Spyware Sucks
“There is no magic fairy dust protecting Macs" – Dai Zovi, author of “The Mac Hacker’s Handbook"

ALERT: More potentially dangerous web sites hitting Google search

November 29th 2007 in Uncategorized

You may recall that Alex Eckelberry alerted us to a massive seeding of Google and other Web searches with malicious web sites.  Google and the other sites, to their credit, certainly cleaned things up very quickly, and the incident quickly hit the popular press.

Sadly, it seems that Google, although they reacted quickly to the last incident, have seemingly not found a way to counter the basic problem, because Alex and Adam have reported that they are seeing signs of another attempt to infiltrate search results. Alex and Adam note that the sites are not dangerous at the moment, but of course that could change.

While we’re on the topic of malicious searches, TrendMicro’s team pointed out a new behaviour that all of us need to keep in mind when investigating these outbreaks.  Trend say that:

However, there is a little catch for us security researchers. We now look at the “if” statement where it relies on the “document.referrer” function. The code tells that in order for the “eval” function to be executed, the page where the user visited before arriving on the malicious Web page should be a page containing Google search results. Also, the search string used by the user must not have the “inurl:” and “site:” Google search functions. Thus, direct visit or access of the malicious site will not trigger the evil script and not redirect us to the site hosting the malicious binary file.

For security reseachers developing tools to automate the capture of the malicious files found on Web threats, this is something to consider. It is clear that this is a limitation for tools designed to directly access the malicious site aiming to capture the malicious files. The affected tools include honeyclients, Web crawlers, and downloaders.

You may recall my previous advice about this problem which is to pay close attention to the links that are being offered, and avoid anything that just doesn’t look right, and certainly to avoid ‘nonsense’ domains.  If you look at the latest Sunbelt shots, one of the sites is “pavtd.com.cn” which, at least according to the quick straw poll I just conducted, would not ring alarm bells for the average user.  Apparently it’s “not nonsensical enough”.


3 comments to...
“ALERT: More potentially dangerous web sites hitting Google search”

foster LAMB

I hope that my message got through I expect an acknowledgement and / or at least the clearing of my send info so that I do not wonder ?


So now these lovely folks at Sunbelt are going to have our search results censored so we only see what Google thinks we should see? I think Sunbelt doth protest too much – don’t they sell an anti-spyware product that lags behind PC Tool’s Spyware Doctor and Webroot’s SpySweeper at a distant #3 or worse. I think these yeckels are just trying to sell whatever the name of their anti-spyware. If they wrote for the print media they’d be in the National Enquirer.

Don’t people know that .cn means China? This crap is getting out-of-hand. People trying to sell software, who are sensationalists, trying to protect the morons who click before they think.

They keep writing their goofy articles long enough and enough knuckleheads like this site, ZDNET, CNET, etc. pick up the articles, maybe Sunbelt will rise from a second-rate software company to the level of Symantec. Isn’t that something to aspire to?


Oh please, Tiagara.
1. Google already censors what you see. Sometimes for their own purposes, sometimes because they’ve been required to by legal judgements. Don’t ever assume that Google or any other search engine gives you the whole web.
2. The sites being discovered here are not questionable sites or dubious sites, or sites that have a political axe to grind with which Google disagrees. These are sites whose sole purpose is to get listed on Google and to distribute malicious software. Google’s not yet approached the gray fuzzy part of the line on blocking these sites.
3. You seem to be under the impression that Google is blocking all .cn addresses in search results. That’s not the case. They are blocking sites that serve up malicious software as a result of seeding the search engine with terms designed to match users’ queries. It just so happens that most of these sites are hosted in the .cn TLD – so the usual rule of thumb applies: if you don’t have any reason to go to Chinese web sites, don’t take the notably increased risk.

Important note: These reports are unconfirmed.
A person has posted a comment to my blog warning that they experienced a redirect while using Hotmail aka Windows Live Mail – you can read the comment here:http://msmvps.com/blogs/spywaresucks/archive/2007/11/08/1287908.aspx#1369705
Earlier this month I spotted a similar complaint affecting MSN Groups:http://groups.msn.com/ArtifactsofMars/general.msnw?action=get_message&mview=1&ID_Message=568
I’ve notified the appropriate parties about both of these reports, but am interested to […]

Previous Entry

When you view a Web page by using Microsoft Internet Explorer 6, a GIF image that is located on the Web page appears as expected. However, if you press F5 to update the display, or if you click Refresh to update the display, the GIF image no longer appears. Instead, a red “X” appears as […]

Next Entry