wouldn't suspect anything's amiss with the rogue results, although the ultra-wary might be suspicious because many of the malicious URLs are just a jumble of characters, with China's .cn top-level domain at their ends.
Once shunted to a malware-hosting site, the user might face a fake codec installation dialog. If the user doesn't bite, the page's IFRAME will get him, said Thomas. "This is what's doing the most damage," he said. "It's loaded with every piece of malware you can think of, including fake toolbars, rogue software and scareware."
One site that Thomas encountered tried to install more than 25 separate pieces of malware, including numerous Trojan horses, a spam bot, a full-blown rootkit, and a pair of password stealers. All the malicious code pitched at users is well-known to security vendors, and can only exploit PCs that aren't up-to-date on their patches.
"I ran into one, and it hosed my VM [virtual machine]," said Eckelberry. "Completely hosed it."
While Eckelberry called the scam "impressive" in scope, Thomas echoed his boss in describing the attack's magnitude. "It's like they've colored any possible search term you can think of," said Thomas. "There are tens of thousands of [malicious] pages out there."
Sunbelt's company blog sports screen shots of several Google search results lists, with malware-infecting sites identified, as well as images of the bogus codec installation dialogs and the code of one of the malicious IFRAMEs.
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts