Search Engine Poisoning - archive

[AplusWebMaster]

FYI...

- http://www.websense.com/securitylabs...php?BlogID=116
Mar 26 2007 ~ "Search Engine Poisoning is a topic that we have have researched at some length. We discussed the topic briefly in an October blog post: Search Engine Typosquatting*. Our previous research focused on malicious URLs in search engine results from misspelled search terms; it was far less common to discover malicious content for legitimate search terms. In early March, a report from Sunbelt** demonstrated Microsoft Windows Live Search™ Italy returning exploit sites for extremely common search terms. Doing some additional research of our own, we performed searches for the names of financial companies, well-known banks, and lenders. The results were alarming. Many of the URLs in the search results linked to malicious sites capable of silently compromising the visitor..."

(More detail and screenshots at the URL above.)


* http://www.websense.com/securitylabs....php?BlogID=88

** http://sunbeltblog.blogspot.com/2007...-searches.html

[AplusWebMaster]

FYI...

- http://www.siteadvisor.com/studies/s...safety_may2007
June 4, 2007 ~ "...Key Findings
* Overall, 4.0% of search results link to risky Web sites, which marks an improvement from 5.0% in May 2006. Dangerous sites are found in search results of all 5 of the top US search engines (representing 93% of all search engine use).
* The improvement in search engine safety is primarily due to safer sponsored results. The percentage of risky sites dropped from 8.5% in May 2006 to 6.9% in May 2007. However, sponsored results still contain 2.4 times as many risky sites as organic results.
* AOL returns the safest results: 2.9 % of results rated red1 or yellow2 by McAfee SiteAdvisor. At 5.4%, Yahoo! returns the most results rated red or yellow.
* Google, AOL, and Ask have become safer since May 2006, with Ask exhibiting the greatest improvement. The safety of search results on Yahoo! and MSN has declined..."

(Graphics available at the URL above.)


.

[AplusWebMaster]

FYI...

- http://preview.tinyurl.com/2db83x
November 27, 2007 (Computerworld) - "A large-scale, coordinated campaign to steer users toward malware-spewing Web sites from Google search results is under way, security researchers said today. Users searching Google with any of hundreds of legitimate phrases -- from the technical "how to cisco router vpn dial in" to the heart-tugging "how to teach a dog to play fetch" -- will see links near the top of the results listings that lead directly to malicious sites hosting a mountain of malware. "This is huge," said Alex Eckelberry, Sunbelt Software's CEO. "So far we've found 27 different domains, each with up to 1,499 [malicious] pages. That's 40,000 possible pages." Those pages have had their Google ranking boosted by crooked tactics that include "comment spam" and "blog spam," where bots inundate the comment areas of sites with links or mass large numbers of them as bogus blog posts. Attackers may be using bots to plug links into any Web form that requests a URL, added Sunbelt malware researcher Adam Thomas. There's no evidence that the criminals bought Google search keywords, however, nor that they've compromised legitimate sites. Instead, they've gamed Google's ranking system and registered their own sites... One site that Thomas encountered tried to install more than 25 separate pieces of malware, including numerous Trojan horses, a spam bot, a full-blown rootkit, and a pair of password stealers. All the malicious code pitched at users is well-known to security vendors, and can only exploit PCs that aren't up-to-date on their patches... Sunbelt's company blog sports screen shots* of several Google search results lists, with malware-infecting sites identified, as well as images of the bogus codec installation dialogs and the code of one of the malicious IFRAMEs."
* http://sunbeltblog.blogspot.com/2007...f-malware.html
----------------------

Update:
- http://preview.tinyurl.com/2db83x
"...Users searching Google, Yahoo, Microsoft Live Search and other engines with any of hundreds of legitimate phrases -- from the technical "how to cisco router vpn dial in" to the heart-tugging "how to teach a dog to play fetch" -- will see links near the top of the results listings that lead directly to malicious sites hosting a mountain of malware..."

[AplusWebMaster]

FYI...

SEO poisoning targeted at Google
- http://sunbeltblog.blogspot.com/2007...ng-it-was.html
November 28, 2007 - "As a follow-up to our recent posts*, here’s some additional information. First, we can ring the all-clear bell. Google took action on these domains and you won’t find them anymore in Google (see Java script at URL above)... So. if you use search terms like “inurl” and “site”, you won’t see these malware pages in your results. Clever, since that’s one way for malware researchers to find stuff... And, it only cares if you’re coming from Google..."
* http://sunbeltblog.blogspot.com/2007...ermath_27.html

> http://isc.sans.org/diary.html?storyid=3700
Last Updated: 2007-11-28 21:07:34 UTC ...(Version: 3) - "UPDATE: Google for one has cleaned up their database. They are currently no longer returning these .cn pages for the queries affected."

[AplusWebMaster]

Ongoing...

- http://isc.sans.org/diary.html?storyid=3700
Last Updated: 2007-11-28 23:06:30 UTC ...(Version: 4)
"UPDATE: Live Search has submitted the changes necessary to yank these URLs from the database."

[AplusWebMaster]

FYI...

More Google poisoning on the way?
- http://sunbeltblog.blogspot.com/2007...ng-on-way.html
November 29, 2007 - "Google has removed the sites responsible for the recent massive Google poisoning* attack. However, we’re seeing indications that another attack may be on the way. We have seen another spate of websites freshly registered, using the similar .cn domains. There seem to be two different groups here... Large amount of fresh .cn domains, with numbered html pages. However, there are apparently two different groups at work here. One we’ll call Type 1 -- which appears to be the same group involved in the prior poisoning. And the other, we'll call Type 2 (sorry, not very original, but we’re working fast here)... Right now, we’re not seeing either site serve exploits, as we saw in the last attack. However, this could change..."

* http://sunbeltblog.blogspot.com/2007...ng-it-was.html

[AplusWebMaster]

FYI...

- http://preview.tinyurl.com/3cgt5k
November 30, 2007 (Computerworld) - "Google is asking everyday Web surfers to help with its efforts to stamp out malicious Web sites. The company has created an online form designed to make it easy for people to report sites they suspect of hosting malicious code. It's the latest step by Google to expand its database of the bad Web sites it knows about, as those sites continue to proliferate. "Currently, we know of hundreds of thousands of Web sites that attempt to infect people's computers with malware. Unfortunately, we also know that there are more malware sites out there," Google's Ian Fette wrote in the company's security blog*..."
* http://googleonlinesecurity.blogspot...l-in-gaps.html

- http://msmvps.com/blogs/spywaresucks...0/1371503.aspx
November 30, 2007 - "...(Google) blog entry was published after Sunbelt reported the massive seeding of malicious web sites on Google (which were *not* flagged as dangerous), which was then cleaned up, and before it was reported that nonsense domains were reappearing in Google's search, albeit with (apparently) no malicious content (yet)... The innocent days of the Internet as a wonderous, safe place that all can visit, and learn, and teach and share and explore without fear is gone. The criminals have taken that dream away from us. That is the reality..."

[AplusWebMaster]

FYI...

Malware Exploiting Death of Zoey Zane
- http://sunbeltblog.blogspot.com/2007...zoey-zane.html
December 03, 2007- "From the sicko department . . . We have received multiple public reports of attackers using the recent murder of 18 year old college student Emily Sander (AKA "Zoey Zane" in the adult film industry world) as a lure to install malware.
From about.com:
'Dental records have confirmed that a body found near a Kansas highway is missing community college student and Internet porn star Emily Sander, authorities said. An autopsy has been completed, but the results have been sealed and are not available to the media . . . After Sander disappeared, it was discovered that the 18-year-old college student led a double life as "Zoey Zane," a character she played on Internet porn sites.'
Attackers have obtained very good search engine position when looking for information about “Zoey Zane”, and users may be lured into installing an “ActiveX upgrade” or “Flash Player” upgrade in order to view a video. In actuality, this “ActiveX video decoder” or “Flash Player Upgrade” is a Trojan that installs a Browser Helper Object (BHO) which produces fake pop-up messages and modifies search engine results in an attempt to install the Rogue Software IE Defender..."

(Screenshots available at the URL above.)

[AplusWebMaster]

FYI...

- http://www.reuters.com/article/techn...91003420071219
Dec 19, 2007 - "Advertisements placed by Google in Web pages are being hijacked by so-called trojan software that replaces the intended text with ads from a different provider, Romanian antivirus company BitDefender says*. The trojan redirects queries meant to be sent to Google servers to a rogue server, which displays ads from a third party instead of ads from Google, BitDefender said in a statement... Google said on Wednesday: "We have cancelled customer accounts that display ads redirecting users to malicious sites or that advertise a product violating our software principles." "We actively work to detect and remove sites that serve malware in both our ad network and in our search results. We have manual and automated processes in place to detect and enforce these policies." The trojan, named after the mythic Trojan Horse because of its ability to enter computer systems undetected, attacks Google's AdSense service, which targets advertisements to match Web page content..."

* http://preview.tinyurl.com/2jp2k9
December 18, 2007 (Bitdefender) - "...The modified file contains a line redirecting the host "page2.googlesyndication.com" which should point to an IP of the form 6x.xxx.xxx.xxx to a different address, of the form 9x.xxx.xxx.xxx, so that the infected machines' browsers read ads from server at the replacement address rather than from Google..."
- http://www.bitdefender.com/VIRUS-100....Qhost.WU.html

[AplusWebMaster]

FYI...

Fake codecs on Blogger
- http://sunbeltblog.blogspot.com/2007...n-blogger.html
December 26, 2007 - "Fake codec trojans (so-called “required” components to watch a video, but in fact are malicious trojans) are a plague on the Internet. We’ve written about them extensively. Often, they are seen in porn sites. However, by doing a few simple searches today, we can see that they’re available to those simply doing American football pools, checking bank hours or searching for New Year’s eve clipart. All of these are taking advantage of the free Blogger service... these sites are pushing real trojans. Please don’t go there if unless you know what you’re doing... I wouldn't put this in the same league as the massive Google poisoning we saw last month. That was an epic attack, using exploits and all kinds of nasty tricks. However, this is something to be aware of, and hopefully the good folks at Google will take them down lickety-split..."

(Screenshots available at the URL above.)