
Last week, Sunbelt's security blog warned us that thousands of malware redirects were showing up in search engine results. Botnets were posting relevant keywords and links in online forms to help attackers achieve top rank engine positions for various obscure and innocent search terms.
Two examples were "infinity" and "hospice". Visiting these links would potentially infect your PC with malware and additionally join in the botnet army.
The day after, Sunbelt revealed more details on the repercussions of clicking on these fake links.
From Forbes.com:
For its part, Mountain View, Calif.-based Google was quick to scrub its search results following Sunbelt's blog post. Google removed the offending pages from the search engine's index Tuesday and added them to a malware blacklist that the company has been assembling since it began incorporating security measures in its search filters a year and a half ago.
But despite the initial cleanup, malware pages soon crept back into search results and had to be banned again, says Thomas. That's a sign that the malware writers may be an ongoing problem for the search engine. Google "did an excellent job of cleaning out the links to malware sites the night after we told them about it," Thomas says. "But by the next morning, bad guys had taken over again. Until they can tweak their algorithm to find this stuff effectively, it's going to be a continuing problem."
On the Google Security Blog, they are asking users to "Help us fill in the gaps!" by reporting malware sites online at http://www.google.com/safebrowsing/report_badware/. However, I'm skeptical about this making a difference. As for the culprits behind the SEO poisoning? Guess which three-letter acronym pops up?
Yes, RBN - Google Search Exploits:
The good news first is being able to precisely pinpoint the exploiters back to newer RBN core retail centers as previously exposed in this blog on Nov 8th 07 – i.e. iFramecash, myrdns, hostfresh, and AS 27595 i.e. Atrivo, Intercage, Inhoster. Also as reported this is the same end route as the Bank of India hack, fake anti-spywares and fake codecs.
The bad news is, as predicted and one of the probable reasons for dropping their RBnetwork IP ranges, the RBN is increasingly using botnet based fast-flux techniques (see Wikipedia) to hide the initial delivery sites behind an ever-changing network of compromised hosts.
As always, take the necessary precautions when surfing.
Security4all Blog