Hackers Rig Google to Deliver Malware

image
Illustration: Tomer Hanuka
If last November you googled one of thousands of innocuous and common search terms, such as "Microsoft excel to access" or "how to teach your dogs to fetch," you were in line for an Internet attack that infects PCs with spam senders, password stealers, and other kinds of nasty malware.

Beginning on November 24 and continuing for less than a week, bad guys loaded up more than 40,000 Web pages with malicious software and thousands of common search terms. They then employed an automated network of malware-infected computers--known as a botnet--to link to those sites in blog-comment spam and other places. The mentions elevated the position of the poisoned sites in search results, often to the first page.

Click Here for Free Attack

The malicious sites had no useful information. Instead, a simple click on a link to such a site in the search results was enough to launch attacks against your PC. If the attack found any of a number of vulnerabilities in a range of programs, it would load.

"This was a massive wave," says Alex Eckelberry, president and CEO of security firm Sunbelt Software.

The attack marks a new level of sophistication, using multiple techniques to raise site visibility in search results and deliver malware to a mass audience.

The careful eye of Sunbelt researcher Adam Thomas spotted the attack, which targeted common search terms (as highlighted).
The careful eye of Sunbelt researcher Adam Thomas spotted the attack, which targeted common search terms (as highlighted).
Sunbelt researcher Adam Thomas happened upon the attack when he ran a search of "netgear ProSafe DD-WRT" for router firmware. His trained eye saw a suspicious-looking result on the first page. More research and digging on other phrases turned up the vast array of attack sites.

None of the sites from this wave, or a smaller follow-up group, appear now on Google, and Eckelberry and other experts believe the search giant has blocked those specific domains. But Google isn't saying what it did to stop this attack, or whether measures are in place to halt a recurrence.

Game On: Google Bombed

This massive attack had three notable features that point to the sophistication and planning behind it. The first is the culprits' use of botnets to push a dark form of SEO (search-engine optimization), called a "Google bomb," to boost their sites' Google rankings.

"They did an extraordinary job optimizing the search results using the bots," Eckelberry says.

Second, the poisoned sites carried JavaScript code on their pages designed to stop visitors coming via other search engines from being attacked--only visitors who came through a Google search were hit.

"[This trick was a] way of flipping the finger at Google," says Eckelberry. Experts don't know the motive behind directing the attacks at Google users, but online crooks have targeted specific sites and companies in the past when they felt threatened. Google recently launched an online form for reporting a site that Web users believe might contain malware.

Third, the manipulated pages carried code that kept the attack sites from appearing in results if the entered search term included certain expressions that security researchers commonly use. For example, Eckelberry had recently written about using "inurl" and "site," two of the singled-out terms.

Despite Google's steps to eliminate the impact of comment spam on its search result rankings, the use of SEO techniques is growing in the online criminal underground. And bad guys don't employ the trick just to infect people's PCs. WhiteHat Security chief Jeremiah Grossman says that whoever hacked Al Gore's Web site recently added a link that could be seen only in the site's source code.

The link, which pointed to an online pharmacy site, was designed to give the drug site more relevance. Grossman says that, according to underground contacts, the top result for "buy Viagra online" is worth about $50,000 a month.

How to Search Safely

Though this attack was crafty and effective, security experts say there's no need to stop using Google, as long as you take some precautions. Most important: Keep your software patched and up-to-date. The attack sites used a programming kit called the "404 exploit framework," which hits known software vulnerabilities, says Roger Thompson, president of security software maker Exploit Prevention Labs. You can close most of the targeted holes by enabling the automatic-update features for Microsoft Windows, Mozilla Firefox, Apple QuickTime, and other critical software, but you should also update to the latest version of WinZip, a targeted program that doesn't have an auto-update feature.

And don't let your guard down just because your software is current. Attack sites will often employ social-engineering tricks when they can't worm into your PC through software holes. On its blog, Sunbelt provides an image of a common attack pop-up that attempts to trick you into installing a fake video codec that then tries to exploit a vulnerable PC. Your sharp eye can also catch many of these bogus results before you click. Watch for seemingly garbled text such as "vpn passthrough sting maphack light Motorola" in the text snippet shown for each search result. If the listing is for an oddly named page such as "leuwusxrijke.cn/769.html," it could very well be a land mine.

Free downloads such as McAfee's SiteAdvisor and Exploit Prevention Labs' LinkScanner Lite identify potentially dangerous search results with small icons. And the leading commercial security software suites offer browser protection. Keep a close eye on what you click on, too, and you'll keep search paranoia at bay, as Eckelberry has. "I'm a Google fanatic," he says. "I haven't stopped using Google because of this."

Subscribe to the Security Watch Newsletter

Comments