The Google variable

Drive-by downloads became increasingly common in 2008. With webmasters becoming more aware of security issues, the criminals out there are always looking for new techniques to ensure that their malware survives longer.

And what could be easier than to use Google? Everybody does – so why shouldn’t virus writers? Recently we’ve been seeing attacks which work in the following way.

  • The malware writers start by doing Google searches to identify popular websites.
  • The most popular sites thrown up by each search are then ‘pen-tested’ for vulnerabilities.
  • The most vulnerable websites are then compromised. In order to cover their tracks, the malware writers aren’t adding code to these compromised pages in the form of new files or even obfuscated code. Instead, they’re simply modifying scripts that are already running on the compromised pages. In this particular case, the new parameters added to the existing script include the following function: (–referer=http://www.google.com/).

This function checks where the visitor to the infected page has come from. If it’s from a link in a Google search, the visitor is automatically redirected through a series of malicious websites – ones that have nothing to do with the original site. The result: an infected computer.

Interestingly enough, the redirect doesn’t work if you simply type in the name of an infected website. None of the injected script functions will run – all you see is the page that you wanted. This helps prevent webmasters, employees and regular visitors to the site from suspecting infection, while the criminals still achieve their goals:

  • infecting numerous people
  • hiding the malicious script from the webmaster to ensure a longer life for the malware.

So this type of attack doesn’t just harm users; it can also lead to innocuous websites getting denylisted by security products.
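Because the injected script only fires for visitors arriving from a search engine, a webmaster who loads the page directly sees nothing wrong. The check below is an added example (not code from the original post): it fetches a URL once with no Referer and once per search-engine referer, and reports any difference in final URL, status or inline scripts. The fetcher is injected so the check can run offline against a constructed stand-in; the `SEARCH_REFERERS` list and the `cloak-check` user agent are assumptions.

```python
"""Detect referer-conditional redirects of the kind described above."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumed referers a search-engine visitor would carry (Google, Yahoo!, MSN).
SEARCH_REFERERS = ["http://www.google.com/", "http://search.yahoo.com/",
                   "http://search.msn.com/"]

@dataclass
class Response:
    status: int
    final_url: str   # URL after any redirects were followed
    body: str

Fetcher = Callable[[str, Optional[str]], Response]
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

def script_fingerprint(body: str) -> List[str]:
    """Inline script bodies, so a modified script shows up as a difference."""
    return [s.strip() for s in SCRIPT_RE.findall(body)]

def check_cloaking(url: str, fetch: Fetcher,
                   referers=SEARCH_REFERERS) -> Dict[str, List[str]]:
    """Map each referer that changes the page's behaviour to what changed."""
    baseline = fetch(url, None)            # what the webmaster sees
    findings: Dict[str, List[str]] = {}
    for ref in referers:
        r = fetch(url, ref)                # what a search visitor sees
        diffs = []
        if r.final_url != baseline.final_url:
            diffs.append(f"redirect to {r.final_url}")
        if r.status != baseline.status:
            diffs.append(f"status {baseline.status}->{r.status}")
        if script_fingerprint(r.body) != script_fingerprint(baseline.body):
            diffs.append("inline scripts differ")
        if diffs:
            findings[ref] = diffs
    return findings

def urllib_fetch(url: str, referer: Optional[str]) -> Response:
    """Real fetcher for use against a live site (not exercised offline)."""
    import urllib.request
    headers = {"User-Agent": "cloak-check/1.0"}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return Response(resp.status, resp.geturl(),
                        resp.read().decode("utf-8", "replace"))

# Constructed offline stand-in mimicking the behaviour the post describes:
# normal content for direct visits, a redirect only when Google is the referer.
def _constructed_fetch(url: str, referer: Optional[str]) -> Response:
    if referer and referer.startswith("http://www.google.com/"):
        return Response(302, "http://redirect-target.example/", "")
    return Response(200, url, "<html><script>var x = 1;</script></html>")
```

Run `check_cloaking("http://your-site.example/", urllib_fetch)` against a site you administer; an empty result means direct and search-engine visitors are served the same page.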

Incidentally, it’s not just websites which have been optimized to achieve high search rankings that are being used; the criminals are also targeting some security sites. For instance, there’s been a lot of talk about fake antivirus solutions such as Antivirus XP. If you’re using Google to try and find information about this, the search results will come up with a lot of different pages – the only problem is, if you click through to a site from the Google results list, the modified script on the hacked security server will execute Antivirus 2010 on your machine.

Compromising websites optimized for search engine success and infecting users through a series of malicious re-directs is bound to be a popular attack vector in 2009 and will undoubtedly cause webmasters new headaches.

This case just goes to show that nothing on the Internet is as safe as it might seem. And it’s not just Google that’s affected – I tested this attack scenario using Yahoo! and MSN, and the results were the same. We detect the malware used in the case detailed above as Trojan-Downloader.Win32.Fraudload.vffa, and we’re bound to see more variants of it, so make sure you keep your antivirus software up to date!
