Massive Badware Campaign Targets Google's "Long Tail"
A post by Cyveillance a couple of weeks back revealed a complex black-hat operation involving Google searches leading to hundreds of thousands of bogus blogs, exploiting the "long tail" of search results and isolated from Google's auto-detection of malware sites by a shifting network of redirectors. The fake blog posts are innocuous when visited directly, but make aggressive attempts to install a fake Windows anti-virus tool (which is actually a Trojan horse) if clicked through from Google. Other search engines do not index the bogus sites. The Unmask Parasites site has a detailed two-part analysis of the badware operation, which puts some numbers on its scope: almost 688,000 bogus scareware blogs can be located in Google; some of them have upwards of 1000 posts. This analysis also reveals that a large majority of the sites hacked to host fake blogs are on the network of Servage.net. From the second Unmask Parasites link: "What we have here is millions of rogue web pages targeting the long tail of web search (millions of keywords) where each page tries to install fake (and malicious) "anti-virus" software on visitors' computers. While this black-hat campaign is active for at least 6 months, webmasters of the compromised sites and their hosting providers don't simply notice this illicit activity. The good news is Google seems to have noticed this problem. Probably thanks to the Cyveillance blog post. During the week after that post I see a steady decrease in search results returned by the queries that you can find in this post."
But it sure does have a hell of a deep end.
to use anti-tracking measures. For example, the HTTP Referrer sent by my browser always gives the site its own homepage no matter what the actual referrer would have been. I use several other measures as well (such as redirect removers) because Web sites are on a need-to-know basis and I don't recognize their need to know where I've been or how I got to their page. If I visited such a blog from Google, the blog site would not know it and it would look to the site like I just went directly to its page. I use Linux but if I were using a Windows system vulnerable to these exploits, I still would not receive the exploits. There are already abundant reasons not to give away your usage data to anyone who wants it; this just provides one more.
It is a miracle that curiosity survives formal education. - Einstein
The "long tail of search" TFA is referring to is explained in this Wired article and on its author's blog.
XML is like violence. If it doesn't solve the problem, use more. Junta
Speaking of bogus blogs... What really ticks me off is if I'm searching for an answer to a technical problem, I often find the same message thread on 10 different sites. I wish Google would realize these are all the exact same thread and combine them into a single response.
A surprisingly large amount of people couldn't make the link between Malware and Malicious software.
And an even larger amount of people didn't know what Malicious meant. *facepalm*
No, see, you may have paid someone to protect you from Malware, but they didn't protect you from Badware. It's totally different. However, I can protect you, for a nominal fee...
If you were blocking sigs, you wouldn't have to read this.
Good idea to dumb it down... most of my family or colleagues will stop understanding and thus really listening when they hear words like malware. When you want to educate people be prepared to explain it in a simple way they understand, it will save you work later. ;)
And when you start to lose them just tell them "the evil hackers will plunder their bank account", this will give you about 3 minutes extra attention span.
This could possibly be the only time one of the retarded things our company-wide firewall did turns out to be right, it strips all referrer headers from HTTP traffic (which has caused me endless pain since some of my work involves said headers).
Of course, it still blocks all "application/---" MIME types which makes no sense and has caused even more issues (apparently anything with a MIME type that starts with application/ is a dangerous executable and must be blocked).
/Mikael
Greylisting is to SMTP as NAT is to IPv4
I get what these extortion-ware programs are. I've removed a few from my various relatives' Windows machines with malwarebytes and 1 other program (it's funny how no 1 program seems to be able to remove these vicious buggers). What I don't understand is how these a$$holes are getting their money. So the last time it happened to my uncle I told him to pay. He paid with a visa, waited a week and disputed the charge. It took him a few weeks, but finally got the chargeback, which I'm sure cost the a$$holes some of their own cash. Of course, during this period of time, the "anti-virus 2009" wasn't actually removed, but was weakened enough for my uncle to hop on the net and download his own malwarebytes and clean his system up. From now on, every time a relative gets this or one of its bastard brothers, I'm advising a "pay now and charge-back a week later" approach. I hope it catches on and the credit card companies, whose love of money has thus far blinded them to the illegal extortion scheme they've been aiding, decide it just isn't profitable to keep moving money for the a$$holes.
Which brings me to my second point. I have a 5 year old son. I explained in simple terms, without analogy, what the a$$holes are doing, and HE grasped that it was wrong, so why haven't our law enforcement officials done so? I assume without knowing that most of the a$$holes are foreign nationals. FOLLOW THE DAMN MONEY. I can hire a P.I. for $250 who could tell me where the money is going. When the money gets where it's going, have our LEO on the phone with the local LEO and, just a name off the top of my head, Hillary Clinton on 3-way, and DEMAND that whoever got the money start talking. If Hillary can't be bothered, fire the bitch and get someone who can spare 20 minutes to help thousands, maybe hundreds of thousands, of their countrymen not be extorted. Rinse, repeat as necessary until we get to the BIG CHEESE. Don't extradite, let them be tried wherever they're found, preferably with charges that translate to "screwing with our government's aid deals with the U.S." (there aren't THAT many countries the U.S. isn't funneling money, or at LEAST food, to).
Functionally, there isn't much difference between these programs and foreign nationals walking into grandma's house and ripping her computer out and refusing to hand it back without $30. If we can't fix such an obvious problem economically, or politically, then we are left with a 3rd option. Find them and take them out with drones. I'm not even remotely kidding. I hope it doesn't come to it, but how many of us would bat an eye if it did?
"you know why? Because we got the bomb, that's why" -Denis Leary
Same thing really - after all, "mal" is "bad"... in Latin
You got played. It's the "Lorenzo Von Matterhorn". http://en.wikipedia.org/wiki/The_Playbook_(How_I_Met_Your_Mother)
"Windows is a vulnerable POS" "New virus/trojan/worm affects Windows" "Every Windows computer can be assumed to be compromised, trojan-laden, and part of some botnet that's either being used to compromise other Windows machines, capture the user's personal information and/or to pump out anonymous spam".
Assume these as static truths. E.g., not 'news'.
Now what would *really* be news, is if a day went by and there wasn't some new compromise/attack/vulnerability affecting Windows machines.
I live in hope that someday one of these trojan/worm/virus writers distributes something that erases the entire hard drive, flashes all flashable memory on the machine, and then powers it down. But of course, they'll never do that, because then they'd be destroying the very resources they use to proliferate.
Good idea to dumb it down... most of my family or colleagues will stop understanding and thus really listening when they hear words like malware. When you want to educate people be prepared to explain it in a simple way they understand, it will save you work later. And when you start to lose them just tell them "the evil hackers will plunder their bank account", this will give you about 3 minutes extra attention span. ;)
I derive no pleasure from saying it, but maybe a plundered bank account is the natural price attached to holding their own security in such low esteem. The way I describe these situations is "if you want my help it's there for the asking, but I am not going to fight you in order to help you." I frankly have better things to do and there are people who would have more appreciation for how my knowledge of computers and networks can help them.
It is a miracle that curiosity survives formal education. - Einstein
But I just shrugged these off as random malware.
Blogs are going to be another morass of evil, because of so many that just regurgitate/copy/mimic each other, the insecurity problem, and the general lameness of nobody saying nothing.
And Google gets to look good on this, which is not really making me feel warm & fuzzy.
deleting the extra space after periods so i can stay relevant, yeah.
I've had probably 50 people try to register on my message board in the last couple of weeks, mainly from RIPE in Amsterdam and LACNIC in Montevideo. I've considered banning RIPE's IP addresses entirely. The ones that I have approved have been posting your typical porn and Viagra links, I'm not sure if this is exactly the same as I won't follow their links to see if it's to blog posts.
I wasn't sure if there'd been a compromise for SMF boards or if there's a list of low-activity boards that spammers share where my site got listed recently and thus people are trying to post there or what, but I've had to turn on administrator-approval of all memberships, which really ticks me off. I'm thinking about reinstalling my board to change the directory but haven't had time to mess with it.
When you sympathize with stupidity, you start thinking like an idiot.
When did the word badware appear? Is it because some people couldn't cope with Malware?
It's not badware. It's goodware-challenged.
Those guys at Bing have been busy.
(I know the trojan targets Windows - I say it's a hit they were willing to take)
One of my sites got hacked, along with a bunch of others on Inmotion Hosting. Inmotion tried to claim the user client machines were compromised and all the hacks were just FTP connections, but I don't believe that. It could have been related to an older version of phpBB I was running, but it didn't originate with my desktop.
The hack added thousands of links to almost every html file in the site, pages and pages of links, and set up rogue directories packed with thousands of html pages (2,147 in one directory). Took me days to clean all that crap out. What was amazing was the sheer scope. Thousands of websites all around the world compromised within a few days of one another and massive cross-linking network set up. It would take a big team to do that legally.
It's hard to blame Google for an organization going to that much trouble to game the system. I thought I ran a pretty secure site and it's hard to blame the host.
Here's the head scratcher for me. These people obviously have a very broad base of technical skill and resources. Imagine if they applied that talent to something legal. What's the payoff for all the trouble of building the link network? Do they make more doing this than setting up something legal?
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
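The cleanup the poster describes (thousands of injected links in nearly every HTML file, plus rogue directories holding thousands of generated pages) is the kind of thing a webmaster can scan for instead of finding by hand. The following is an added example, not code from the thread or from the hosting provider; the thresholds and the sample site it builds are constructed for illustration.

```python
"""Scan a web root for the two symptoms described in the post: HTML files
padded with an abnormal number of links, and directories stuffed with a huge
number of HTML pages. Added example; thresholds are assumptions, tune per site."""
import os
import re
import tempfile
from collections import Counter

LINK_RE = re.compile(rb"<a\s[^>]*href=", re.IGNORECASE)
HTML_EXT = (".html", ".htm")


def scan_site(root, max_links=200, max_pages=500):
    """Return (link_heavy_files, stuffed_dirs) as lists of (relative path, count).
    Files are read as bytes so odd encodings in injected content do not abort the scan."""
    heavy = []
    pages_per_dir = Counter()
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(HTML_EXT):
                continue
            pages_per_dir[dirpath] += 1
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                n_links = len(LINK_RE.findall(f.read()))
            if n_links > max_links:
                heavy.append((os.path.relpath(path, root), n_links))
    stuffed = [(os.path.relpath(d, root), c)
               for d, c in pages_per_dir.items() if c > max_pages]
    return sorted(heavy), sorted(stuffed)


def build_sample_site():
    """Constructed fixture: one clean page, one page padded with 1500 spam links,
    and one directory holding 600 generated pages. Returns the temp root."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write('<html><a href="about.html">About</a></html>')
    with open(os.path.join(root, "about.html"), "w") as f:
        spam = "".join(f'<a href="http://spam{i}.example/">x</a>' for i in range(1500))
        f.write("<html><body>About us</body>" + spam + "</html>")
    rogue = os.path.join(root, "zz9")
    os.makedirs(rogue)
    for i in range(600):
        with open(os.path.join(rogue, f"p{i}.html"), "w") as f:
            f.write(f'<html>page {i} <a href="p{(i + 1) % 600}.html">next</a></html>')
    return root


if __name__ == "__main__":
    heavy, stuffed = scan_site(build_sample_site())
    for path, n in heavy:
        print(f"link-heavy file: {path} ({n} links)")
    for d, n in stuffed:
        print(f"stuffed directory: {d} ({n} pages)")
```

Run it against the real document root of a suspect site instead of the fixture, and review any file it flags before deleting, since legitimate sitemaps and index pages can also be link-heavy.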
Awhile ago there was a major news story involving an Austrian and incest. Now I just assume that all Austrians are like that, in order to simplify my narrow mind's view of the world. Maybe it's the Austrian schools or lederhosen or something.
I tried to reproduce this. But I was running noscript. I had to enable a half dozen sites before I could see what they were talking about.
I agree - but I think it's better that they be informed about it at the least. See my parents were under the impression that so long as they never entered their information online it wouldn't be in danger. As such, they had a number of financial records on their computer, which (of course) got infected.
Now, nothing bad has resulted (to our knowledge), and I've lined them up with preventative measures and how to deal with it when it strikes. They didn't really care all that much until I told them that yes, those bank records ARE AT RISK. Then they perked right up.
If I weren't happily in love I'd see that as an opportunity to get the receptionist naked...
Good point! It should be "ungoodware" (or, maybe, "double plus ungoodware")
just a ghost in the machine.
This is possibly the best post that has ever been made at
I have been wanting the ability to mask HTTP REFERRER [sic sic] since practically Day One of getting on the WWW [and certainly since the first time I ever put a sniffer on the network stack and saw all the personal information that was being given away to God-only-knows whom].
It's hard to believe that it's taken us almost two decades to be able to surmount the single most egregious mistake that Tim Berners-Lee made in designing [or mis-designing] the web.
Been a lot longer than 6 months, I've been seeing these things on end user machines for over a year.
The big search engines remain too "soft" on bottom-feeders. Google once took a harder line. In 2004 and 2005, Google sponsored the Web Spam Summit. Then they had a down quarter and turned to the dark side. Since then, from 2006 to 2009, they've sponsored the Search Engine Strategies conference, the web spammer's convention.
Google has to do this to remain profitable. 35% of AdWords advertisers, by domain, are "bottom-feeders" - sites with no identifiable legitimate business behind them. A significant portion of Google's revenue comes from those bottom-feeders, and the AdWords ads on their sites. If Google filtered out all spam blogs, their revenue would decline.
We, of course, run SiteTruth, as a demo to show that search can have less evil. Try putting some of those "bad" sites into SiteTruth and see how it rates them.
(We get some whining, of course. "I wanna run ads on my blog and I don't wanna say who I am." Tough. You're operating a business, and businesses, by law, don't get to be anonymous. Even in the EU. Deal with it.)
I use all the same things that fellow geeks tend to use...Adblock Plus, NoScript, host file, etc. They work great for me but for the average person (family, friends, customers, etc) I find that a few minutes of explaining the existence and nature of the 'dark side', combined with the addition of a few basic measures keeps most of the crap at bay with little effort on their part. From speaking to them on a regular basis (I've been driving around fixing home and business machines for over 5 years now (3-5 calls per day) with a small Boston-area company so I've seen a huge cross-section of users) I've pieced together what I think is the root of the matter..."Internet Security" programs...
These things (Norton and McAfee are the worst) claim to do everything but make people breakfast, not only on the package but also on their websites. Most machines even come with free trials of these bastards installed by default. They have cartoon interfaces with green lights and checkboxes and all manner of condescending 'you are safe' messages all over them. What they fail to mention is that they can only effectively protect against what is on their 'lists'. I understand they need to make money but it's downright deceptive to give people the expectation that they don't have to do anything to keep themselves safe. Once the average person installs one of these monsters they assume (and yes it's foolish to assume anything but to them the computer is a tool, not a second job) that nothing can harm them. After all they paid money for it to protect them. Most are horrified to find out that these things are smoke and mirrors and that even though their AV says 'you're protected' they still ended up infected with a rootkit or something similar that completely evaded detection because it had hit the ground running less than 24hrs previously.
The particular attack form that hits sites like the ones mentioned in the article is the worst, and actually relies on the AV vendors' own obnoxiousness to trick people. Regular AV software loves to pop up and announce how great a job it's doing. Most people ignore these and just click whatever they have to to dismiss them. Why? Not out of stupidity (usually) but because it happens so frequently that they've become desensitized to it. So when they are on a site and a popup announces they've been infected and that unfortunately they need to renew their subscription to fix the problem, they click what they need to in order to get back to what they were doing. They don't notice that words are slightly misspelled or that Antivirus 2010 doesn't say McAfee or whatever it is that they've got. They see a giant cartoon with warning messages and a 'fix it' button. It all happens so quickly that most of the time when I'm talking to a customer about it they don't remember actually doing it until an hour into the call.
What's the solution? I don't think there is a perfect one, but I can say that I've had tremendous luck over the last several years with a very basic approach. Currently it consists of the following...
Education - a 15 minute conversation (in plain English btw) can save you hours of repairs later. Once people have a realistic expectation of what their role is in their own safety they become better users
Getting them to use IE only for the sites they absolutely need it for (usually internal work-related ones)
Migrating them to Firefox w/Adblock Plus and Web of Trust (the ad filtering is a great way to get most people to dump IE in a heartbeat)
OpenDNS set up on their router with the updater service running on one of their machines (only if they want sites blocked for kids/employees/whatever)
Basic antivirus (AVG, MSE, etc) with as many of the more annoying features shut off as is possible so that when they see a message they might stop to read it.
With the above stuff in place the only malware-related things I need to get rid of are usually related to a toolbar that something like Java installed on them or if someone's kid went off to pirate something and got infected (thus bypassing any security in place by looking for trouble actively).
YMMV of course...
...targeting my “long tail”?
Oh... with badware? Well then, no thanks. ^^
Any sufficiently advanced intelligence is indistinguishable from stupidity.
I encountered this over a year ago. In the summer 2008, to be exact. A large academic publisher's website was hacked to redirect to malware when seeing "google" in the REFERER string, yet function normally otherwise. It took me a day to realize it wasn't Google's or my computer's problem. It took me two or three emails to a journal editor over a couple weeks to have the site webmaster finally notice and believe it was his server responsible and not something else. Half the traffic was hijacked, yet webmasters usually checked their own websites not through Google and assumed everything looked normal. This was an efficient trick the first time it was used.
17779 eligible voters in a district, 17779 'vote' as one. This is Russia.
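The reason the publisher's webmaster saw nothing wrong is that he only ever loaded his own pages directly, and the hacked site behaved differently when the Referer pointed at Google. A webmaster can test for exactly that by fetching a page both ways and diffing the result. This is an added example, not code from the thread, Unmask Parasites or Cyveillance; the Google Referer value and the sample responses at the bottom are constructed, and only the comparison logic runs offline.

```python
"""Fetch a page once directly and once with a Google search URL as Referer,
then report how the two responses differ. Added example; the Referer value
and the sample Response objects are constructed."""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass

GOOGLE_REFERER = "https://www.google.com/search?q=example"  # constructed value
# Markers worth calling out when they appear only in the Google-referred variant.
SUSPICIOUS = re.compile(r'(?i)(meta\s+http-equiv=["\']?refresh|window\.location|\.exe\b)')


@dataclass
class Response:
    status: int
    location: str  # Location header of a redirect, "" if none
    body: str


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx, so a conditional redirect stays visible to the comparison."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_variant(url: str, referer: str = "") -> Response:
    """Fetch url; a Referer header is sent only when one is given."""
    headers = {"User-Agent": "Mozilla/5.0"}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=10) as resp:
            return Response(resp.status, resp.headers.get("Location", "") or "",
                            resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # unfollowed 3xx and 4xx/5xx land here
        return Response(err.code, err.headers.get("Location", "") or "",
                        err.read().decode("utf-8", "replace"))


def compare_variants(direct: Response, via_google: Response) -> list:
    """Return findings describing how the Google-referred response differs;
    an empty list means the page behaved identically both ways."""
    findings = []
    if direct.status != via_google.status:
        findings.append(f"status differs: {direct.status} vs {via_google.status}")
    if direct.location != via_google.location:
        findings.append(f"redirect target differs: {direct.location!r} vs {via_google.location!r}")
    if direct.body != via_google.body:
        extra = set(SUSPICIOUS.findall(via_google.body)) - set(SUSPICIOUS.findall(direct.body))
        note = f"; only in Google variant: {sorted(extra)}" if extra else ""
        findings.append("body differs" + note)
    return findings


def check_url(url: str) -> list:
    """Live check: compare the direct fetch against the Google-referred fetch."""
    return compare_variants(fetch_variant(url), fetch_variant(url, GOOGLE_REFERER))


# Constructed sample responses standing in for a live fetch.
CLEAN = Response(200, "", "<html><body>Journal of Examples</body></html>")
CLOAKED_REDIRECT = Response(302, "http://scanner.example/antivirus.exe", "")
CLOAKED_SCRIPT = Response(200, "", '<html><script>window.location="http://scanner.example/'
                                   'setup.exe"</script></html>')
```

A page that is merely personalised (session IDs, timestamps) will also show "body differs", so treat a status or redirect difference as the strong signal and read the body diff by hand.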
webmasters of the compromised sites and their hosting providers don't simply notice this illicit activity.
How do they notice it then? Complexly?
You can't expect words to mean the same thing when you string them together out of order.
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?