Author Topic: Google Search Results Significantly Poisoned  (Read 9225 times)


November 18, 2009, 11:38:32 am

SysAdMini

http://www.cyveillanceblog.com/general-cyberintel/malware-google-search-results

Quote
Cyveillance has discovered a complex attack vector that uses Google search results to distribute malicious software (malware) to unsuspecting Internet users. Using this attack vector, users click on links within Google search results and are routed to sites that attempt to download malware to their computers. The attack method also relies on inattentive webmasters who do not update the software on their sites and often unknowingly provide the material that appears in the search results.



Quote
As can be seen in the image above, more than 260,000 URLs are presented in Google’s search index leading to blogs similar to the ones illustrated in our example.
Ruining the bad guy's day

November 18, 2009, 03:12:07 pm
Reply #1

leegraves

Our Threat Prevention Team found an almost identical attack dating back to September. There are likely well over 800,000 URLs involved in this scheme according to current Google search results. We've issued a new report on the eSoft ThreatCenter blog below.
 
http://threatcenter.blogspot.com/2009/11/blackhats-unleash-another-fake-blog.html



November 23, 2009, 09:43:39 am
Reply #2

cleanmx

hi @all

edit 16:51 cet: i only found 53 unique malicious urls

original post:

searching for:
Code:
http://www.google.de/search?hl=de&source=hp&q=allinurl:albums/bsblog/category&btnG=Google-Suche&meta=&aq=f&oq=
reveals:
Code:
280.000 für allinurl:albums/bsblog/category
but if you try to cycle through the results, you will only get a few; google only displays 5 result pages, resulting in these:

also doing this search with curl:
Code:
<?php
// Google AJAX Search API endpoint with the URL-encoded allinurl: query
$url = "http://ajax.googleapis.com/ajax/services/search/web?v=1.0&q=allinurl%3Aalbums%2Fbsblog%2Fcategory";
$key = "my api key";
$url .= "&num=100&key=$key";
// sendRequest
// note how referer is set manually
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_REFERER, "http://my referer");
$body = curl_exec($ch);
curl_close($ch);

// now, process the JSON string
$json = json_decode($body);
print_r($json);

this search results in 2 !!!!!!!!!!!!!!!!!!

Code:
stdClass Object
(
    [responseData] => stdClass Object
        (
            [results] => Array
                (
                    [0] => stdClass Object
                        (
                            [GsearchResultClass] => GwebSearch
                            [unescapedUrl] => http://www.xn--schang-ptz-heb.de/bilder/albums/bsblog/category/nice/
                            [url] => http://www.xn--schang-ptz-heb.de/bilder/albums/bsblog/category/nice/
                            [visibleUrl] => www.xn--schang-ptz-heb.de
                            [cacheUrl] => http://www.google.com/search?q=cache:cD1vpmD6uvIJ:www.xn--schang-ptz-heb.de
                            [title] => Pascual Yehieli
                            [titleNoFormatting] => Pascual Yehieli
                            [content] => nice,. Published on: 10.10.2009 07:17 &middot; home hud las vegas. home hud las vegas.   nice,. Published on: 07.10.2009 03:03 &middot; pictures of the model jessica biel <b>...</b>
                        )

                    [1] => stdClass Object
                        (
                            [GsearchResultClass] => GwebSearch
                            [unescapedUrl] => http://www.xn--schang-ptz-heb.de/bilder/albums/bsblog/category/old/
                            [url] => http://www.xn--schang-ptz-heb.de/bilder/albums/bsblog/category/old/
                            [visibleUrl] => www.xn--schang-ptz-heb.de
                            [cacheUrl] => http://www.google.com/search?q=cache:a1KjLAhqMFMJ:www.xn--schang-ptz-heb.de
                            [title] => Pascual Yehieli
                            [titleNoFormatting] => Pascual Yehieli
                            [content] => coooooool (28); pictures (33); sex (28); old (3); lol (37); funny (40); wow (19)  ; HAHAHAHAHAH (36); super (20); cool (26); free (25); naked (2); pics (27) <b>...</b>
                        )

                )

            [cursor] => stdClass Object
                (
                    [pages] => Array
                        (
                            [0] => stdClass Object
                                (
                                    [start] => 0
                                    [label] => 1
                                )

                        )

                    [estimatedResultCount] => 2
                    [currentPageIndex] => 0
                    [moreResultsUrl] => http://www.google.com/search?oe=utf8&ie=utf8&source=uds&start=0&hl=en&q=allinurl%3Aalbums%2Fbsblog%2Fcategory
                )

        )

    [responseDetails] =>
    [responseStatus] => 200
)


this is totally weird... any clue?

-- gerhard
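
An added example, not part of the original thread: the URLs discussed here share the path segment `albums/bsblog/`, so a webmaster can check their own access log for requests under it that the server actually served, and see how many arrived from Google results. The log lines, paths and function names are constructed for illustration, and the Google-referer match is a rough heuristic.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Path segment shared by the URLs discussed in this thread.
MARKER = re.compile(r"/albums/bsblog/", re.IGNORECASE)
# Apache/nginx "combined" access-log format.
LOG_LINE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
# Rough heuristic for a Google referer (google.de, www.google.com, google.co.uk).
GOOGLE_HOST = re.compile(r"^(?:www\.)?google\.[a-z]{2,3}(?:\.[a-z]{2})?$")


def from_google(referer):
    host = (urlsplit(referer).hostname or "").lower()
    return bool(GOOGLE_HOST.match(host))


def scan(lines):
    """Map gallery root -> (served hits under albums/bsblog/, hits referred by Google)."""
    hits, via_search = Counter(), Counter()
    for line in lines:
        m = LOG_LINE.match(line.strip())
        marker = m and MARKER.search(m["path"])
        if not marker or m["status"][0] not in "23":
            continue  # unrelated request, or not served (e.g. 404)
        root = m["path"][:marker.start()] or "/"
        hits[root] += 1
        via_search[root] += from_google(m["referer"])
    return {root: (n, via_search[root]) for root, n in hits.items()}


# Constructed sample log lines (documentation addresses, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Nov/2009:11:40:01 +0100] "GET /gallery/albums/bsblog/category/nice/ HTTP/1.1" '
    '200 5120 "http://www.google.de/search?q=example" "Mozilla/5.0"',
    '192.0.2.10 - - [18/Nov/2009:11:40:02 +0100] "GET /gallery/albums/bsblog/css.js HTTP/1.1" '
    '200 812 "http://www.example.org/gallery/albums/bsblog/category/nice/" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Nov/2009:11:41:10 +0100] "GET /gallery/albums/userpics/10001/photo.jpg HTTP/1.1" '
    '200 40211 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [18/Nov/2009:11:42:30 +0100] "GET /albums/bsblog/css.js HTTP/1.1" '
    '404 209 "-" "curl/7.19"',
]

if __name__ == "__main__":
    for root, (served, searched) in scan(SAMPLE_LOG).items():
        print(f"{root}: {served} served, {searched} via Google results")
```

A gallery root that appears in the result means the server returned content from under `albums/bsblog/`, so that directory on disk is the place to inspect.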