Topic: Google search malware attack in progress
« Reply #15 on: March 18, 2008, 11:47:05 »
AplusWebMaster, Global Moderator
FYI...

Google Ads abused to serve Spam and Malware
- http://preview.tinyurl.com/2opnkh
March 17, 2008 (McAfee Avert Labs) - "Early this year we observed spammers using Google page ads in HTML-formatted emails to redirect users who click the spammed URL to the spammers’ sites... At first we thought Google page ads were being used to conceal the actual URL and subvert traditional anti-spam detection techniques. However, it seems one can change the linked URL to point to any site of your choice, as no validation appears to be done on Google’s end. One can even point the Google page ad to executable files (malware authors have started doing this), and the link will redirect and download the malware just fine. It’s kind of ironic given that Google is very strict about the kind of file attachments one can upload/download via their Gmail service... Google must be aware of this redirect abuse, and it’s hard to understand why they don’t prevent these -redirects- working for known bad file types or for spam and malware sites."


This machine has no brain.
....... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
« Reply #16 on: March 28, 2008, 05:08:48 » AplusWebMaster
Massive IFRAME SEO Poisoning Attack Continuing...

- http://ddanchev.blogspot.com/2008/03/massive-iframe-seo-poisoning-attack.html
March 28, 2008 - "Last week's massive IFRAME injection attack is slowly turning into what looks like a large-scale web application vulnerabilities audit of high profile sites. Following the timely news coverage, Symantec's rating for the attack as medium risk, StopBadware commenting on XP Antivirus 2008, and US-CERT issuing a warning about the incident, after another week of monitoring the campaign and the type of latest malware and sites targeted, the campaign is still up and running, poisoning what looks like over a million search queries with loadable IFRAMES, whose loading state entirely relies on the site's web application security practices - or the lack of them. What has changed since the last time? The number and importance of the sites has increased, Google looks to be filtering the search results despite that the malicious parties may have successfully injected the IFRAMEs already, thus trying to undermine the campaign, new malware and fake codecs are introduced under new domain names, and a couple of newly introduced domains within the IFRAMES themselves... The main IPs within the IFRAMES acting as redirection points to the newly introduced rogue software and malware remain the same, and are still active. The very latest high profile sites successfully injected with IFRAMES forwarding to the rogue security software and Zlob malware variants: USAToday.com, ABCNews.com, News.com, Target.com, Packard Bell.com, Walmart.com, Rediff.com, MiamiHerald.com, Bloomingdales.com, PatentStorm.us, WebShots.com, Sears.com, Forbes.com, Ugo.com, Bartleby.com, Linkedwords.com, Circuitcity.com, Allwords.com, Blogdigger.com, Epinions.com, Buyersindex.com, Jcpenney.com, Nakido.com, Uvm.edu, hobbes.nmsu.edu, jurist.law.pitt.edu, boisestate.edu...
For the time being, Google is actively filtering the results, in fact removing the cached pages on a number of domains when I last checked; the practice makes it both difficult to assess how many and which sites are actually affected, and of course undermines the SEO poisoning, as without it the input validation and injecting the IFRAMEs would have never been able to attract traffic in the first place. The attack is now continuing, having started two weeks ago; the main IPs behind the IFRAMES are still active, new pieces of malware and rogue software are introduced, hosting for which is still courtesy of the RBN, and we're definitely going to see many other sites with high page ranks targeted by a single massive SEO poisoning in combination with IFRAME injections. Which site is next? Let's hope not yours..."

- http://www.securityfocus.com/blogs/708
2008-03-28 - "...Danchev... published a blog about another batch of servers getting injected with malicious code and we have confirmed the attack here at Symantec. If you're an IT administrator, you will want to temporarily add them to the list of IPs to filter (block):
    * 72.232.39.252
    * 195.225.178.21
    * 89.149.243.201
    * 89.149.220.85
In the past we've seen many low-profile sites being targeted with the IFRAME attack, but this time the list of hacked sites includes many high-profile sites as well..."

(Please do NOT visit any of the IPs in the commentary - they are to be considered dangerous.)

« Last Edit: March 28, 2008, 07:45:01 by AplusWebMaster »
« Reply #17 on: March 31, 2008, 02:44:37 » AplusWebMaster
FYI...

- http://www.theregister.co.uk/2008/03/31/compromised_site_survey/
31 March 2008 - "...ScanSafe found the amount of time a website hosting malicious code remains live increased during the second half of 2007. Malware on infected sites remained live for an average of 29 days in 2H07, up 62 per cent from the first half of the year. Forms of malware undetected by scanner packages have an even longer shelf life once they compromise a site, persisting an average of 61 days in the second half of 2007."

« Reply #18 on: April 01, 2008, 11:35:21 » AplusWebMaster
FYI...

- http://www.vnunet.com/vnunet/news/2213090/search-engine-attack-lingers
31 Mar 2008 - "A malware attack targeting search engine results is continuing to haunt several high-profile sites. The attack uses the common cross-site scripting practice of embedding pages with small IFrame tags which redirect the user to a malicious page on a third-party site... The hackers have compromised search result pages, using search engine optimisation techniques to hijack search results and send users to sites which host malicious downloads. Among the sites said to be compromised are major news outlets ABC, USAToday and Forbes, and retailers Wal-Mart, Target and Sears... Administrators can protect against the attack by plugging the input validation vulnerabilities used to seed the malicious code within the pages..."

SANS NewsBites Vol. 10 Num. 26
- https://www.sans.org/newsletters/newsbites/newsbites.php?vol=10&issue=26#sID307
4/1/2008 - "...you can make the world a better place by blocking four IP addresses:
    * 72.232.39.252
    * 195.225.178.21
    * 89.149.243.201
    * 89.149.220.85 ..."

(Once again, please do NOT visit those IPs, just BLOCK them.)

« Last Edit: April 03, 2008, 12:25:05 by AplusWebMaster »
« Reply #19 on: April 06, 2008, 08:04:20 » AplusWebMaster
FYI...

- http://sunbeltblog.blogspot.com/2008/04/google-groups-continues-to-be-inundated.html
April 05, 2008 - "As we’ve seen before, this continues to be a problem on Google Groups: Fake posts pushing porn that pushes malware (fake codecs)... This really needs to get cleaned up. There’s a reason why so many of the threats that we see users getting infected with are invariably fake codec related..."

(...because it works. Screenshots available at the URL above.)

« Reply #20 on: April 07, 2008, 10:46:52 » AplusWebMaster
FYI...

- http://www.trustedsource.org/TS?do=threats&subdo=blog&id=31
April 7, 2008 - "The infamous “Storm worm” is back and now the spam messages contain links to the domain blogspot .com - Google’s Blogger service. The spammed subjects look like “Crazy in love with you”, “I Love Being In Love With You” or “Fallen for you”. The mail body contains just simple short sentences like “I’ll never stope loving you”, “With All My Love” or “Deeply in love with you”, followed by a link to Blogger... When a curious user follows the lure, he is presented with a Blogger web site like the one above. An executable file named ‘withlove.exe’ is linked and downloaded from another fast-fluxing domain... BTW: Storm is not the first malware which invades Blogger. Last year Zlob was also present on many Blogs, waiting to show the infamous missing codec error messages. So be aware..."

« Reply #21 on: April 17, 2008, 03:56:14 » AplusWebMaster
FYI...

- http://preview.tinyurl.com/5hq4xc
16 Apr 2008 | SearchSecurity.com - "...The technique of using otherwise legitimate sites to host and deliver malware is an increasingly popular one and has continued to be effective for a number of reasons. Most importantly, users do not expect to find malware on e-commerce, news and entertainment sites that they trust and have been visiting for years. But there's also the problem of finding and removing the malicious pages. It's much easier to isolate and blackhole an entirely malicious site than it is to find and take down one infected page among thousands on a legitimate site. In his analysis of the malware utility, ISC handler Bojan Zdrnja wrote* that after infecting a new site, the program then checks with a remote server in China, possibly to confirm the new infection as part of a pay-per-infection scheme. After that operation, the tool will then connect to Google and use a specific search string to find vulnerable sites..."
* http://isc.sans.org/diary.html?storyid=4294

« Reply #22 on: April 17, 2008, 16:15:07 » AplusWebMaster
FYI...

- http://securitylabs.websense.com/content/Blogs/3068.aspx
4.17.2008 - "... research has uncovered a case where a museum's compromised Web server is serving malicious code based on the referrer making the request. A referrer could be, for example, a search engine such as images.google.com. As interesting as the fact that they're doing this, however, is which referrers trigger the delivery of malicious content, when others do not. In this case, the malicious content is served -only- when the referrers for the request are certain high-profile image search sites... For example, if a browser attempted to load a page with the desired image through images.google.com, malicious content was delivered. However, if a normal Google search (www.google.com) was used for the same image with the same URL, the result was the proper page, -without- the malicious redirect. So far, the list of image search sites that are used as affected referrers by the attacker is among the most high-profile image searches on the web:
    * images.google.com
    * images.search.yahoo.com
    * www.altavista.com/image/default
    * search.live.com/images/
... another screenshot of the same page, but with referrer data disabled. This page contains the normal page content, not the malicious code. The decision on what content to send is made on the server, so this attack is browser-independent. Regardless of which browser is used, if the referrer information on the request is one of the affected image search engines, the malicious content is delivered... it seems as though the museum's page has also been compromised with a search engine poisoning attack. Beyond the normal reasons for such a compromise, we can theorize that this may have been done to increase the site's search ranking, making it more likely for its images to come up in a search. As a result, more systems are likely to be infected by the malicious content."

(Screenshots available at the URL above.)

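The referrer-keyed behaviour described above is something a site owner can test for on their own pages. As an added example (not code from the Websense write-up or from the post), the check below fetches one URL with no Referer and then once per suspect referrer, and flags every response whose normalised hash differs from the baseline; the fetcher is injected, so here it runs offline against constructed responses, and `http_fetch` is an assumed stdlib-based fetcher for a real run.

```python
import hashlib
import re
import urllib.request
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

# Referrers named in the Websense analysis as the ones that triggered the
# malicious response; www.google.com is the control that served the clean page.
SUSPECT_REFERRERS = [
    "http://images.google.com/",
    "http://images.search.yahoo.com/",
    "http://www.altavista.com/image/default",
    "http://search.live.com/images/",
    "http://www.google.com/",
]


def fingerprint(body: bytes) -> str:
    """SHA-256 of the body with whitespace runs collapsed, so layout noise
    alone does not register as a content difference."""
    return hashlib.sha256(re.sub(rb"\s+", b" ", body).strip()).hexdigest()


def find_referrer_cloaking(url: str,
                           fetch: Callable[[str, Optional[str]], bytes],
                           referrers: List[str]) -> Dict[str, str]:
    """Return {referrer: fingerprint} for each referrer whose response differs
    from the baseline request that carries no Referer header at all."""
    baseline = fingerprint(fetch(url, None))
    hits = {}
    for ref in referrers:
        fp = fingerprint(fetch(url, ref))
        if fp != baseline:
            hits[ref] = fp
    return hits


def http_fetch(url: str, referer: Optional[str]) -> bytes:
    """Assumed real fetcher (stdlib only): same URL, Referer set or omitted."""
    headers = {"Referer": referer} if referer else {}
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read()


# Constructed offline stand-in for http_fetch: the clean museum page is served
# unless the Referer host is one of the image-search engines, mirroring the
# server-side decision the analysis describes. Hosts use the reserved .invalid TLD.
CLEAN_PAGE = b"<html><body>\n  <h1>Museum collection</h1>\n  <img src='vase.jpg'>\n</body></html>"
CLOAKED_PAGE = CLEAN_PAGE.replace(
    b"</body>",
    b"<iframe src='http://redirector.invalid/' width='1' height='1'></iframe></body>")
IMAGE_SEARCH_HOSTS = {"images.google.com", "images.search.yahoo.com",
                      "www.altavista.com", "search.live.com"}


def constructed_fetch(url: str, referer: Optional[str]) -> bytes:
    host = urlsplit(referer).hostname if referer else None
    return CLOAKED_PAGE if host in IMAGE_SEARCH_HOSTS else CLEAN_PAGE


if __name__ == "__main__":
    hits = find_referrer_cloaking("http://museum.invalid/gallery.html",
                                  constructed_fetch, SUSPECT_REFERRERS)
    for ref, fp in hits.items():
        print(f"content differs under Referer {ref}: {fp[:16]}...")
```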
« Reply #23 on: April 17, 2008, 17:57:55 » AplusWebMaster
FYI...

Google Pages Porn Malware Invasion Continues Unabated
- http://sunbeltblog.blogspot.com/2008/04/google-pages-porn-malware-invasion.html
April 17, 2008 - "... Hundreds of thousands of pages, if not over a million. Examples (warning: graphic language)... And there’s also splogs pushing malware, not as porn, but just off of keywords. Here’s a search for “Symantec Download”... file being pushed, setup.exe, is a trojan. Or, let's use the search term “McAfee download”... (I’m not picking on these AV companies, if you do similar searches for Sunbelt products, you’ll hit these types of things as well.) These slimeballs are using all kinds of keywords. Here’s some more, like Blackberry Ringtones and Free Messenger Download, returning spam links... Or how about keeping it simple, and just saying “free download”? Malware!... A large part of this is most certainly caused by bots uploading stuff, breaking the CAPTCHA. They may not break it all the time, but they do break it probably 10% of the time. That’s enough to upload a ton of garbage..."

(Screenshots available at the URL above.)

« Reply #24 on: May 03, 2008, 12:37:36 » AplusWebMaster
FYI... (now, not "malware", just FRAUD)

- http://www.networkworld.com/news/2008/050208-google-adwords-fuel-new-url.html
05/02/2008 - "Google adwords account holders are being targeted by criminals out to trick them into handing over credit card information using a clever URL spoof that has gained popularity in recent weeks. On the face of it, the scam follows a traditional attack route involving the sending of spam emails to random Internet addresses in the hope of finding users who have purchased adwords. The email claims that the user's account payment has failed and asks them to "update payment information", again a transparent ploy by today's standards... As obvious as this might sound, the unwary might easily be tricked by the convincing http ://adwords .google .com/select/login link embedded in the email, a perfect copy of the correct Google login address. This one, however, actually leads to hxxp ://www .adwords .google .com.XXXX.cn/select/Login [address altered], an obfuscated address that directs to a site associated with IPs in Germany, Romania, and the Czech Republic. The site is a good copy of the real Google adword site, and appears to let users log in using their real account details - any account details will work in fact. Entering payment details results in that information being posted using an SSL link to a remote server, after which the account will be ripped off. The attack has been publicized by security software company Trend Micro*, but the disarmingly simple scam is widespread enough to have been received by ordinary users in recent days..."
* http://blog.trendmicro.com/google-adwords-phishing/
May 1, 2008

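The spoof described above works because the eye reads the familiar prefix and stops there. As an added example, not code from the article or the post, the check below reduces each link to its registrable domain (eTLD+1) and compares it with the brand's real one, so a hostname that merely embeds the brand is rejected; the suffix table is a deliberately tiny constructed subset, and a real deployment would load the full Public Suffix List.

```python
from typing import Dict, Iterable, Tuple
from urllib.parse import urlsplit

# Constructed, deliberately tiny subset of public suffixes. Longer suffixes
# ("co.uk") must win over their parents ("uk"); the loop below guarantees that
# by testing candidates from the longest down.
PUBLIC_SUFFIXES = {"com", "net", "org", "cn", "de", "uk", "co.uk", "com.cn"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of host, e.g. 'google.com' or 'xxxx.cn'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # labels[i:] is the public suffix; the label just before it is the
            # registrant's. A bare suffix such as 'com' has no registrant.
            return ".".join(labels[i - 1:]) if i > 0 else ""
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def link_verdict(url: str, expected_domain: str) -> Tuple[bool, str]:
    """Decide whether url really belongs to expected_domain, and say why."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if not host:
        return False, "link has no hostname"
    actual = registrable_domain(host)
    if actual == expected_domain:
        return True, f"{host} is under {expected_domain}"
    if expected_domain in host:
        # The article's pattern: the real brand appears as subdomain labels of
        # a domain the attacker registered.
        return False, f"{host} embeds '{expected_domain}' but is registered under '{actual}'"
    return False, f"{host} is registered under '{actual}', not '{expected_domain}'"


def check_links(urls: Iterable[str], expected_domain: str) -> Dict[str, Tuple[bool, str]]:
    return {u: link_verdict(u, expected_domain) for u in urls}


# Constructed samples modelled on the article: the genuine login URL and the
# spoof, keeping the article's own 'XXXX' placeholder for the attacker's label.
SAMPLE_LINKS = [
    "http://adwords.google.com/select/login",
    "http://www.adwords.google.com.XXXX.cn/select/Login",
]

if __name__ == "__main__":
    for link, (ok, why) in check_links(SAMPLE_LINKS, "google.com").items():
        print("OK   " if ok else "PHISH", why)
```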
« Reply #25 on: May 27, 2008, 18:15:30 » AplusWebMaster
FYI...

"Dear Google AdWords Customer"
- http://www.f-secure.com/weblog/archives/00001444.html
May 27, 2008 - "Sometimes it can be quite hard to spot a phishing site at first glance [ see URL used in screenshot at the F-secure site above ]. Sure, it looks quite real. But always double-check the address."

« Reply #26 on: June 25, 2008, 06:05:11 » AplusWebMaster
FYI...

- http://preview.tinyurl.com/5cvvdw
June 24, 2008 (Infoworld) - "...Stopbadware.org released data on "badware" Web sites on Tuesday, saying that Google was one of the top five networks responsible for hosting these dangerous Web sites.
The numbers show that China is now a top source of malicious Web sites -- China-based networks hosted more than half of the malicious Web sites tracked by the group -- but Google's appearance on the list is perhaps more remarkable...
A year ago, Google did not appear on Stopbadware.org's list of the top 10 sources of badware, but recently scammers and online criminals have turned to Google's Blogger service to host malicious or spyware-related Web pages... In March, Google was the top badware network tracked by Stopbadware*..."

* http://blogs.stopbadware.org/articles/2008/04/05/infections-stats-for-march-2008
Top Infected IP Addresses

> http://www.stopbadware.org/home/badwebs

« Reply #27 on: August 16, 2008, 03:20:40 » AplusWebMaster
FYI...

A Million Search Strings to Get Infected
- http://blog.trendmicro.com/a-million-search-strings-to-get-infected/
August 15, 2008 - "...We received several reports from the North American region earlier today about users being victimized by a rogue antispyware, which these users have downloaded after they have somehow been convinced to click on malicious links. These links point to malware that caused overt signs (such as popup balloons and modified wallpapers) to appear in the PC suggesting that the system has indeed been infected. This is not goodwill, though, because downloading the ‘trial version’ only scans the system. To remove the infection the user will have to purchase the entire antispyware for real money. Users may be infected via spammed email messages, spammed instant messages, or even via ads served in social networking sites. Soon enough, we’ve discovered not one but two pieces of fake antivirus software. This time the attack is made possible through a mass SEO poisoning involving several compromised Web sites. This development has certainly upped the chances of the rogue antispyware gaining mileage. How does this work? A simple Google/Yahoo! search can lead you to a malware-serving site. Search strings such as “changes on the river amazon” or “changes made for mount Pinatubo” will lead you to a malicious Web site. Users who happen to use these strings will find themselves going down the long road of nasty redirections... After all the fake notifications, the user will be asked to download AV2009Install_880488.exe. The other fake antivirus will lead users to hxxp ://scan. free-antispyware-scanner. com ... This will ask the user to download setup_100722_3.exe instead of AV2009Install_880488.exe. (Note that the final agenda for both and most rogue antispyware scams is extortion. Users who fall for this scam pay a certain amount of money to the malware writers to purchase the full version of the fake antispyware.)
According to our investigation, there are several dozen domains involved that are currently compromised. The hackers were able to upload PHP scripts that contain various text strings designed for SEO poisoning (SEO poisoning is manipulating or influencing the natural page rankings of search results in order to get more hits than a page really deserves). This is not the first time Trend Micro has seen this incident; a previous SEO poisoning of this scale was also discovered in December 2007, with SEO poisoning pages hosted on Blogspot. This time around, compromised web sites were used instead. Digging a little bit deeper, we’ve also found out that the hackers have almost 1 million search phrases at their disposal for SEO poisoning. These search phrases cover the range from free downloads, lyrics, travel, politics and anything in between. Malicious sites have “CLICK HERE! ALL INFORMATION!” and “CLICK HERE! WANT TO KNOW MORE ABOUT” as their page titles, so it will be best to avoid clicking through Google/Yahoo! results that have those aforementioned site titles."

(Screenshots available at the TrendMicro URL above.)

« Reply #28 on: August 23, 2008, 16:30:02 » AplusWebMaster
FYI...

Continuing problem - malware advertised in Google Adwords
- http://sunbeltblog.blogspot.com/2008/08/continuing-problem-of-malware-being.html
August 23, 2008 - "Google continues to have a problem with malware being advertised in Google Adwords, in this case, for the trojan Antivirus XP 2008... An exacerbating part of the problem, of course, is that Google Adwords are massively syndicated to other sites, including heavy-hitters like CNET, all of whom may unknowingly push malware through these ads. A lot of people can get affected by this type of problem."
(Screenshots available at the URL above.)

- http://sunbeltblog.blogspot.com/2008/08/i-can-resist-irony.html
August 23, 2008 (Yet another Screenshot)

« Reply #29 on: November 06, 2008, 10:35:28 » AplusWebMaster
FYI...

More Google searches resulting in rogue AV
- http://blog.trendmicro.com/more-google-searches-resulting-in-rogue-av/
Nov. 5, 2008 - "... 2 scenarios resulting (in) rogue AV downloads, also done through hijacking Google search results... In the first scenario, queries for the string refa+zeitaufnahmebogen [related to a German association for work design] on the German Google website (www.google.de) yield suspicious results... Using Wireshark, I’ve found that this was achieved through a redirection to yet another URL entirely... While the first scenario is more of a targeted attack, this next one proves to aim at a wider range of victims, and timely as well considering the US elections. Malicious results were also found generated from queries for the string absentee voting... And of course, this is another work of the FakeAV gang. Clicking the result triggers a series of redirections; however the payload, or the fake AV itself, is not there anymore. The downloaded file has the same name..."

(Screenshots available at the URL above.)

 