Culture Jamming

[here]

FYI...

- http://preview.tinyurl.com/2db83x
November 27, 2007  (Computerworld) - "A large-scale, coordinated campaign to steer users toward malware-spewing Web sites from Google search results is under way, security researchers said today. Users searching Google with any of hundreds of legitimate phrases -- from the technical "how to cisco router vpn dial in" to the heart-tugging "how to teach a dog to play fetch" -- will see links near the top of the results listings that lead directly to malicious sites hosting a mountain of malware. "This is huge," said Alex Eckelberry, Sunbelt Software's CEO. "So far we've found 27 different domains, each with up to 1,499 [malicious] pages. That's 40,000 possible pages." Those pages have had their Google ranking boosted by crooked tactics that include "comment spam" and "blog spam," where bots inundate the comment areas of sites with links or mass large numbers of them as bogus blog posts. Attackers may be using bots to plug links into any Web form that requests a URL, added Sunbelt malware researcher Adam Thomas. There's no evidence that the criminals bought Google search keywords, however, nor that they've compromised legitimate sites. Instead, they've gamed Google's ranking system and registered their own sites... One site that Thomas encountered tried to install more than 25 separate pieces of malware, including numerous Trojan horses, a spam bot, a full-blown rootkit, and a pair of password stealers. All the malicious code pitched at users is well-known to security vendors, and can only exploit PCs that aren't up-to-date on their patches... Sunbelt's company blog sports screen shots* of several Google search results lists, with malware-infecting sites identified, as well as images of the bogus codec installation dialogs and the code of one of the malicious IFRAMEs."
* http://sunbeltblog.blogspot.com/2007/11/breaking-massive-amounts-of-malware.html

 

[here]

Update:

- http://preview.tinyurl.com/2db83x
"...Users searching Google, Yahoo, Microsoft Live Search and other engines with any of hundreds of legitimate phrases -- from the technical "how to cisco router vpn dial in" to the heart-tugging "how to teach a dog to play fetch" -- will see links near the top of the results listings that lead directly to malicious sites hosting a mountain of malware..."

 

[here]

FYI...

SEO poisoning targeted at Google
- http://sunbeltblog.blogspot.com/2007/11/more-on-massive-seo-poisoning-it-was.html
November 28, 2007 - "As a follow-up to our recent posts*, here’s some additional information. First, we can ring the all-clear bell. Google took action on these domains and you won’t find them anymore in Google (see Java script at URL above)... So. if you use search terms like “inurl” and “site”, you won’t see these malware pages in your results. Clever, since that’s one way for malware researchers to find stuff... And, it only cares if you’re coming from Google..."
* http://sunbeltblog.blogspot.com/2007/11/malware-redirects-aftermath_27.html

> http://isc.sans.org/diary.html?storyid=3700
Last Updated: 2007-11-28 21:07:34 UTC ...(Version: 3) - "UPDATE:  Google for one has cleaned up their database. They are currently no longer returning these .cn pages for the queries affected."

 

[here]

Ongoing...

- http://isc.sans.org/diary.html?storyid=3700
Last Updated: 2007-11-28 23:06:30 UTC ...(Version: 4)
"UPDATE:  Live Search has submitted the changes necessary to yank these URLs from the database."


 

[More Google poisoning on the way?]

FYI...

More Google poisoning on the way?
- http://sunbeltblog.blogspot.com/2007/11/heads-up-more-google-poisoning-on-way.html
November 29, 2007 - "Google has removed the sites responsible for the recent massive Google poisoning* attack. However, we’re seeing indications that another attack may be on the way. We have seen another spate of websites freshly registered, using the similar .cn domains. There seem to be two different groups here... Large amount of fresh .cn domains, with numbered html pages. However, there are apparently two different groups at work here. One we’ll call Type 1 -- which appears to be the same group involved in the prior poisoning. And the other, we'll call Type 2 (sorry, not very original, but we’re working fast here)... Right now, we’re not seeing either site serve exploits, as we saw in the last attack. However, this could change..."

* http://sunbeltblog.blogspot.com/2007/11/more-on-massive-seo-poisoning-it-was.html

 

[here]

FYI...

- http://preview.tinyurl.com/3cgt5k
November 30, 2007  (Computerworld) - "Google is asking everyday Web surfers to help with its efforts to stamp out malicious Web sites. The company has created an online form designed to make it easy for people to report sites they suspect of hosting malicious code. It's the latest step by Google to expand its database of the bad Web sites it knows about, as those sites continue to proliferate. "Currently, we know of hundreds of thousands of Web sites that attempt to infect people's computers with malware. Unfortunately, we also know that there are more malware sites out there," Google's Ian Fette wrote in the company's security blog*..."
* http://googleonlinesecurity.blogspot.com/2007/11/help-us-fill-in-gaps.html

- http://msmvps.com/blogs/spywaresucks/archive/2007/11/30/1371503.aspx
November 30, 2007 - "...(Google) blog entry was published after Sunbelt reported the massive seeding of malicious web sites on Google (which were *not* flagged as dangerous), which was then cleaned up, and before it was reported that nonsense domains were reappearing in Google's search, albeit with (apparently) no malicious content (yet)... The innocent days of the Internet as a wonderous, safe place that all can visit, and learn, and teach and share and explore without fear is gone. The criminals have taken that dream away from us. That is the reality..."

 

[Malware Exploiting Death of Zoey Zane]

FYI...

Malware Exploiting Death of Zoey Zane
- http://sunbeltblog.blogspot.com/2007/12/malware-exploiting-death-of-zoey-zane.html
December 03, 2007- "From the sicko department . . . We have received multiple public reports of attackers using the recent murder of 18 year old college student Emily Sander (AKA "Zoey Zane" in the adult film industry world) as a lure to install malware.
From about.com:
'Dental records have confirmed that a body found near a Kansas highway is missing community college student and Internet porn star Emily Sander, authorities said. An autopsy has been completed, but the results have been sealed and are not available to the media . . . After Sander disappeared, it was discovered that the 18-year-old college student led a double life as "Zoey Zane," a character she played on Internet porn sites.'
Attackers have obtained very good search engine position when looking for information about “Zoey Zane”, and users may be lured into installing an “ActiveX upgrade” or “Flash Player” upgrade in order to view a video. In actuality, this “ActiveX video decoder” or “Flash Player Upgrade” is a Trojan that installs a Browser Helper Object (BHO) which produces fake pop-up messages and modifies search engine results in an attempt to install the Rogue Software IE Defender..."

(Screenshots available at the URL above.)

 

[here]

FYI...

- http://www.reuters.com/article/technologyNews/idUSL191003420071219
Dec 19, 2007 - "Advertisements placed by Google in Web pages are being hijacked by so-called trojan software that replaces the intended text with ads from a different provider, Romanian antivirus company BitDefender says*. The trojan redirects queries meant to be sent to Google servers to a rogue server, which displays ads from a third party instead of ads from Google, BitDefender said in a statement... Google said on Wednesday: "We have cancelled customer accounts that display ads redirecting users to malicious sites or that advertise a product violating our software principles." "We actively work to detect and remove sites that serve malware in both our ad network and in our search results. We have manual and automated processes in place to detect and enforce these policies." The trojan, named after the mythic Trojan Horse because of its ability to enter computer systems undetected, attacks Google's AdSense service, which targets advertisements to match Web page content..."

* http://preview.tinyurl.com/2jp2k9
December 18, 2007 (Bitdefender) - "...The modified file contains a line redirecting the host "page2.googlesyndication.com" which should point to an IP of the form 6x.xxx.xxx.xxx to a different address, of the form 9x.xxx.xxx.xxx, so that the infected machines' browsers read ads from server at the replacement address rather than from Google..."
- http://www.bitdefender.com/VIRUS-1000239-en--Trojan.Qhost.WU.html

 

[here]

FYI...

Fake codecs on Blogger
- http://sunbeltblog.blogspot.com/2007/12/fake-codecs-on-blogger.html
December 26, 2007 - "Fake codec trojans (so-called “required” components to watch a video, but in fact are malicious trojans) are a plague on the Internet. We’ve written about them extensively. Often, they are seen in porn sites. However, by doing a few simple searches today, we can see that they’re available to those simply doing American football pools, checking bank hours or searching for New Year’s eve clipart. All of these are taking advantage of the free Blogger service... these sites are pushing real trojans. Please don’t go there if unless you know what you’re doing... I wouldn't put this in the same league as the massive Google poisoning we saw last month. That was an epic attack, using exploits and all kinds of nasty tricks. However, this is something to be aware of, and hopefully the good folks at Google will take them down lickety-split..."

(Screenshots available at the URL above.)

 

[Malicious Code: Attackers Exploiting News of Benazir Bhutto Assassination]

FYI...

Malicious Code: Attackers Exploiting News of Benazir Bhutto Assassination
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=834
December 27, 2007 - "Websense Security Labs has discovered malicious Web sites attempting to capitalize on the breaking news of the assassination of Benazir Bhutto. These sites attempt to infect users seeking more information about the event. This activity is similar to past news events, where attackers used malicious sites containing information about the event to infect visitors. In this case, the first infected site found by Websense Security Labs was the second result in a Google search using a generic and simple keyword. Therefore, the site likely to receive large amounts of traffic. Clicking on the link in the search results did not trigger a warning from Google that the site may be malicious..."

(Screenshot available at the URL above.)

- http://blog.trendmicro.com/bhutto-assassination-javascripted/
December 27, 2007 - "...one of the sites in question indeed has an embedded malicious JavaScript redirect..."

 

[Google Blogger]

FYI...

Attackers Abuse Google Blogger
Blogger is flooded with phony blogs – including some that inject malware
- http://www.darkreading.com/document.asp?doc_id=144171&print=true
JANUARY 25, 2008 - "Hackers are currently littering Google's Blogger site with phony blogs -- some containing malware, pornographic images, or pure spam. "Google Blogger is being used as a malware delivery mechanism," says Ken Steinberg, CTO and president of Savant Protection, who discovered the attack while working on his own blog this morning. The attackers apparently are automatically generating the blogs with scripts. The blogs come with nonsensical names and content that's obviously been generated using English-compliant engines and keyword focuses, he says. "They've upped the game. Mostly [blog attacks] have been through comments or postings," he says. Steinberg noted that some of the fake blogs were using malware-insertion techniques: "One of the more common ways of inserting malware is using overflow techniques found in movie [viewers]... When you click through a few of these blogs, up pops images set to auto-load -- some are images, some are movies" that can infect a visitor with malware, he says. Google says it's investigating the event..."

- http://preview.tinyurl.com/2v59aq
January 25, 2008 (Computerworld) - "...The spammers have borrowed other malware techniques, too. Just as some recent attacks have been launched using frequently changing JavaScript, the redirect code placed on the Google Pages or on blogs may fluctuate depending on the originating spam message. The scams are also using fast-flux techniques to rapidly change the resolving destinations of the links.."

 

[Heath Ledger]

FYI...

- http://blog.trendmicro.com/seo-manipulation-begins-for-super-bowl-malware-campaign/
January 24, 2008 - "Cyber criminals who took advantage of Hollywood actor Heath Ledger’s death* are at it again, this time attempting to lure unsuspecting Super Bowl fans. When users search for “Superbowl,” Google search results turn up the following (links to malware)... what’s interesting in this case is that the malicious URLs are once again found in the servers of the Czech hosting provider believed to be hacked. Our analysts have been in contact with CERT CZ and the Czech hosting provider but the malicious codes are still present as of this writing..."
* http://blog.trendmicro.com/compromised-sites-heath-it-up/

(Screenshots available at both URLs above.)

I.E: http://www.cnet.com/8301-13554_1-9856450-33.html?tag=head
"...A client of mine is often in the news, so I watch for articles using Google Alerts. Once a day, I'm sent an email listing the new web pages Google found that contain my client's name. After doing this for well over a year without incident, Google today included a malicious web page in the list of those referencing my client. The page tried to install malicious software on my computer..."

 

[Search Engine Spam increasing]

FYI...

Search Engine Spam increasing
- http://www.messagelabs.com/intelligence.aspx
MessageLabs Intelligence (PDF report): January 2008 - "...much of this type of spam in recent weeks has also revealed a significant hike in the proportion of spam abusing search engine redirects. Typically Google and Yahoo search engines have been used in these spams. Search engine spam accounts for 17% of spam in January and has been in circulation for only a few weeks. Search engine spam is a technique that allows the spammer to include a link constructed from a search engine query in an email message. When followed, the link will resolve in the spammer’s forged web site. This means that the spammers can send messages without directly mentioning the spam website, which makes it difficult for traditional anti-spam products to detect the malicious link. While they may recognize known spam sites, they cannot reasonably block links to legitimate search engine sites. eBay recently instituted some changes to circumvent this type of attack method... the link in the email passes some special parameters to the Google search engine, using the inURL: keyword (which focuses the search only on the domain listed), and the BtnI= keyword (typically used by the “I’m feeling Lucky” button on Google)..."

 

[Google blog used to spread malware]

FYI...

Google blog used to spread malware
- http://www.networkworld.com/news/2008/013108-attacker-google-blog.html
01/31/08 - "A Google-hosted blog is running phony security content that's linked to malware, as well as using Google's automated notification service to try to entice subscribers to click on an infected link, says one security expert. To trick readers looking for information related to legitimate security products, the blog - which has been spotted working under the name "Brittany" - has copied content related to security vendors Symantec, Trend Micro and Aladdin Knowledge Systems, says Ofer Elzam, director of product management in Aladdin's eSafe division... Google states in its usage policy that "Google does not monitor the contents of Blogger.com and Blogspot.com, and takes no responsibility for such content. Instead, Google merely provides access to such content as a service to you"..."

 

[All Your iFrame Are Point to Us]

FYI...

All Your iFrame Are Point to Us (from the Google Anti-Malware Team)
- http://googleonlinesecurity.blogspot.com/2008/02/all-your-iframe-are-point-to-us.html
February 11, 2008 - "...In the past few months, more than 1% of all search results contained at least one result that we believe to point to malicious content and the trend seems to be increasing... Some malware distribution sites had as many as 21,000 regular web sites pointing to them. We also found that the majority of malware was hosted on web servers located in China. Interestingly, Chinese malware distribution sites are mostly pointed to by Chinese web servers. We hope that an analysis such as this will help us to better understand the malware problem in the future and allow us to protect users all over the Internet from malicious web sites as best as we can. One thing is clear - we have a lot of work ahead of us."