[Intrusions] Google security concern?

Barnett, Ryan C. (EDS) Ryan.Barnett at atf.gov
Tue Dec 28 16:34:46 GMT 2004


Patrick,
This seems to be yet another way in which phishers/spammers/malware
folks are getting clients to visit their sites.  There could be
multiple reasons for this tactic -

1) Click-thru/banner/visitor revenues
2) Sell their product
3) Compromise the client to install some backdoor app (as you
suggested in your email with the browser exploits)

There have been many reports which have indicated that
phishers are installing backdoor apps on client machines for use
by spammers/virus writers, etc... to funnel their future attacks
through them.  They are essentially using the infected clients as a
zombie army.  Check out some of the advisories at LURHQ -
http://www.lurhq.com/advisories.html

As to Google's part in this - you are correct in asking some of
these questions.  I do not know the exact details for how Google
ranks sites, however you may be onto something with regards to the
intentional mis-spellings as that would bump them up to the top of
the list.

Here is some info on Google's Cache feature -
http://www.google.com/help/features.html#cached

Basically it states that if there is no cached link, then they
either have not indexed the site (which is not the case with your
links since they returned results) or the site owners have
requested that Google not cache the data.  This seems most probable
as they would want people to visit their site directly, get
infected and then the owners would have an IP list of infected
clients.

Hope this info helps.

Ryan C. Barnett
SANS Instructor
GCIA, GCFA, GCIH, GCUX, GSEC
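A small triage check, added here as an example and not part of either message in the thread: the reply above speculates that the sites have asked Google not to cache them, and the usual way a page does that is a robots meta tag such as `<meta name="robots" content="noarchive">`. The script below inspects a saved copy of a page (two constructed sample documents are embedded; the `noarchive` mechanism is my assumption about what "requested that Google not cache" means) so an analyst can confirm that detail offline without visiting the site in a browser.

```python
"""Triage check: does a captured HTML page ask search engines not to cache it?

Added example for the thread above, standard library only. It looks for
robots meta tags (<meta name="robots" ...> or <meta name="googlebot" ...>)
and reports their directives, in particular "noarchive", which is the
assumed mechanism behind a result that has no "Cached" link.
"""
from html.parser import HTMLParser


class RobotsMetaParser(HTMLParser):
    """Collect the comma-separated directives from robots meta tags."""

    ROBOT_NAMES = {"robots", "googlebot"}

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        # HTMLParser routes self-closing <meta .../> tags here as well.
        if tag.lower() != "meta":
            return
        # Attribute values may be None for bare attributes; normalise to "".
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").lower() not in self.ROBOT_NAMES:
            return
        for token in attr.get("content", "").split(","):
            token = token.strip().lower()
            if token:
                self.directives.add(token)


def robots_directives(html):
    """Return the set of lower-cased robots directives found in the page."""
    parser = RobotsMetaParser()
    parser.feed(html)
    parser.close()
    return parser.directives


def opts_out_of_cache(html):
    """True when the page carries a noarchive directive."""
    return "noarchive" in robots_directives(html)


def triage(pages):
    """Map each saved page name to its directives and a cache opt-out flag.

    `pages` is a dict of name -> HTML text (e.g. files saved with wget/curl).
    """
    return {
        name: {"directives": sorted(robots_directives(html)),
               "noarchive": opts_out_of_cache(html)}
        for name, html in pages.items()
    }


# Constructed sample pages (not real sites from the thread).
SAMPLE_OPT_OUT = """<html><head>
<title>weight loss</title>
<meta name="ROBOTS" content="index, follow, NOARCHIVE"/>
</head><body><p>nothing to see</p></body></html>"""

SAMPLE_NORMAL = """<html><head><title>engine sensor</title>
<meta name="description" content="temperature sensor part numbers">
</head><body><p>parts list</p></body></html>"""


if __name__ == "__main__":
    for name, info in triage({"suspect.html": SAMPLE_OPT_OUT,
                              "normal.html": SAMPLE_NORMAL}).items():
        print(f"{name}: noarchive={info['noarchive']} "
              f"directives={info['directives']}")
```

Run it against pages saved with a non-browser fetch (curl or wget into a scratch directory) rather than by opening the results in a browser; a page that opts out of caching while matching none of the search terms is the combination the original poster describes, and it can be flagged without executing any of the page's content.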

> -----Original Message-----
> From: intrusions-bounces at lists.sans.org
> [mailto:intrusions-bounces at lists.sans.org]On Behalf Of Empty Floatbag
> Sent: Monday, December 27, 2004 1:52 PM
> To: intrusions at lists.sans.org
> Subject: [Intrusions] Google security concern?
> 
> 
> Has anyone else noticed that some seemingly "normal"
> searches on Google return completely unrelated sites
> which attempt to compromise a system through the
> browser?  
> 
> Some interesting issues:
> - the sites are VERY high in the result list
> - do not contain the content Google thinks they do
> - have been in existence less than 30 days
> - appear to be based in Russia/Ukraine
> 
> Try these searches for example (AT YOUR OWN RISK!):
> - adderall wieght loss [deliberately mis-spelled]
> - ford engine temperature sensor
> - accord cd player kit conversion
> - seroquel site
> 
> How did they get their sites ranked so high?  And why
> is there no cached content on Google?  And what is
> Google doing about this (sorta ruins the premise of a
> relativity-based search)?
> 
> TIA,
> Patrick
> 
> 