Massive Badware Campaign Targets Google's "Long Tail"

A post by Cyberveillance a couple of weeks back revealed a complex black-hat operation involving Google searches leading to hundreds of thousands of bogus blogs, exploiting the "long tail" of search results and isolated from Google's auto-detection of malware sites by a shifting network of redirectors. The fake blog posts are innocuous when visited directly, but make aggressive attempts to install a fake Windows anti-virus tool (which is actually a Trojan horse) if clicked through from Google. Other search engines do not index the bogus sites. The Unmask Parasites site has a detailed two-part analysis of the badware operation, which puts some numbers on its scope: almost 688,000 bogus scareware blogs can be located in Google; some of them have upwards of 1000 posts. This analysis also reveals that a large majority of the sites hacked to host fake blogs are on the network of Servage.net. From the second Unmask Parasites link: "What we have here is millions of rogue web pages targeting the long tail of web search (millions of keywords) where each page tries to install fake (and malicious) "anti-virus" software on visitors' computers. While this black-hat campaign is active for at least 6 months, webmasters of the compromised sites and their hosting providers don't simply notice this illicit activity. The good news is Google seems to have noticed this problem. Probably thanks to the Cyveillance blog post. During the week after that post I see a steady decrease in search results returned by the queries that you can find in this post."

Yet Another Reason

[causality]

to use anti-tracking measures. For example, the HTTP Referrer sent by my browser always gives the site its own homepage no matter what the actual referrer would have been. I use several other measures as well (such as redirect removers) because Web sites are on a need-to-know basis and I don't recognize their need to know where I've been or how I got to their page. If I visited such a blog from Google, the blog site would not know it and it would look to the site like I just went directly to its page. I use Linux but if I were using a Windows system vulnerable to these exploits, I still would not receive the exploits. There are already abundant reasons not to give away your usage data to anyone who wants it; this just provides one more.

Re:Yet Another Reason

[farlukar]

With the web developer toolbar you can disable referrers.

Re:Yet Another Reason

[causality]

Please, explain. Is this a FF addon, a custom browser, or what? 'cuz AC wants it.

I use Firefox on Linux with several addons. For the HTTP Referrer, I use an addon called RefControl. I have it set to fake the referrer by default. So if I do a Google search and from the search results decide to click on http://www.someblog.com/blogs/page.html, the Web server does not receive a google.com referrer. The referrer it receives is http://www.someblog.com/. The only exceptions are certain Web sites I do business with, because this fake-referrer behavior can break some shopping carts. That particular add-on lets you specifically exempt certain sites and only those sites.

In addition to that, I use Adblock Plus with the Element Hiding Helper and the Easyprivacy+Easylist subscription. I also use NoScript and that alone takes care of many Javascript tricks that redirect or obfuscate the actual destination of a link. I also disable so-called "HTTP PING", which can be done in Firefox under "about:config". My /etc/hosts file is 1.5MB, all of which blocks various ad servers by directing them to localhost. My machine will not accept any references to Google Analytics or various other analytics/tracking services. As a side-effect, all of this makes pages load much faster.

When I use Google or any other search engine, all of the links in the results go directly to the actual site. It is not redirected in any way. Therefore even Google does not know which link I clicked, or whether I clicked any at all. With the measures I mentioned above, the site I visit has no idea that I got there from Google. It looks to the site like I just opened a new browser window and directly typed its URL into the Address bar no matter how I actually got there.

I've always felt that if your business model relies on getting information about me against my will, then your business model deserves to fail. I'll add too that the actual security issue is the vulnerability of Windows browsers to what the summary describes as "aggressive attempts to install" these fake anti-virus programs. The measures I describe above do not provide real computer security -- they provide human privacy. In this case, however, they make it much harder for the sites in question to target you because their "targeting data" is based on first compromising your privacy.

Re:Yet Another Reason

[causality]

For example, the HTTP Referrer sent by my browser always gives the site its own homepage no matter what the actual referrer would have been

Want that. Is that a released add-on or did you just patch and recompile the source?

I use the FireFox addon RefControl to handle the HTTP Referrer.

Re:Yet Another Reason

[Tim+C]

the actual security issue is the vulnerability of Windows browsers to what the summary describes as "aggressive attempts to install" these fake anti-virus programs

There's no vulnerability in the browser, the issue is that the site displays fake warning messages, tricking the user into downloading and installing their malware.

Re:Yet Another Reason

[causality]

the actual security issue is the vulnerability of Windows browsers to what the summary describes as "aggressive attempts to install" these fake anti-virus programs

There's no vulnerability in the browser, the issue is that the site displays fake warning messages, tricking the user into downloading and installing their malware.

I re-read the article and you are absolutely right about this. Thank you for correcting me. This apparently is a social engineering attack and is not the "drive-by download" attempt that I assumed.

From the article:

These site (they act only as redirectors) immediately redirect people further to acual scareware sites (e.g. antivir3 .com, antimalware-3 .com, cyber-scan008.com etc.) which perform a fake test and make people think that their computers are infected (Displaying Windows interface even for Linux and Mac users ;-)). Pretty much the same as what I described a year ago. Just slightly improved interface (the fake warning window is now draggable!). Don’t be fooled.

Playing a little "devil's advocate", I suppose the case could be made that browser windows created by remotely originating Javascript should not be able to create windows that look like locally created warnings. Perhaps the windows Javascript can create should be marked in some way to make it obvious that it's the result of a Web site. Then you would end up with a warning to the effect of "Your system is infected with a virus, oh noes!" with an immutable titlebar that says "This window created by the Web site example.com" which should make the warning less convincing.

I call that devil's advocate because I don't believe these problems will ever really go away until and unless the average user gets a clue. Titlebars on windows that label the origins of the windows are nice and consistent with full disclosure, but they are no substitute for user education.

I think it should be explained to average users sort of like this: "there is and for some time has been a class of user that is easily exploited by all the latest scams, adware, and spyware. That class represents the lowest common denominator of user expertise and are targeted because they are the low-hanging fruit, the easiest to fool. The only choice in the matter available to you is whether you will be a member of that class. Your membership in that class is entirely voluntary because no one forces you to remain ignorant or to use what you do not understand. Do you still think that informing yourself, achieving a basic level of competency, and maybe reading a book or two is 'only for experts' or otherwise is such an unreasonable burden?"

The way I see it, you pay one way or the other. You pay with a little of your time and effort to understand the tools you use each day, how they are supposed to work, and this naturally includes an ability to understand how someone might attempt to use them against you. If you are unwilling to pay that way, then you pay in the form of higher exposure and greater vulnerability to all kinds of malware and scams and other attacks that have become so commonplace today. The attempts to deny the reality of this situation all have one thing in common: they depend on pretending that the individual user is not making a choice when they allow themselves to remain ignorant in the face of abundant information. In other words, they falsely advocate the essential helpless victimhood of people who are not helpless and could choose differently.

The way I view things, the scammers are just attaching a higher price tag to the poor decision-making that is already systemic in our society. For example, people who accept car loans with a duration of 60 months (and sometimes more) are doing the same thing financially. They look at only the monthly payment and do not account for the total amount that they will end up paying, nor do they account

Re:Yet Another Reason

[nabsltd]

Playing a little "devil's advocate", I suppose the case could be made that browser windows created by remotely originating Javascript should not be able to create windows that look like locally created warnings. Perhaps the windows Javascript can create should be marked in some way to make it obvious that it's the result of a Web site.

This is a good idea, but unfortunately dynamic HTML allows the creation of "windows" within the browser, and there really is no way to limit this without seriously destroying page layout.

Sure, these moveable HTML elements are confined to the browser window, but I think that somebody who would believe that a web site has "scanned" a D:\ drive that doesn't exist and found malware wouldn't notice that a window wasn't "outside" the browser.

Re:Yet Another Reason

[causality]

When I use Google or any other search engine, all of the links in the results go directly to the actual site. It is not redirected in any way. Therefore even Google does not know which link I clicked, or whether I clicked any at all. With the measures I mentioned above, the site I visit has no idea that I got there from Google. It looks to the site like I just opened a new browser window and directly typed its URL into the Address bar no matter how I actually got there.

I was wondering how you manage this? Google search results all output a google-based url that then redirects . The printed URL is often truncated, so you can't go to it automatically.

Try turning off Javascript. Or in my case, leave Javascript turned on and use NoScript. I personally add all Google domains to the "untrusted" list of Noscript. For me, there are no redirects of any sort. I get the direct URLs. I can copy-and-paste them into a new tab and it's a direct link straight to the site with no evidence that it came from a Google search. Of course, not using Google's Javascript means that my statusbar is honest about where the link goes, so there's no need to do all of that just to see that there is no redirection taking place.

Removing the redirection alone is half of it. Combining that with spoofing the HTTP Referrer guarantees that the site I visit has no idea how I got there or where I was previously. You should also disallow so-called HTTP Ping because that's just a substitute for redirection and serves the same purpose.

While their search works perfectly for me, successfully doing this may mean not using Gmail or other (non-search-related) Google services. I say that because I imagine you must accept Javascript and probably also cookies from Google in order to use Gmail. Incidentally, I don't accept their cookies either.

On this Linux system, I run my own local SMTP server. I use Fetchmail to (periodically, automatically) grab e-mails from my POP3 mailbox as provided by my ISP. Those are forwarded to the SMTP server on localhost. That server processes them through Spamassassin before depositing the e-mails into my user's mbox-style mail directory. I then use a local POP3 server to serve those processed e-mails to any standard e-mail client. In my case, I use Thunderbird because it can use the Spamassassin data as input to its own spam filtering.

I know that sounds a bit complex but once set up, it just works. I simply fire up Thunderbird like anyone else might do and have no need to concern myself with the chain of events. This provides me with excellent spam filtering and the ability to use Thunderbird's rules to automatically sort my e-mail into convenient folders based on criteria. All of this occurs locally and is fully within my control. None of it requires me to allow Google or anyone else to datamine my e-mail. The only network traffic involved is between Fetchmail and my ISP's mail server; everything else listens on localhost. With a setup like this, I have never felt a need to use Gmail or any similar service -- why would I use those and accept the compromises involved when I can do it myself the way I want? So for me, it's quite easy to just blanket deny all Javascript and all cookies from Google. For people who use many of their services, this probably won't be the case.

Long Tail

[Kolargol00]

The "long tail of search" TFA is referring to is explained in this Wired article and on its author's blog.

Bogus blogs and duplicate newsfeeds

[HockeyPuck]

Speaking of bogus blogs... What really ticks me off is if I'm searching for a answer to a technical problem, I often find the same message thread on 10 different sites. I wish google would realize these are all the exact same thread and combine them into a single response.

Re:Bogus blogs and duplicate newsfeeds

[causality]

Speaking of bogus blogs... What really ticks me off is if I'm searching for a answer to a technical problem, I often find the same message thread on 10 different sites. I wish google would realize these are all the exact same thread and combine them into a single response.

No joke. You omitted one part, however. You'll find the same message thread on 10 or more different sites, true. The part I would add is that in each instance, someone is asking the question but no one has responded with a meaningful answer. Sometimes I have better luck excluding terms like "archive" and "mailing list" from the search results.

I forgot their name but there is a company or two that I would describe as parasites. They try hard to have high visibility in search results when it comes to someone asking questions. When you click the link, however, you find that they want you to pay a fee to see the answer. Usually this is for basic technical support information that is not secret or otherwise proprietary in any way. I bet they had to work really hard to craft their pages in such a way that the Google summary gives no indication that it's a for-pay site. It makes me wonder if they are subsidized in some way or whether enough people really do pay them enough money to stay in business on their own.

Re:Bogus blogs and duplicate newsfeeds

[Tanktalus]

• 75% "naked horny asian gay teen donkey"

Great. And now those people will be redirected here. On one hand, it is like cleaning up the internet. On the other hand, you'll get all those pervs to come here and leave comments, drastically reducing the signal-to-noise ratio to basically zer... er, nevermind. Carry on.

Re:Bogus blogs and duplicate newsfeeds

For experts-exchange, the answers are at the bottom of the page. Just scroll ALL the way down. Really, try it.

Re:Badware?

[Monkeedude1212]

A surprisingly large amount of people couldn't make the link between Malware and Malicious software.

And an even larger amount of people didn't know what Malicious meant. *facepalm*

Re:Badware?

[thijsh]

Good idea to dumb it down... most of my family or collegues will stop understanding and thus really listening when they hear words like malware. When you want to educate people be prepared to explain it in a simple way they understand, it will save you work later.
And when you start to lose them just tell them "the evil hackers will plunder their bank account", this will give you about 3 minutes extra attention span. ;)

First good thing about the work firewall then

[mikael_j]

This could possibly be the only time one of the retarded things our company-wide firewall did turns out to be right, it strips all referrer headers from HTTP traffic (which has caused me endless pain since some of my work involves said headers).

Of course, it still blocks all "application/---" MIME types which makes no sense and has caused even more issues (apparently anything with a MIME type that starts with application/ is a dangerous executable and must be blocked).

/Mikael

Economic and Political Solutions?

[2PAIRofACES]

I get what these extortion-ware programs are. I've removed a few from my various relatives windows machines with malwarebytes and 1 other program (it's funny how no 1 program seems to be able to remove these vicious buggers). What I don't understand is how these a$$holes are getting their money. So the last time it happened to my uncle I told him to pay. He paid with a visa, waited a week and disputed the charge. It took him a few weeks, but finally got the chargeback, which I'm sure cost the a$$holes some of their own cash. Of course, during this period of time, the "anti-virus 2009" wasn't actually removed, but was weakened enough for my uncle to hop on the net and download his own malwarebytes and clean his system up. From now on, every time a relative gets this or one of its bastard brothers, I'm advising a "pay now and charge-back a week later" approach. I hope it catches on and the credit card companies, whose love of money has thus far blinded them to the illegal extortion scheme they've been aiding, decides it just isn't profitable to keep moving money for the a$$holes.

Which brings me to my second point. I have a 5 year old son. I explained in simple terms, without analogy what the a$$holes are doing, and HE grasped that it was wrong, so why haven't our law enforcement official done so? I assume without knowing that most of the a$$holes are foreign nationals. FOLLOW THE DAMN MONEY. I can hire a P.I. for $250 who could tell me where the money is going. When the money get's where it's going, have our LEO on the phone with the local LEO and, just a name off the top of my head Hillary Clinton on 3-way, and a DEMAND that whoever got the money start talking. If Hillary can't be bothered, fire the bitch and get someone who can spare 20 minutes to help thousands maybe hundreds of thousands of their countrymen not be extorted. Rinse, repeat as necessary until we get to the BIG CHEESE. Don't extradite, let them be tried wherever they're found, preferably with charges that translate to "screwing with our government's aid deals with the U.S. (there aren't THAT many countries the U.S. isn't funneling money, or at LEAST food too).

Functionally, there isn't much difference between these programs and foreign nationals walking into grandma's house and ripping her computer out and refusing to hand it back without $30. If we can't fix such an obvious problem economically, or politically, then we are left with a 3'rd option. Find them and take them out with drones. I'm not even remotely kidding. I hope it doesn't come to it, but how many of us would bat an eye if it did?

Re:Economic and Political Solutions?

[cdrguru]

The problem with the "follow the money" is that nobody with any means to do anything cares. Let's say you track the money to some Netherlands bank and find the guys running it. Local law enforcement, acting on your behalf, says "Gee, American sucker lost money. So what?"

UK, Ireland and Australia might care. Most other places you would need to hire a local lawyer and sue them in local court because local law enforcement just isn't interested. And if you get into places like Romania or Bulgaria you find out that ripping off Americans is legal there.

There just isn't any amount of weight someone in the US can bring down internationally to make local law enforcement do anything about this. No amount of diplomatic pressure is going to be enough, because it is going to come down very simply to being too trivial for diplomats to deal with.

Besides, this isn't happening "in the real world" at all - it is happening on the Internet. Even in the US "the Internet" gets lots of special treatment and enforcement of simple things. Stuff that would result in jail time off the Internet results in nothing at all when the same thing is done involving the Internet.

Interesting timing

[wwphx]

I've had probably 50 people try to register on my message board in the last couple of weeks, mainly from RIPE in Amsterdam and LACNIC in Montevideo. I've considered banning RIPE's IP addresses entirely. The ones that I have approved have been posting your typical porn and Viagra links, I'm not sure if this is exactly the same as I won't follow their liniks to see if it's to blog posts.

I wasn't sure if there'd been a compromise for SMF boards or if there's a list of low-activity boards that spammers share where my site got listed recently and thus people are trying to post there or what, but I've had to turn on administrator-approval of all memberships, which really ticks me off. I'm thinking about reinstalling my board to change the directory but haven't had time to mess with it.

Re:Badware?

[jDeepbeep]

When did the word badware appear? Is it because some people couldn't cope with Malware?

It's not badware. It's goodware-challenged.

Bing!

[blackfrancis75]

Those guys at Bing have been busy.
(I know the trojan targets Windows - I say it's a hit they were willing to take)

I noticed

[HangingChad]

One of my sites got hacked, along with a bunch of others on Inmotion Hosting. Inmotion tried to claim the user client machines were compromised and all the hacks were just FTP connections, but I don't believe that. It could have been related to an older version of phpbb I was running, but it didn't originate with my desktop.

The hack added thousands of links to almost every html file in the site, pages and pages of links, and set up rogue directories packed with thousands of html pages (2,147 in one directory). Took me days to clean all that crap out. What was amazing was the sheer scope. Thousands of websites all around the world compromised within a few days of one another and massive cross-linking network set up. It would take a big team to do that legally.

It's hard to blame Google for an organization going to that much trouble to game the system. I thought I ran a pretty secure site and it's hard to blame the host.

Here's the head scratcher for me. These people obviously have a very broad base of technical skill and resources. Imagine if they applied that talent to something legal. What's the payoff for all the trouble of building the link network? Do they make more doing this than setting up something legal?

+INFINITY

[mosel-saar-ruwer]

This is possibly the best post that has ever been made at /.

I have been wanting the ability to mask HTTP REFERRER [sic sic] since practically Day One of getting on the WWW [and certainly since the first time I ever put a sniffer on the network stack and saw all the personal information that was being given away to God-only-knows whom].

It's hard to believe that it's taken us almost two decades to be able to surmount the single most egregious mistake that Tim Berners-Lee made in designing [or mis-designing] the web.

Filtering out the bottom-feeders.

[Animats]

The big search engines remain too "soft" on bottom-feeders. Google once took a harder line. In 2004 and 2005, Google sponsored the Web Spam Summit. Then they had a down quarter and turned to the dark side. Since then, from 2006 to 2009, they've sponsored the Search Engine Strategies conference, the web spammer's convention.

Google has to do this to remain profitable. 35% of AdWords advertisers, by domain, are "bottom-feeders" - sites with no identifiable legitimate business behind them. A significant portion of Google's revenue comes from those bottom-feeders, and the AdWords ads on their sites. If Google filtered out all spam blogs, their revenue would decline.

We, of course, run SiteTruth, as a demo to show that search can have less evil. Try putting some of those "bad" sites into SiteTruth and see how it rates them.

(We get some whining, of course. "I wanna run ads on my blog and I don't wanna say who I am." Tough. You're operating a business, and businesses, by law, don't get to be anonymous. Even in the EU. Deal with it.)

Re:Ho Hum

[dskzero]

News would be that no one takes time to complain about windows whenever some new vulnerability is discovered. I'm willing to be that if any one linux distribution was used as much as windows, the story would be different.