November 27th, 2007

Sunbelt Software: Google search results delivering massive malware attacks

Posted by Larry Dignan @ 6:14 pm

For the last two days, security software firm Sunbelt Software has been all over what could develop into a scary trend: Rigged Google search results that deliver big malware payloads.

On Monday, Sunbelt reported “we’re seeing a large amount of seeded search results which lead to malware sites.” The search terms leading you to these malware payloads were pretty basic fare.

This screenshot courtesy of Sunbelt shows an example of the malware sites (Sunbelt’s post has a bunch of other examples).

[Screenshot courtesy of Sunbelt: example search results leading to malware sites]

On Tuesday, Sunbelt researcher Adam Thomas followed up with another post. Thomas wrote:

Sunbelt Software has uncovered tens of thousands of individual pages that have been meticulously created with the goal of obtaining high search engine ranking. Just about any search term you can think of can be found in these pages.

Simply put, damn near any Google search term, even terms like “hospice”, can take you to one of these malware sites. Computerworld quotes Sunbelt Software CEO Alex Eckelberry as saying “this is huge.” I’m inclined to agree, especially considering Eckelberry’s inventory: “27 different domains, each with up to 1,499 [malicious] pages. That’s 40,000 possible pages.”

Thomas continues:

For months now, our Research Team has monitored a network of bots whose sole purpose is to post spam links and relevant keywords into online forms (typically comment forms and bulletin board forums). This network, combined with thousands of pages such as the two seen above, has given the attackers very good (if not top) search engine position for various search terms.

In our previous post, we mentioned that the malicious pages also contained an IFRAME link which would attempt to exploit vulnerable systems. If you were unlucky enough to run across one of these links while surfing with a vulnerable system, you would become infected with a family of malware that we call Scam.Iwin. With Scam.Iwin, the victim’s computer is used to generate income for the attacker in a pay-per-click affiliate program by transmitting false clicks to the attacker’s URLs without the user’s knowledge. The infected Scam.Iwin files are not ordinarily visible to the user. The files are executed and run silently in the background when the user starts the computer and/or connects to the internet.
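For defenders triaging a crawl of suspect pages, here is a sketch of the per-domain inventory Eckelberry describes, keyed on the IFRAME behavior Thomas mentions. It is an added example, not Sunbelt's tooling; the "invisible and off-site" heuristic, the function names and every host in the sample data are assumptions made for illustration.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

class IframeAudit(HTMLParser):
    """Record each <iframe>: its src, whether it is hidden, whether it is off-site."""
    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        # Assumed heuristic: 0- or 1-pixel frames, or CSS-hidden frames, are invisible.
        tiny = any(re.fullmatch(r"[01](px)?", a.get(d, "")) for d in ("width", "height"))
        hidden = tiny or "display:none" in style or "visibility:hidden" in style
        host = urlparse(a.get("src", "")).hostname  # None for relative (same-site) URLs
        off_site = host is not None and host != self.page_host
        self.findings.append({"src": a.get("src", ""), "hidden": hidden, "off_site": off_site})

def suspicious_iframes(page_url, html):
    """Return iframes that are both invisible and loaded from another host."""
    parser = IframeAudit(page_url)
    parser.feed(html)
    parser.close()
    return [f for f in parser.findings if f["hidden"] and f["off_site"]]

def triage(pages):
    """Count flagged pages per hosting domain, mirroring a per-domain inventory."""
    counts = Counter()
    for url, html in pages.items():
        if suspicious_iframes(url, html):
            counts[urlparse(url).hostname] += 1
    return dict(counts)

# Constructed sample crawl; all hosts are placeholders, not indicators from the article.
SAMPLE_PAGES = {
    "http://seeded-a.example/hospice.html":
        '<p>hospice hospice care</p><IFRAME SRC="http://payload.example/x" WIDTH=1 HEIGHT=1></IFRAME>',
    "http://seeded-a.example/page2.html":
        '<p>keywords</p><iframe src="http://payload.example/x" style="display: none"></iframe>',
    "http://news.example/story.html":   # visible third-party embed: not flagged
        '<iframe src="http://video.example/embed/1" width="560" height="315"></iframe>',
    "http://blog.example/post.html":    # hidden but same-site: not flagged
        '<iframe src="/widgets/poll" width="0" height="0"></iframe>',
}

if __name__ == "__main__":
    print(triage(SAMPLE_PAGES))
```

Requiring both conditions keeps ordinary video embeds and same-site tracking frames out of the count; tune the heuristic against known-good pages before relying on it.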

Google has been notified and hopefully its fancy algorithm can nuke these bogus sites pronto.

Ryan Naraine is on vacation.

Larry Dignan is Editor in Chief of ZDNet and Editorial Director of ZDNet sister site TechRepublic.
