[Intrusions] Google security concern?

James C Slora Jr Jim.Slora at phra.com
Tue Dec 28 17:58:05 GMT 2004

Empty Floatbag wrote Monday, December 27, 2004 13:52

> Has anyone else noticed that some seemingly "normal"
> searches on Google return completely unrelated sites which 
> attempt to compromise a system through the browser?  
It's an old game, and is very common. Every search engine has its scoring
criteria - advertisers learn what works for each engine, and they do
whatever it takes to bring their clients' sites to the top. What works for
legitimate advertisers works for the adware and malware people, too.

I always caution people to do a reality check on any search engine hits,
rather than trusting the links. Search results are barely safer than links
in unsolicited email.

Search engines can't recognize every piece of potentially hostile code on
pages they index, even if this were part of their mission. Plus once a page
is indexed, search engines cannot prevent the site's contents from changing
to hostile code. Google and other search engines do try to keep the junk out
of their results, but they have a never-ending challenge in doing this.
Every search method has its strengths and weaknesses, so similar problems
will always be with us to some extent.

You asked about caching. I believe that any page can control whether or not
it is cached in Google - a lot of pages seem to prevent caching in order to
make sure users get fresh content. Again, what works for legitimate purposes
can also be abused.

The problem you reported is one of my most common incident generators. Users
do a search and click on whatever they find, thinking it must be safe and
relevant. They are conditioned against popups and spam, but too often have
blind trust in search results.

Top enemies for us:
1. Hostile ads on legitimate ad servers
2. Legitimate sites with additional hostile intent (adware on sites that
draw users)
3. Gamed search engine hits
4. Legitimate sites that have been hacked
5. Email with hostile links

These few things cover pretty much all the non-viral, non-network malware we
encounter. We see a lot of overlap between these categories. The most common
payload is a download trojan that usually installs adware. Sometimes there
are attempts to install botnets and other kinds of trojans. These vehicles
have a much higher infection success rate against us than worms, skiddies,
and botnet attacks - because they spread through end user content that we
allow into our network by design. We do many things to mitigate these
threats, but none is 100% effective.

Search engine hits are an obvious enabler for most of the other types of
threats on our list. I venture to guess that click rates on gamed search
results are thousands of times better than click rates on spam.

This stuff is pretty mainstream - presumably because it generates revenue.
Over the past year, I've found several adware packages promoting what would
normally be considered legitimate businesses. It's hard to know whether
these businesses knew that they were buying into the hostile software
market, or if they thought they were just buying legitimate advertising.

More information about the Intrusions mailing list