Malware Dealers Game Search Engines to Dispense Payload
According to Computerworld, some malware distributors have made a concerted effort to push their sites to the top of seemingly harmless search results. By using bots to spam blog comments, and even to create whole blogs, along with other methods, they have gamed the page-ranking systems used by search engines such as Google, Live Search, and Yahoo! Search. The pages look innocuous in the results, but once visited they may try to trick the user into installing a fake codec. Others are less upfront: the page's IFRAME pulls in malware as soon as the user lands on it, with no further clicks required. Most of these attacks combine more than one method.
Computerworld interviewed several employees of Sunbelt Software (a security software vendor), including Alex Eckelberry, its CEO:
"This is huge," said Alex Eckelberry, Sunbelt Software‘s CEO. "So far we’ve found 27 different domains, each with up to 1,499 [malicious] pages. That’s 40,000 possible pages."
Another employee, malware researcher Adam Thomas, identified the core of the threat to users:
"[The page’s IFRAME] is what’s doing the most damage," he said. "It’s loaded with every piece of malware you can think of, including fake toolbars, rogue software and scareware."
According to Sunbelt, most of these rogue results have odd URLs: a jumble of characters under China's .cn top-level domain.
As is usually the case, users who keep their systems fully patched are least likely to be affected, since the IFRAME route depends on an exploitable hole in the browser or one of its plug-ins; the fake-codec route depends on the user agreeing to install something. Using a modern web browser is also a good idea where possible. And when your first result for "dogs" is at lfieafhdksal.cn, it's probably not a benevolent result.
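As an added illustration (not code from Computerworld, Sunbelt, or this site), here is a small Python scanner that applies the two tells described above to a page's HTML: an IFRAME that is hidden or zero-sized, and an IFRAME whose source is a gibberish hostname under .cn. The sample page, the .cn-only TLD list, and the gibberish thresholds (a run of four or more consonants, or fewer than one vowel in five letters, in a label of at least eight letters) are assumptions chosen for the demonstration, not figures from the report.

```python
"""Heuristic triage for the SEO-poisoning pattern described above: flag
IFRAMEs that are hidden/zero-sized or that point at a random-looking
hostname under a suspect TLD. Added example; not Sunbelt's or
Computerworld's code. Thresholds and sample data are assumptions."""
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample page (not a captured page from the campaign): one
# hidden drive-by IFRAME on a gibberish .cn host, one ordinary video embed.
SAMPLE_HTML = """
<html><body>
<h1>dogs dogs dogs puppies dogs</h1>
<iframe src="http://lfieafhdksal.cn/index.php" width="0" height="0"
        style="visibility:hidden"></iframe>
<iframe src="https://www.youtube.com/embed/abc123"
        width="560" height="315"></iframe>
</body></html>
"""

SUSPECT_TLDS = {"cn"}  # assumption: the one TLD the report calls out
VOWELS = set("aeiou")


def consonant_run(label: str) -> int:
    """Longest run of consecutive consonants in a DNS label."""
    longest = current = 0
    for ch in label.lower():
        if ch.isalpha() and ch not in VOWELS:
            current += 1
            longest = max(longest, current)
        else:
            current = 0
    return longest


def looks_random(label: str) -> bool:
    """Gibberish test for a DNS label. Thresholds are assumptions tuned to
    catch keyboard-mash names like 'lfieafhdksal' while passing ordinary
    brand names; a production scanner would calibrate on real data."""
    letters = [c for c in label.lower() if c.isalpha()]
    if len(letters) < 8:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return consonant_run(label) >= 4 or vowel_ratio < 0.2


class IframeCollector(HTMLParser):
    """Collect the attribute dicts of every <iframe> in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def is_hidden(attrs: Dict[str, str]) -> bool:
    """Zero-sized or CSS-hidden frames are typical of drive-by loaders."""
    style = attrs.get("style", "").replace(" ", "").lower()
    zero = {attrs.get("width", "").strip(), attrs.get("height", "").strip()} & {"0", "0px"}
    return bool(zero) or "display:none" in style or "visibility:hidden" in style


def assess_iframe(attrs: Dict[str, str]) -> List[str]:
    """Return the list of heuristics this IFRAME trips (empty if none)."""
    reasons = []
    host = urlparse(attrs.get("src", "")).hostname or ""
    labels = host.split(".") if host else []
    if labels and labels[-1] in SUSPECT_TLDS:
        reasons.append("tld ." + labels[-1])
    if labels and looks_random(labels[0]):
        reasons.append("random-looking host label %r" % labels[0])
    if is_hidden(attrs):
        reasons.append("hidden or zero-sized frame")
    return reasons


def scan_html(html: str) -> List[Dict[str, object]]:
    """One finding per IFRAME that triggered at least one heuristic."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = assess_iframe(attrs)
        if reasons:
            findings.append({"src": attrs.get("src", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding["src"], "->", "; ".join(finding["reasons"]))
```

Two caveats for anyone running this over real pages: the gibberish test is triage, not a blocklist, because ordinary words with long consonant clusters (e.g. "strengths") also trip the consonant-run rule; and the parser only sees the HTML the server sends, so an IFRAME written into the page by JavaScript would need a rendered DOM to be caught.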
Deep Thought’s Take: I was unable to reproduce the screenshots shown on the blog, so the threat may be on the downswing. That does not mean, however, that you shouldn’t keep your system up to date. There’s a reason why most update systems download automatically then bug you to install.
More Info
Computerworld Article
Sunbelt Blog: Screenshots of the Threat
Liam | 5 comments | 2635 views
thinkback
Mac Fan, had you RTFA you’d see the screenshots and what browsers it affects. The attack is the same “download and install this codec” attack that made news by hitting the Mac a few weeks ago.
No, SP2 machines in default config are affected by this attack because the system will automatically download and install patches.
The iFrame exploit isn’t at all the same as downloading a disk image, mounting it, running it, entering your password.
Once shunted to a malware-hosting site, the user might face a fake codec installation dialog. If the user doesn’t bite, the page’s IFRAME will get him, said Thomas. “This is what’s doing the most damage,” he said. “It’s loaded with every piece of malware you can think of, including fake toolbars, rogue software and scareware.”
Had you RTFA you'd see that many of those malicious sites use the same TrojanDNSchanger.dmg that hit Macs a few weeks ago. So yes, the attack is the same.
I’ll take this to the forum.
I’m told that this is impossible in a post-SP2 world.
I didn’t see which browsers and which versions of Windows are affected. Do you know, Liam?