NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0428 Operations Point Google Users to Malicious Web Sites:
Criminal cyber operations have been set up to get Google to point searchers to malicious
web sites with the help of legitimate, but subverted sites such as ZDNet Asia and TorrentReactor.
As a result, at least 20,000 Google search results that appeared to lead to pages on the Asian
version of ZDNet and the BitTorrent tracker site actually directed end users to sites that
attempted to install malware.
The operation, which was first documented by Dutch researcher Dancho Danchev, takes advantage
of a practice common to ZDNet Asia and many other sites: caching the search queries typed into
their search boxes as pages of their own. Those pages are then indexed by Google and other search engines and included in
the results they return. Exploiting this concept is as easy as typing popular search terms
into a popular web site along with the text of an IFRAME pointing to a malicious web site.
Over time, the strings will be included in the results returned by Google and others.
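The weakness described above is a site echoing cached search terms into indexable pages without escaping them. The following Python is an added illustration, not code from the advisory or from any site named in it: it shows the vulnerable rendering pattern beside its hardened form, plus a simple audit that flags cached terms carrying markup so they can be purged before a crawler indexes them. The sample queries and the malicious.example host are constructed placeholders.

```python
import html
import re

# Constructed sample of search strings a site might cache and later expose to
# crawlers as "results for ..." pages (placeholder data, not from the advisory).
CACHED_QUERIES = [
    "windows media player download",
    'free movies <iframe src="http://malicious.example/x" width=0 height=0></iframe>',
    "torrent client",
]

# Tags that have no business inside a plain search term. An injected IFRAME is
# the case the advisory describes; the others are common variants of the same trick.
_TAG_RE = re.compile(r"<\s*/?\s*(iframe|script|object|embed|img|meta|link)\b", re.I)


def render_unsafe(query: str) -> str:
    """Vulnerable pattern: the cached term is dropped into the page verbatim,
    so any markup it carries becomes live HTML on an indexable page."""
    return f"<h1>Results for: {query}</h1>"


def render_safe(query: str) -> str:
    """Hardened form: HTML-escape the term so the browser shows it as text.
    quote=True also neutralises quotes, so the term cannot break out of an attribute."""
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>"


def is_suspicious(query: str) -> bool:
    """Detection: a cached search term containing tag markup is not a real query."""
    return bool(_TAG_RE.search(query))


def audit(queries):
    """Return the cached terms that should be reviewed and purged from the cache."""
    return [q for q in queries if is_suspicious(q)]


if __name__ == "__main__":
    for q in audit(CACHED_QUERIES):
        print("flagged:", q)
        print("  unsafe render:", render_unsafe(q))
        print("  safe render:  ", render_safe(q))
```

Escaping fixes the rendering; the audit is still worth running, because terms already cached and indexed keep pointing searchers at the injected content until they are removed.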
In the second half of 2007, 51% of sites hosting malware were legitimate destinations that
had been compromised, as opposed to sites specifically set up by criminals, according to
security firm Finjan. In the case here, neither ZDNet Asia nor TorrentReactor was compromised,
although the criminals were clearly taking advantage of their strong page ranking and the
trust that many end users have in them.
The injected IFRAME redirects unwitting users to sites associated with the Russian Business
Network, F-Secure says. The sites try to install malicious programs with names including XP
AntiVirus 2008 and Spy Shredder Scanner.
The perpetrators of these operations are also notable for the care they have taken to cover their
tracks. The malicious sites will only infect users who click on the link as it is returned
from Google or another major search engine. Client-side honeypots or security researchers who
merely type the address into a browser will receive an error message indicating the site is
unavailable.
(www.theregister.co.uk 06MAR08)