November 17, 2009, 7:08 PM — I like Google a lot. I couldn't live without it. Heck, I even found a way to find flu vaccines on it the other day. But, that doesn't mean I trust its results unconditionally. That's a good thing. Cyber security research firm, Cyveillance has discovered that more than 200,000 Web sites have been infected with a new way to deliver malware via Google search results.
According to Cyveillance, here's how it works. First a blog site is compromised. Often these are sites using out of date versions of the popular online photo gallery software Coppermine. For the most part, these are real, but neglected, blogs who users are no longer keeping them up or they'd notice something fishy was going on.
Once compromised these blogs start automatically publishing bogus posts. These posts are crudely SEOed (search engine optimized) images with minimal text. It's not the page's content that's compromised though. It's the blog's templates that frame the images. Google then, in good faith, indexes these pages for you to find them.
When you visit the site, from a Google search result, you're quickly redirected to a fake anti-virus software drop sites. There, if you have a Windows system that doesn't have current anti-virus protection installed, the rogue site will try to install a fake security program, Inst_58s6.exe. It does this by telling you that you have a virus infection and you must install this program to be safe. We've seen this kind of scareware pop up before even on sites as well-known as the New York Times.
What I find especially interesting about this nasty little program is that if you were go straight to the site's page, say by copying the URL into the browser, you won't end up at the bogus site. Instead, you'll go to the fake, but not-infected, Web page. It does this by checking your HTTP referrer. The referrer is used to determine exactly how it is that you got to the page. If you're not coming there by way of Google--or from some other search engines such as AltaVista, Baidu, or Yahoo--it lets you go through without being redirected.
Of course, the only person who's likely to do that is the Webmaster trying to figure out what's wrong with his or her site. Unless, they're being careful about how checking up on their site, they'll never figure it out.
Why would someone go to all this trouble to infect hundreds of thousands of sites to deliver such a sad little package of malware? Well, you see it's not that much trouble. A program searches for sites without up-to-date software, infects them, and then they start automatically starts generating the bogus pages on their own.
The botnet masters just needs to keep creating new sites to hold the malicious payload as needed, and then, after they infect enough Windows PCs, they can use the compromised computers for nastier purposes starting with spreading more malware and eventually stealing valuable financial data from your computer.
The solution, as always, is to keep your anti-virus software up to date, and always keep it on. Never assume that even a totally boring and innocuous Google search is safe. Google tries to mark sites as being suspicious, but in this case, perhaps because the cracked sites themselves just pass you through to the truly malicious site, Google hasn't been able to catch them yet. I have no doubt that Google will get it right. But, in the meantime, keep your defenses up!
