Tuesday, November 27, 2007 1:00 PM PST
A large-scale, coordinated campaign to steer users from search results toward malware-spewing Web sites is under way, security researchers said Tuesday.
Users searching Google with any of hundreds of legitimate phrases -- from the technical "how to cisco router vpn dial in" to the heart-tugging "how to teach a dog to play fetch" -- will see links near the top of the results lists that lead directly to malicious sites hosting a mountain of malware. "This is huge," said , 's CEO. "So far we've found 27 different domains, each with up to 1,499 [malicious] pages. That's 40,000 possible pages."
Those pages have had their Google ranking boosted by crooked tactics that include "comment spam" and "blog spam," where bots flood the comment areas of sites with links or post large numbers of them as fake blog posts. Attackers may be using bots to plug links into any Web form that requests a URL, added Sunbelt malware researcher .
There's no evidence that the criminals bought Google search keywords, however, nor that they've compromised legitimate sites. Instead, they've gamed Google's ranking system and registered their own sites.
"They get themselves on to Google, then redirect people to their malware pages," said Eckelberry. Most users wouldn't suspect anything's awry with the rogue results, although the ultra-wary might be leery because many of the malicious URLs are just a jumble of characters, with 's .cn top-level domain at their ends.
Once shunted to a malware-hosting site, the user might confront a fake codec installation dialog. If the user doesn't bite, the page's IFRAME will get him, said Thomas. "This is what's doing the most damage," he said. "It's loaded with every piece of malware you can think of, including bogus toolbars, rogue software and scareware."
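The article names two observable indicators a defender can act on without any malware analysis: search-result links whose hostnames are a jumble of characters under the .cn top-level domain, and landing pages that fall back to an IFRAME when the fake codec prompt is declined. The following Python is an added example, not code from the article or from Sunbelt, that turns those two indicators into a simple triage pass: a lexical check on the registrable hostname label plus an IFRAME scan that flags zero-size or hidden frames. The thresholds, the `SUSPICIOUS_TLDS` set, and all sample URLs and HTML are constructed assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the article's indicator was .cn; a real deployment
# would tune this list from its own telemetry rather than hard-code one TLD.
SUSPICIOUS_TLDS = {"cn"}


def label_looks_random(label: str) -> bool:
    """Crude lexical test for 'a jumble of characters': a long label that
    mixes digits into letters or has almost no vowels. Thresholds are assumptions."""
    if len(label) < 8:
        return False
    letters = [c for c in label if c.isalpha()]
    has_digit_mix = any(c.isdigit() for c in label) and bool(letters)
    vowel_ratio = sum(c in "aeiou" for c in letters) / max(len(letters), 1)
    return has_digit_mix or vowel_ratio < 0.25


def url_is_suspicious(url: str) -> bool:
    """Flag a result URL when its TLD is on the watch list and the registrable
    label looks machine-generated. Uses parts[-2] as the registrable label, which
    ignores two-part public suffixes such as .com.cn (a simplification here)."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    if len(parts) < 2:
        return False
    tld, registrable = parts[-1], parts[-2]
    return tld in SUSPICIOUS_TLDS and label_looks_random(registrable)


def flag_results(urls):
    """Return the subset of a search-result list that trips the URL heuristic."""
    return [u for u in urls if url_is_suspicious(u)]


class IframeScanner(HTMLParser):
    """Collect every <iframe> and note whether it is effectively invisible."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # HTMLParser lowercases tag names
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        style = re.sub(r"\s+", "", a.get("style", "")).lower()
        hidden = (
            a.get("width", "").strip() in {"0", "1"}
            or a.get("height", "").strip() in {"0", "1"}
            or "display:none" in style
            or "visibility:hidden" in style
        )
        self.findings.append({"src": a.get("src", ""), "hidden": hidden})


def scan_html_for_iframes(html: str):
    """Parse a fetched landing page and return its IFRAME findings in document order."""
    parser = IframeScanner()
    parser.feed(html)
    return parser.findings


# Constructed sample input: a mix of ordinary result links and two gibberish .cn hosts.
SAMPLE_RESULTS = [
    "http://www.example.com/how-to-teach-a-dog-fetch",
    "http://docs.example.org/cisco-router-vpn-dial-in",
    "http://xkqzvtrpw8.cn/index.html",
    "http://weather.example.cn/today",
    "http://qxzvbnmtrwk.cn/page.php?q=fetch",
]

# Constructed landing page: the decoy codec prompt plus a zero-size IFRAME, and one
# ordinary visible frame so the scanner's distinction is visible.
SAMPLE_HTML = (
    '<html><body><p>A codec is required to view this video. Install now?</p>'
    '<iframe src="http://xkqzvtrpw8.cn/frame.html" width="0" height="0"></iframe>'
    '<iframe src="http://www.example.com/widget" width="300" height="200"></iframe>'
    "</body></html>"
)

if __name__ == "__main__":
    for u in flag_results(SAMPLE_RESULTS):
        print("suspicious result:", u)
    for f in scan_html_for_iframes(SAMPLE_HTML):
        print("iframe", f["src"], "hidden" if f["hidden"] else "visible")
```

The URL check is deliberately cheap so it can run over every result a proxy or browser extension sees; the IFRAME scan is the second, more expensive stage for pages the first stage flags. Neither replaces a real URL reputation feed, but together they catch exactly the two tells the researchers describe.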
One site that Thomas encountered tried to install more than 25 separate pieces of malware, including numerous Trojan horses, a spam bot, a full-blown rootkit, and a pair of password stealers. All the malicious code pitched at users is well-known to security vendors, and can only exploit PCs that aren't up-to-date on their patches.
"I ran into one, and it hosed my VM [virtual machine]," said Eckelberry. "Completely hosed it."
While Eckelberry called the scam "impressive" in scope, Thomas echoed his boss in describing the attack's magnitude. "It's like they've covered any possible search term you can think of," said Thomas. "There are tens of thousands of [malicious] pages out there."
Sunbelt's company blog sports screenshots of several Google search results lists, with malware-infecting sites identified, as well as images of the fake codec installation dialogs and the code of one of the malicious IFRAMEs.