Hackers Rig Google to Deliver Malware

image
Illustration: Tomer Hanuka
If last November you googled one of thousands of innocuous and common search terms, such as "Microsoft excel to access" or "how to teach your dogs to fetch," you were in line for an Internet attack that infects PCs with spam senders, password stealers, and other kinds of nasty malware.

Beginning on November 24 and continuing for less than a week, bad guys loaded up more than 40,000 Web pages with malicious software and thousands of common search terms. They then employed an automated network of malware-infected computers--known as a botnet--to link to those sites in blog-comment spam and other places. The mentions elevated the position of the poisoned sites in search results, often to the first page.

Click Here for Free Attack

The malicious sites had no useful information. Instead, a simple click on a link to such a site in the search results was enough to launch attacks against your PC. If the attack found any of a number of vulnerabilities in a range of programs, it would load.

"This was a massive wave," says Alex Eckelberry, president and CEO of security firm Sunbelt Software.

The attack marks a new level of sophistication, using multiple techniques to raise site visibility in search results and deliver malware to a mass audience.

The careful eye of Sunbelt researcher Adam Thomas spotted the attack, which targeted common search terms (as highlighted).
The careful eye of Sunbelt researcher Adam Thomas spotted the attack, which targeted common search terms (as highlighted).
Sunbelt researcher Adam Thomas happened upon the attack when he ran a search of "netgear ProSafe DD-WRT" for router firmware. His trained eye saw a suspicious-looking result on the first page. More research and digging on other phrases turned up the vast array of attack sites.

None of the sites from this wave, or a smaller follow-up group, appear now on Google, and Eckelberry and other experts believe the search giant has blocked those specific domains. But Google isn't saying what it did to stop this attack, or whether measures are in place to halt a recurrence.

Subscribe to the Security Watch Newsletter

Comments