Drive-By Download Poisons Google Search Results
snydeq writes "A new attack that peppers Google search results with malicious links is spreading quickly, CERT has warned. The attack, which can be found on several thousand legitimate Web sites, exploits flaws in Adobe software to install malware that steals FTP login credentials and hijacks the victim's browser, replacing Google search results with links chosen by the attackers. Known as Gumblar because at one point it used the Gumblar.cn domain, the attack is spreading quickly in part because its creators have been good at obfuscating their attack code and because they are using FTP login credentials to change folder permissions, leaving multiple ways they can get back into the server."
As the article points out, these trojans/viruses that use Google and other search engines are becoming more common. My mother got one that replaced all of the major search engine results with fake spyware and antivirus software links. I imagine it's popular because it's a bit subtle and pernicious. How much malware is out there that is undiscovered because the effects are more subtle? Maybe reordering search results? Replacing ads with different ones?
For my mom, I ended up using http://www.scroogle.com/ to download AV software to fix it. Seeing it for the first time, it was surprising to me that search engine results could be corrupted in this way. (I guess not that surprising...) And, I must admit I don't know if these programs are latching on to the browser applications somehow or if they are doing it somewhere else in the OS layer. It would be interesting to find ways to prevent these symptoms in a more sophisticated way than using Scroogle (i.e., finding a search engine they hadn't considered). If these viruses are using the underlying OS, would the search engines using SSL by default be a way to do it? Or would a man-in-the-middle attack negate that? And I'd imagine there had to be a way to lock down the browsers themselves, or at least make it difficult, from this kind of attack if that's their point of entry.
<offtopic> When I was a kid, a friend of mine and I made two anti-virus viruses. (We didn't spread them around, just did them for research purposes.) The first one modified COMMAND.COM to expect .EXX, .MOC, and .TAB files instead of the standard ones, and then renamed all of the files on the system this way. This broke some programs, requiring a hex editor now and again, but it basically made my friend's system immune to viruses. The other one attached a little self-CRC checker to every executable which would print a warning if another program had altered the file. Fun times. I wonder if these ideas are patented now. </offtopic>
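The self-CRC checker in the comment above and the Gumblar behaviour in the summary (files modified over FTP, folder permissions changed) are the same problem seen from two sides: you want to know when something other than you altered a file. Here is an added Python example, not code from the story or from either commenter, of the defender's version: fingerprint every file under a site's document root (CRC32 as in the comment, plus SHA-256 and the permission bits), store the baseline, and later report what changed. The sample site, the injected script tag and the dropped file are all constructed inside the script for demonstration; the directory layout and file names are assumptions.

```python
import hashlib
import json
import os
import stat
import tempfile
import zlib


def fingerprint_bytes(data: bytes) -> dict:
    """CRC32 (the cheap check the comment describes) plus SHA-256 of a blob."""
    return {
        "crc32": zlib.crc32(data) & 0xFFFFFFFF,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def file_fingerprint(path: str) -> dict:
    """Content hashes plus permission bits, since the attack also changed permissions."""
    with open(path, "rb") as fh:
        record = fingerprint_bytes(fh.read())
    record["mode"] = stat.S_IMODE(os.lstat(path).st_mode)
    return record


def build_baseline(root: str) -> dict:
    """Walk a document root and fingerprint every regular file, keyed by relative path."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_fingerprint(full)
    return baseline


def verify(root: str, baseline: dict) -> list:
    """Compare the tree against a stored baseline; returns sorted (path, finding) pairs."""
    current = build_baseline(root)
    findings = []
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings.append((rel, "missing"))
            continue
        if new["sha256"] != old["sha256"]:
            findings.append((rel, "content changed"))
        if new["mode"] != old["mode"]:
            findings.append((rel, "permissions changed"))
    for rel in current:
        if rel not in baseline:
            findings.append((rel, "new file"))
    return sorted(findings)


def demo() -> list:
    """Constructed sample site: baseline it, tamper with it, and return the findings."""
    root = tempfile.mkdtemp(prefix="site-")
    os.makedirs(os.path.join(root, "js"))
    files = {  # constructed content, not a real site
        "index.html": b"<html><body>Hello</body></html>\n",
        "about.html": b"<html><body>About</body></html>\n",
        "js/app.js": b"console.log('app');\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, 0o644)

    baseline = build_baseline(root)
    # In practice the baseline is stored where the web server's FTP account cannot write.
    baseline_json = json.dumps(baseline, indent=1)

    # Simulated tampering (constructed): an appended script tag, a world-writable file
    # and a dropped file, mirroring the three behaviours the summary describes.
    with open(os.path.join(root, "index.html"), "ab") as fh:
        fh.write(b"<script>/* constructed injected code */</script>\n")
    os.chmod(os.path.join(root, "js", "app.js"), 0o777)
    with open(os.path.join(root, "js", "inject.js"), "wb") as fh:
        fh.write(b"/* constructed dropped file */\n")

    return verify(root, json.loads(baseline_json))


if __name__ == "__main__":
    for path, finding in demo():
        print(f"{finding:20s} {path}")
```

The point of keeping the baseline off the web host is the same one the comment's self-checker ran into: a check that lives next to the thing it checks can be rewritten by whoever got write access. Compare the mode bits, not just the hashes, because a permission change with no content change is exactly the "leave a way back in" step the summary mentions.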