Viral web infection siphons ad dollars from Google
Only getting bigger
A compromise that is moving virally across websites is making unwitting people who surf to them part of a botnet that redirects Google search results, a security researcher has warned.
During the past week, the number of websites identified as infected have almost tripled, according to researcher Mary Landesman with real-time malware scanning specialist ScanSafe tracking the attacks since March. Normally, web compromises die out after a few weeks, as search engines and anti-virus programs grow wise to them. But that's not happening this time.
"The growth rate is very unusual for this type of compromise, and the fact that it's escalating so quickly is what has us concerned," Landesman told The Reg.
The goal of the malware appears to be to siphon dollars away from Google's highly profitable advertising franchises. By injecting ads and links into certain searches, infected users see results that are different than they would otherwise be.
The longevity of the mass compromise speaks to the resourcefulness of the attackers. When they first set out, they dropped static attack code into PHP, HTML and other scripts of infected websites, but in time, website owners learned how to detect and remove the infection. The miscreants soon started a second wave of attacks that installed dynamically generated malware on infected sites as soon as the static script was removed.
I work for a fairly large hosting provider and we're seeing it here too.
Interestingly, we're also seeing a .htaccess being dropped into the root ftp folder which attempts to perform various redirects, set (compromised) custom error docs and calls some perl scripts.
Ammusingly they don't upload the error docs, scripts and their .htaccess is malformed, which simply took the sites offline instead. If the error docs had been correctly uploaded then they'd have spread via the 500 internal server errordoc though.
The reason I mention it is because it's from the same 'straight-in' access from compromised FTP accounts. I cleared out about 15 infections yesterday - of which all logged in first time with the right details.
Not just Foxit, there are a host of alternatives, for Windows and non-Windows alike. KPDF is what comes preinstalled on my OS/distro of choice.
is it me or does anyone else see the hand of...
..Kvnt Eurtgruel in this?