Google Trends Abused to Serve Malware

Wednesday, February 25, 2009 at 3:39pm by Craig Schmugar

The other day a worm, often referred to as “Error Check System”, was spreading on Facebook.  In fact, if you searched for information on this threat, your search results were poisoned to lead unsuspecting victims to a site that attempts to install a rogue anti-spyware Trojan.  Some folks blogged that this search connection was “too much of a coincidence”, and that the Facebook part of the threat was a “red herring”.  I do not believe this is the case, and here’s why.

Last week I was following up on a comment made to the McAfee Avert Labs blog.  The URL provided by the visitor (**********.******.bee.pl/waledac_botnet.html) redirected to another site that attempted to install the same trojan.  Running a search on part of that URL yielded hundreds of search results, many placed high up on Google’s results.  The summary text was relevant to the search term, and it’s clear that those behind the redirects are manipulating the search engine (Google): not only getting their newly created sites to appear high on the results page, but also getting relevant text to display in the page summary section, and doing so for the hottest terms.  Here’s one example, ironically related to the recent Gmail outage.


You’ll also notice that the page summary is identical to the top search result, taken from Google News.  Looking at more search results it is clear that the attackers are targeting popular search terms.

Other searches show the results using all-lowercase titles, the same as used by Google Trends.  In fact, checking some of the top Google Trends links we can see that the abusers are hitting it (ash wednesday 2009 was the #1 search term at the time of this writing; this image was edited to fit on the blog).

The notion of malware distributors abusing Google Trends is not new, and received some attention in October of last year.  However, I do not recall previous attacks being as aggressive as the current ones: distributed across numerous sites, targeting many high-profile search terms, and having the poisoned links regularly appearing high up in the result pages.

Once a user visits one of these poisoned links, the destination page references a script file (style.js), which is obfuscated.

Decoding the script shows that it redirects the user only when the referring URL contains one of “google”, “msn”, “yahoo”, “comcast” or “aol.com”.  This is just one of the many ways the bad guys focus their attacks on potential victims, while making it a tiny bit more difficult for others (crawlers, researchers, anyone arriving directly) to discover it.  Once you’re redirected, it’s situation normal for the attackers: various fake alert and scanning messages and windows appear, ultimately leading to the installation of a FakeAlert trojan (such as one of the 9,500+ known binaries identified by McAfee as FakeAlert-AB).
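Because the redirect only fires for visitors arriving from a search engine, a plain fetch of a poisoned page looks clean. The following is an added example (not code from this post or from McAfee) of the check a researcher can run instead: fetch the same URL under several Referer values and see whether the response changes. The HTTP layer is a constructed stand-in that mimics the referrer check decoded above, so the script runs offline; the URLs and the `rogue-av.invalid` redirect target are made up.

```python
"""Differential-fetch check for referrer-keyed cloaking (added example).

The network layer below is a constructed stand-in so this runs offline;
swap it for a real HTTP client to probe a suspect URL.
"""
from typing import Callable, Dict, List, Optional

# Referers the script in the post keys on, plus two neutral controls.
PROBE_REFERERS: List[Optional[str]] = [
    None,                                                   # direct visit
    "https://www.google.com/search?q=ash+wednesday+2009",
    "https://search.msn.com/results.aspx?q=gmail+outage",
    "https://search.yahoo.com/search?p=error+check+system",
    "https://www.comcast.net/",
    "https://search.aol.com/aol/search?q=facebook+worm",
    "https://example.org/unrelated-page",                   # non-search referer
]

# fetch(url, referer) -> {"status": ..., "location": ..., "body": ...}
Fetch = Callable[[str, Optional[str]], Dict[str, str]]


def probe_cloaking(url: str, fetch: Fetch) -> Dict[str, List[str]]:
    """Fetch `url` once per Referer; group referers by the response they got.

    One group means the page is consistent. Several groups mean the server
    answers differently depending on who sent the visitor, which is exactly
    the behaviour decoded from style.js in the post.
    """
    groups: Dict[str, List[str]] = {}
    for ref in PROBE_REFERERS:
        resp = fetch(url, ref)
        fingerprint = f"{resp['status']} {resp.get('location', '')} {resp['body'][:40]}"
        groups.setdefault(fingerprint, []).append(ref or "<none>")
    return groups


def is_cloaked(url: str, fetch: Fetch) -> bool:
    return len(probe_cloaking(url, fetch)) > 1


# Constructed stand-in for a poisoned page (no real site): it redirects only
# when the Referer names one of the search engines listed in the post.
_TRIGGERS = ("google", "msn", "yahoo", "comcast", "aol.com")


def fake_fetch(url: str, referer: Optional[str]) -> Dict[str, str]:
    if referer and any(t in referer for t in _TRIGGERS):
        return {"status": "302", "location": "http://rogue-av.invalid/scan", "body": ""}
    return {"status": "200", "body": "<html>ash wednesday 2009 ...</html>"}
```

A page that returns one group for every Referer may still be malicious, but two or more groups with the search-engine referers isolated in their own group is the cloaking signature worth escalating.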

If you made it down to the bottom of this blog, I probably don’t need to remind you to look carefully before you click, on the Web.

Comments (9)

  • Craig Schmugar August 26, 2009 10:29AM

    Dave,

    This blog is more about search engine abuse and less about social networks. The search results poisoning is addressed with domain and URL reputation products, while the destination of malicious links is covered by anti-virus and host & network intrusion prevention.

    As far as monitoring social networks, it depends on how heavy handed you want to be. Domain filtering and access controls is one option. AV and NIPS & HIPS is in scope for many attacks as well. DLP does play a role, but that’s more about outbound than inbound threats.

  • Dave August 18, 2009 9:35AM

    Craig,

    Nice blog. But what I want to know is what does McAfee plan to do to address this on the Enterprise level? To date it appears the only thing on the market for monitoring social networks are parental controls software on the desktop. What about an Enterprise solution? Does DLP address some of the concerns?

  • Tricnology March 26, 2009 5:58AM

    I guess I clicked on a link in a search and the malware 2009 appeared in my tray. I continued to close them by the x but somehow, it continues to appear. I went into add and remove, it uninstalled but not really. I went into my program files, it denies me access. I use Google for almost everything in my company as well and I have McAfee through Comcast. What should I be searching on, working on, and now how is it removed?

  • Philip Walsh March 4, 2009 3:39AM

    Because this IS a .exe file – it won’t affect my mac right?

  • Craig Schmugar March 2, 2009 8:17PM

    Anand,

    Google Trends wasn’t manipulated so much as Google’s page ranking. Once they were successful at manipulating the page ranking they then went after the most commonly searched terms.

    As for connecting the dots, there were a couple of elements that led to the conclusion.

    1) The high Google page ranking (which I did not observe with other search engines…the pages are there and indexed, but not placed as high).

    2) All the Titles were in lowercase, the same used by Google Trends; and correlating those titles against the Google Trends “Hot” lists.

    3) The duplicating of high-ranking content via Google News supported the idea that Google was the target.

    4) The fact that Google is the search king.

    5) The apparent lack of equivalent Trending functionality in the other search sites.

    Other points later supported the idea of Google Trends abuse, such as the stats I posted in my follow-up blog.

  • Anand March 2, 2009 7:40PM

    Quite interesting post, of course! I just was checking this out with all different possibilities I could think of. I noticed that the same results occur even when I use the other search engines – MSN, Yahoo. So, how did you conclude that the google trends were manipulated? – just curious to know…

  • Sean Sullivan February 26, 2009 2:32AM

    Very nice post Craig.

    Just one note: I blogged that it was “ALMOST too much of a coincidence”.

    I think we agree that there is no direct link between this particular Facebook app and search results.

    I just don’t rule it out completely.

    Regards,
    Sean

  • Craig Schmugar February 25, 2009 7:58PM

    Graham,

    The link has been updated. Thanks for catching it!

  • Graham Cluley, Sophos February 25, 2009 4:35PM

    Hey Craig. Nice blog entry – makes for interesting reading.

    Thought you’d like to know that the link about the “red herring” is broken (too many http:’s!!)

    It should be http://www.sophos.com/blogs/gc/g/2009/02/23/sting-tail-error-check-system-facebook-scare/

    Cheers
    Graham