Google in the cross-wires: cyber gangs infect search results
Malware authors use Google to smuggle in malware
For the last few days, G Data has been noticing a large-scale attack on users of the Google search engine. The procedure followed by the perpetrators is exceedingly cunning: entering certain search requests leads to results with manipulated links. If the surfer clicks on one of these, malicious code is then injected, unbeknown to the user, from the website that is called up, and this code initiates various camouflage manoeuvres. Thus some surfers receive a video codec, while others are offered purported virus protection programs. According to the research of the G Data Security Labs, the malware server is currently located in India. The current wave of attacks is primarily focused on users who are searching the Internet for sites with pornographic content. However, G Data estimates that this could soon change. The next to find themselves in the cross-wires could be sports fans, car enthusiasts or job-searchers.
Ralf Benzmüller, manager of G Data Security Labs: "During the last few days we have noticed a marked increase in dangerous Google search results. Quite possibly it is not only German-speaking offshoots of Google that are affected. Nearly 10 percent of incoming danger alarms currently relate directly or indirectly to manipulated Google search results. With the current wave of attacks, all that is needed is one false click for a surfer to fall into the trap. Only if the HTTP data is checked before display by the browser is the PC protected."
Procedure used by the perpetrators
The attackers try to smuggle in malicious code by replacing text with hexadecimal numbers. The browser can still process the code without any trouble, but for people and search engines it is illegible. This procedure means the attackers can slip under the Google filters. The hexadecimal code contains hidden HTML code, which is embedded in the result web page. This is referred to as cross-site scripting. If a Google user clicks on the search result, the desired website opens, but supplemented by a script from an Indian domain. Apparently Google uses the injected content in its search term evaluation. The attackers place the manipulated links in blogs, forums and hacked websites and thus achieve a good rating for the desired search terms. To give an example, it appears that a little-used site of an American university was manipulated so that certain search terms appear right at the top of the search engine results.
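A defender-side check for the technique described above, as an added example that is not G Data's code: it percent-decodes each link parameter and reports parameters whose hex escapes hide HTML tags, together with any external script host. The tag list, function names, domains and sample link are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Markup that has no business inside a link's query parameters.
TAG_RE = re.compile(r"<\s*(script|iframe|object|embed)\b", re.I)
SRC_RE = re.compile(r"""src\s*=\s*["']?\s*(?:https?:)?//([^/"'\s>]+)""", re.I)
HEX_RE = re.compile(r"%[0-9a-fA-F]{2}")

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly, because escapes can be nested (%253C -> %3C -> <)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_link(url):
    """Return one finding per query parameter whose hex escapes hide HTML tags."""
    parts = urlsplit(url)
    page_host = (parts.hostname or "").lower()
    findings = []
    # Split the raw query by hand so the hex escapes are still visible.
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        if not HEX_RE.search(raw):
            continue
        decoded = decode_fully(raw.replace("+", " "))
        tags = sorted({t.lower() for t in TAG_RE.findall(decoded)})
        if not tags:
            continue
        hosts = [h.lower() for h in SRC_RE.findall(decoded)]
        findings.append({"param": unquote(name), "tags": tags, "decoded": decoded,
                         "foreign_hosts": [h for h in hosts if h != page_host]})
    return findings

def hex_escape(text):
    # Helper for the constructed test input only: every byte written as %xx.
    return "".join("%%%02x" % b for b in text.encode("utf-8"))

# Constructed sample link (reserved example domains, not taken from the attack).
SAMPLE_LINK = "http://www.example.edu/search?q=" + hex_escape(
    '"><script src="http://js.example.net/a.js"></script>')

if __name__ == "__main__":
    for finding in inspect_link(SAMPLE_LINK):
        print(finding["param"], finding["tags"], finding["foreign_hosts"])
```

A web proxy or log review can apply the same check to outgoing link clicks; an ordinary search such as `q=video%20codec` produces no finding.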
Screenshot 1: injected malware 
The script code downloaded from the Indian website is likewise highly disguised. The resultant web page is not statically produced by this procedure; rather, there is a range of different infection scams. In tests, the experts at G Data Security Labs came up against infected Flash files, apparent video codecs and counterfeit antivirus software. However, the various scams all had the same result: they ended up downloading the same malware file.
Example of a manipulated website
Protective measures:
G Data customers were protected against this threat right from the start. The Bochum security experts recommend that, in order to arm themselves against similar attacks, all Internet users should:
1. always keep their virus protection and operating system up to date
2. ensure that web content is checked by the virus protection software, before it reaches the browser
3. deactivate JavaScript in the browser (e.g. with NoScript in Firefox)
4. not surf with administrator rights.
Contact Germany
G DATA Software AG
Königsallee 178b
D-44799 Bochum
Contact person:
Phone: +49-234-9762-239
E-Mail: presse@gdata.de
© 2007 - 2010 G Data Software AG. All rights reserved
