CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
May 15th, 2009

Web Infection Manipulates Google Search Results And Builds A Botnet

A compromise that is moving virally across websites is making unwitting people who surf to them part of a botnet that redirects Google search results, a security researcher has warned.

During the past week, the number of websites identified as infected has almost tripled, according to researcher Mary Landesman of real-time malware scanning specialist ScanSafe, which has been tracking the attacks since March. Normally, web compromises die out after a few weeks, as search engines and anti-virus programs grow wise to them. But that’s not happening this time.

“The growth rate is very unusual for this type of compromise, and the fact that it’s escalating so quickly is what has us concerned,” Landesman told The Reg.

The exploit code is unique for every website, making it impossible to identify a compromised site until someone has accidentally surfed there. It uses obfuscated JavaScript, burrowed deep into a website’s source code, to exploit unpatched vulnerabilities in a visitor’s Adobe Flash and Reader programs. Victims then join a botnet that manipulates their Google search results.

The malware also sifts through a victim’s computer in search of FTP credentials that can be used to infect still more websites with the malicious JavaScript. The combination of its stealth and its ability to find new websites is allowing the infection to grow virally, Landesman said.

The goal of the malware appears to be to siphon dollars away from Google’s highly profitable advertising franchises. By injecting ads and links into certain searches, it shows infected users results that differ from what they would otherwise see.

The longevity of the mass compromise speaks to the resourcefulness of the attackers. When they first set out, they dropped static attack code into PHP, HTML and other scripts of infected websites, but in time, website owners learned how to detect and remove the infection. The miscreants soon started a second wave of attacks that installed dynamically generated malware on infected sites as soon as the static script was removed.

The source of the latest JavaScript is gumblar.cn, which has a Moscow IP address whose reverse DNS record points to ukservers.com. The injected scripts used in the gumblar.cn attacks appear to be dynamically obfuscated and thus may vary from site to site and even among pages on the same site.

The first portion of the script looks for a particular cookie and then tries to determine what scripting engine is being used. Based on those results, the script will then write out either a working or a non-working source reference. The attackers appear to be targeting Internet Explorer users by this process. The reason for the targeting is unclear because the exploits used to deliver the malware involve Adobe PDF and Adobe Flash (SWF) vulnerabilities which aren’t browser dependent.

The gumblar.cn compromise may also be accompanied by malicious iframes that load exploits and malware from domains hosted at 213.182.197.23, including liteautotop.cn, bigtruckstopseek.cn, autobestwestern.cn and several others. Both the 94.247.2.195 and 213.182.197.23 addresses are hosted in Latvia, whereas the gumblar.cn domain has a Moscow IP that reverses to ukservers.com. Coincidentally, the malware loaded in the most recent round of attacks results in the installation of a backdoor that attempts to communicate with a botnet command & control server located at 78.109.29.112, a bot C&C with past ties to malware engaged in forcible redirects.
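The last three paragraphs give a site owner something concrete to look for: script and iframe references to the named hosts and addresses, plus inline script that is obfuscated differently on every page. The scanner below is an added example written for this page, not code from the article, The Register or ScanSafe. It walks a web root and flags `script`/`iframe` tags whose `src` points at the hosts and IP addresses the article names, inline script blocks carrying generic obfuscation markers (`eval`/`document.write` over `unescape`, long percent- or hex-escaped runs, long `String.fromCharCode` lists), and zero-size iframes. The obfuscation and zero-size-iframe heuristics are assumptions of this example, not signatures taken from the article, and the two sample pages embedded in it are constructed.

```python
import re
import sys
from pathlib import Path

# Hosts and addresses named in the article for the gumblar.cn wave.
IOC_HOSTS = {"gumblar.cn", "liteautotop.cn", "bigtruckstopseek.cn", "autobestwestern.cn"}
IOC_IPS = {"94.247.2.195", "213.182.197.23", "78.109.29.112"}

# Generic obfuscation markers. Assumption of this example: these are common in
# injected, dynamically generated script and are not campaign-specific signatures.
OBFUSCATION_PATTERNS = [
    re.compile(r"eval\s*\(\s*unescape\s*\(", re.I),
    re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
    re.compile(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){15,}", re.I),
    re.compile(r"(?:%[0-9a-f]{2}){20,}", re.I),      # long percent-encoded run
    re.compile(r"(?:\\x[0-9a-f]{2}){20,}", re.I),     # long hex-escape run
]

SRC_ATTR = re.compile(r"""<(script|iframe)\b[^>]*?(?<![\w-])src\s*=\s*["']?([^"'\s>]+)""", re.I)
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Assumption of this example: a 0-width or 0-height iframe is worth a look.
ZERO_SIZE_IFRAME = re.compile(r"""<iframe\b[^>]*\b(?:width|height)\s*=\s*["']?0\b""", re.I)


def host_of(url):
    """Return the host part of a src value (handles scheme://, //host and host:port)."""
    stripped = re.sub(r"^(?:[a-z][a-z0-9+.-]*:)?//", "", url, flags=re.I)
    return stripped.split("/")[0].split(":")[0].lower()


def scan_html(html):
    """Return a list of (reason, evidence) findings for one HTML/PHP/JS document."""
    findings = []
    for tag, src in SRC_ATTR.findall(html):
        host = host_of(src)
        if host in IOC_HOSTS or host in IOC_IPS:
            findings.append((f"{tag.lower()} src references known indicator", src))
    for body in SCRIPT_BLOCK.findall(html):
        if any(p.search(body) for p in OBFUSCATION_PATTERNS):
            findings.append(("obfuscated inline script", body.strip()[:60]))
    for m in ZERO_SIZE_IFRAME.finditer(html):
        findings.append(("zero-size iframe", m.group(0)[:60]))
    return findings


def scan_tree(root, suffixes=(".html", ".htm", ".php", ".js")):
    """Scan every file under root with one of the given suffixes; map path -> findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_html(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample pages (not real captures) so the scanner runs offline.
SAMPLE_CLEAN = """<html><body><p>Welcome</p>
<script src="/js/app.js"></script>
<iframe src="https://www.example.com/embed" width="300" height="200"></iframe>
</body></html>"""

SAMPLE_INFECTED = """<html><body><p>Welcome</p>
<script src="http://gumblar.cn/rss/?id=1"></script>
<iframe src="http://liteautotop.cn/in.php" width=0 height=0></iframe>
<script>document.write(unescape('%3C%62%3E%68%69%64%64%65%6E%3C%2F%62%3E'))</script>
</body></html>"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python scan_injected.py /var/www/html
        for path, hits in scan_tree(sys.argv[1]).items():
            for reason, evidence in hits:
                print(f"{path}: {reason}: {evidence}")
    else:
        for reason, evidence in scan_html(SAMPLE_INFECTED):
            print(f"{reason}: {evidence}")
```

Because the injected code differs from site to site, the host list only catches this campaign's known infrastructure; the heuristics are what catch variants, and they will also fire on legitimately minified or packed scripts, so treat hits as items to review rather than auto-delete. Since the article notes the malware harvests FTP credentials from infected visitors, cleaning the files alone is not enough: the FTP credentials used to maintain the site should be changed at the same time, or the injection simply returns.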

Credit: The Register
Credit: ScanSafe.com STAT Blog
