Attack infects PCs with spam senders, password stealers, and other kinds of nasty malware If last November you googled one of thousands of innocuous and common search terms, such as “Microsoft excel to access” or “how to teach your dogs to fetch,” you were in line for an Internet attack that infects PCs with spam senders, password stealers, and other kinds of nasty malware. Beginning on November 24 and continuing for less than a week, bad guys loaded up more than 40,000 Web pages with malicious software and thousands of common search terms. They then employed an automated network of malware-infected computers–known as a botnet–to link to those sites in blog-comment spam and other places. The mentions elevated the position of the poisoned sites in search results, often to the first page. Click Here for Free Attack The malicious sites had no useful information. Instead, a simple click on a link to such a site in the search results was enough to launch attacks against your PC. If the attack found any of a number of vulnerabilities in a range of programs, it would load. “This was a massive wave,” says Alex Eckelberry, president and CEO of security firm Sunbelt Software. The attack marks a new level of sophistication, using multiple techniques to raise site visibility in search results and deliver malware to a mass audience. Sunbelt researcher Adam Thomas happened upon the attack when he ran a search of “netgear ProSafe DD-WRT” for router firmware. His trained eye saw a suspicious-looking result on the first page. More research and digging on other phrases turned up the vast array of attack sites. None of the sites from this wave, or a smaller follow-up group, appear now on Google, and Eckelberry and other experts believe the search giant has blocked those specific domains. But Google isn’t saying what it did to stop this attack, or whether measures are in place to halt a recurrence. Game On: Google Bombed This massive attack had three notable features that point to the sophistication and planning behind it. The first is the culprits’ use of botnets to push a dark form of SEO (search-engine optimization), called a “Google bomb,” to boost their sites’ Google rankings. “They did an extraordinary job optimizing the search results using the bots,” Eckelberry says. Second, the poisoned sites carried JavaScript code on their pages designed to stop visitors coming via other search engines from being attacked–only visitors who came through a Google search were hit. “[This trick was a] way of flipping the finger at Google,” says Eckelberry. Experts don’t know the motive behind directing the attacks at Google users, but online crooks have targeted specific sites and companies in the past when they felt threatened. Google recently launched an online form for reporting a site that Web users believe might contain malware. Third, the manipulated pages carried code that kept the attack sites from appearing in results if the entered search term included certain expressions that security researchers commonly use. For example, Eckelberry had recently written about using “inurl” and “site,” two of the singled-out terms.Despite Google’s steps to eliminate the impact of comment spam on its search result rankings, the use of SEO techniques is growing in the online criminal underground. And bad guys don’t employ the trick just to infect people’s PCs. WhiteHat Security chief Jeremiah Grossman says that whoever hacked Al Gore’s Web site recently added a link that could be seen only in the site’s source code. The link, which pointed to an online pharmacy site, was designed to give the drug site more relevance. Grossman says that, according to underground contacts, the top result for “buy Viagra online” is worth about $50,000 a month. How to Search Safely Though this attack was crafty and effective, security experts say there’s no need to stop using Google, as long as you take some precautions. Most important: Keep your software patched and up-to-date. The attack sites used a programming kit called the “404 exploit framework,” which hits known software vulnerabilities, says Roger Thompson, president of security software maker Exploit Prevention Labs. You can close most of the targeted holes by enabling the automatic-update features for Microsoft Windows, Mozilla Firefox, Apple QuickTime, and other critical software, but you should also update to the latest version of WinZip, a targeted program that doesn’t have an auto-update feature. And don’t let your guard down just because your software is current. Attack sites will often employ social-engineering tricks when they can’t worm into your PC through software holes. On its blog, Sunbelt provides an image of a common attack pop-up that attempts to trick you into installing a fake video codec that then tries to exploit a vulnerable PC. Your sharp eye can also catch many of these bogus results before you click. Watch for seemingly garbled text such as “vpn passthrough sting maphack light Motorola” in the text snippet shown for each search result. If the listing is for an oddly named page such as “leuwusxrijke.cn/769.html,” it could very well be a land mine. Free downloads such as McAfee’s SiteAdvisor and Exploit Prevention Labs’ LinkScanner Lite identify potentially dangerous search results with small icons. And the leading commercial security software suites offer browser protection. Keep a close eye on what you click on, too, and you’ll keep search paranoia at bay, as Eckelberry has. “I’m a Google fanatic,” he says. “I haven’t stopped using Google because of this.”By Erik Larkin, PC World (US) Related content news Top cybersecurity product news of the week New product and service announcements from Coro, Descope, Genetec, Varonis, Cloudbrink, Databarracks, and Security Journey By CSO staff Dec 07, 2023 22 mins Generative AI Generative AI Machine Learning news analysis Attackers breach US government agencies through ColdFusion flaw Both incidents targeted outdated and unpatched ColdFusion servers and exploited a known vulnerability. By Lucian Constantin Dec 06, 2023 5 mins Advanced Persistent Threats Cyberattacks Vulnerabilities news BSIMM 14 finds rapid growth in automated security technology Embrace of a "shift everywhere" philosophy is driving a demand for automated, event-driven software security testing. By John P. Mello Jr. Dec 06, 2023 4 mins Application Security Network Security news Almost 50% of organizations plan to reduce cybersecurity headcounts: Survey While organizations are realizing the need for knowledgeable teams to address unknown threats, they are also looking to reduce their security headcount and infrastructure spending. By Gagandeep Kaur Dec 06, 2023 4 mins IT Jobs Security Practices Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe