ErikAlbert Warnings : 3 Captain

 Joined: Jan 20, 2005 Posts: 424
tembow
Blue Angel Premium Member
 Joined: Oct 10, 2005 Posts: 2933
AplusWebMaster
General

 Joined: Mar 14, 2004 Posts: 4807 Location: USA
Posted: Mon Dec 03, 2007 5:49 pm
FYI...
Malware Exploiting Death of Zoey Zane
- http://sunbeltblog.blogspot.com/2007/12/malware-exploiting-death-of-zoey-zane.html
December 03, 2007- "From the sicko department . . . We have received multiple public reports of attackers using the recent murder of 18 year old college student Emily Sander (AKA "Zoey Zane" in the adult film industry world) as a lure to install malware.
From about.com:
'Dental records have confirmed that a body found near a Kansas highway is missing community college student and Internet porn star Emily Sander, authorities said. An autopsy has been completed, but the results have been sealed and are not available to the media . . . After Sander disappeared, it was discovered that the 18-year-old college student led a double life as "Zoey Zane," a character she played on Internet porn sites.'
Attackers have obtained very good search engine position when looking for information about “Zoey Zane”, and users may be lured into installing an “ActiveX upgrade” or “Flash Player” upgrade in order to view a video. In actuality, this “ActiveX video decoder” or “Flash Player Upgrade” is a Trojan that installs a Browser Helper Object (BHO) which produces fake pop-up messages and modifies search engine results in an attempt to install the Rogue Software IE Defender..."
(Screenshots available at the URL above.)
 _________________ AplusWebMaster
~ Are you up to date or vulnerable to Hackers? ...or both?
.
mechBgon
Lieutenant

Joined: May 13, 2007 Posts: 216
AplusWebMaster
General

 Joined: Mar 14, 2004 Posts: 4807 Location: USA
Posted: Wed Dec 19, 2007 4:29 pm
FYI...
- http://www.reuters.com/article/technologyNews/idUSL191003420071219
Dec 19, 2007 - "Advertisements placed by Google in Web pages are being hijacked by so-called trojan software that replaces the intended text with ads from a different provider, Romanian antivirus company BitDefender says*. The trojan redirects queries meant to be sent to Google servers to a rogue server, which displays ads from a third party instead of ads from Google, BitDefender said in a statement... Google said on Wednesday: "We have cancelled customer accounts that display ads redirecting users to malicious sites or that advertise a product violating our software principles." "We actively work to detect and remove sites that serve malware in both our ad network and in our search results. We have manual and automated processes in place to detect and enforce these policies." The trojan, named after the mythic Trojan Horse because of its ability to enter computer systems undetected, attacks Google's AdSense service, which targets advertisements to match Web page content..."
* http://preview.tinyurl.com/2jp2k9
December 18, 2007 (Bitdefender) - "...The modified file contains a line redirecting the host "page2.googlesyndication.com" which should point to an IP of the form 6x.xxx.xxx.xxx to a different address, of the form 9x.xxx.xxx.xxx, so that the infected machines' browsers read ads from server at the replacement address rather than from Google..."
 _________________ AplusWebMaster
~ Are you up to date or vulnerable to Hackers? ...or both?
.
tembow
Blue Angel Premium Member
 Joined: Oct 10, 2005 Posts: 2933
Posted: Thu Dec 20, 2007 11:25 pm
Quote: "Do you know if they're planning to make any improvements in reaction time? I'm in a holding pattern; it seems like my efforts have been mostly fruitless because I'm focusing on threats whose lifecycles are shorter than SA's reaction time. It's a lot of hours to invest in that work if it's not going to actually help anyone."
If you are interested in a mechanised SA review posting system, PM me.
AplusWebMaster
General

 Joined: Mar 14, 2004 Posts: 4807 Location: USA
Posted: Fri Dec 21, 2007 11:30 am
More detail on the trojan-hijacker found at Google:
"...TECHNICAL DESCRIPTION:
Google Adsense is a service offered by Google which places advertisements in web pages. The advertisements are targeted (meaning that they are in concordance with the topic of the webpage), making them more effective..."
- http://www.bitdefender.com/VIRUS-1000239-en--Trojan.Qhost.WU.html
Discovered: 2007 Dec 17 - "...SYMPTOMS:
* The pages which normally contain advertisement from Google either don't display the advertisement or display advertisement from an other source (not Google)
* The "hosts" file used to provide a local storage for domain name / IP mappings contains a line redirecting the host "page2.googlesyndication.com"
To check if you are affected, you should issue the following command (from the command line or from Start -> Run):
ping -t pagead2.googlesyndication.com
The response should look similar to this:
Pinging pagead.l.google.com [6x.xxx.xxx.xxx] with 32 bytes of data:
where the x's represent digits. If you are not infected, the first digit will be a 6 (as in the example). If you are infected, the first digit will be a 9..."
. _________________ AplusWebMaster
~ Are you up to date or vulnerable to Hackers? ...or both?
.
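An added example, not part of the original post or of Bitdefender's write-up: a Python check for the hosts-file symptom quoted above, which reports any line that pins a googlesyndication.com host to a fixed address. The sample file, the placeholder address 203.0.113.10 and the suffix match on the whole domain are assumptions; on Windows the real file is %SystemRoot%\System32\drivers\etc\hosts.

```python
import ipaddress

# Assumption: watch the whole googlesyndication.com zone, since the quoted
# advisory names the redirected host under that domain.
WATCHED = ("googlesyndication.com",)

# Constructed sample; 203.0.113.10 is a documentation-range placeholder,
# not the address used by the trojan (the page masks it as 9x.xxx.xxx.xxx).
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1      localhost
203.0.113.10   pagead2.googlesyndication.com   # injected mapping
0.0.0.0        ads.example.test
127.0.0.1      PAGEAD2.GoogleSyndication.com.
192.0.2.7      notgooglesyndication.com
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostnames) for every well-formed mapping line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # strip comments, tokenize
        if len(fields) < 2:
            continue                               # blank or comment-only
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # first field is not an IP
        yield line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]

def find_overrides(text, watched=WATCHED):
    """Return (line_no, host, ip, kind) for watched hosts pinned in the file."""
    findings = []
    for line_no, ip, hosts in parse_hosts(text):
        for host in hosts:
            if any(host == d or host.endswith("." + d) for d in watched):
                # Loopback / 0.0.0.0 entries are usually ad-block sinkholes;
                # any other address sends the browser to a different server.
                sink = ip.is_loopback or ip.is_unspecified
                findings.append((line_no, host, str(ip),
                                 "sinkhole" if sink else "redirect"))
    return findings

if __name__ == "__main__":
    for line_no, host, ip, kind in find_overrides(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip} [{kind}]")
```

To check a live machine, read the real hosts file and pass its contents to find_overrides; a "redirect" finding is the condition the advisory describes.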
AplusWebMaster
General

 Joined: Mar 14, 2004 Posts: 4807 Location: USA
Posted: Thu Dec 27, 2007 1:23 am
FYI...
Fake codecs on Blogger
- http://sunbeltblog.blogspot.com/2007/12/fake-codecs-on-blogger.html
December 26, 2007 - "Fake codec trojans (so-called “required” components to watch a video, but in fact are malicious trojans) are a plague on the Internet. We’ve written about them extensively. Often, they are seen in porn sites. However, by doing a few simple searches today, we can see that they’re available to those simply doing American football pools, checking bank hours or searching for New Year’s eve clipart. All of these are taking advantage of the free Blogger service... these sites are pushing real trojans. Please don’t go there if unless you know what you’re doing... I wouldn't put this in the same league as the massive Google poisoning we saw last month. That was an epic attack, using exploits and all kinds of nasty tricks. However, this is something to be aware of, and hopefully the good folks at Google will take them down lickety-split..."
(Screenshots available at the URL above.)
 _________________ AplusWebMaster
~ Are you up to date or vulnerable to Hackers? ...or both?
.
AplusWebMaster
General

 Joined: Mar 14, 2004 Posts: 4807 Location: USA
Posted: Fri Dec 28, 2007 12:34 pm
FYI...
Malicious Code: Attackers Exploiting News of Benazir Bhutto Assassination
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=834
December 27, 2007 - "Websense Security Labs has discovered malicious Web sites attempting to capitalize on the breaking news of the assassination of Benazir Bhutto. These sites attempt to infect users seeking more information about the event. This activity is similar to past news events, where attackers used malicious sites containing information about the event to infect visitors. In this case, the first infected site found by Websense Security Labs was the second result in a Google search using a generic and simple keyword. Therefore, the site likely to receive large amounts of traffic. Clicking on the link in the search results did not trigger a warning from Google that the site may be malicious..."
(Screenshot available at the URL above.)
- http://blog.trendmicro.com/bhutto-assassination-javascripted/
December 27, 2007 - "...one of the sites in question indeed has an embedded malicious JavaScript redirect..."
 _________________ AplusWebMaster
~ Are you up to date or vulnerable to Hackers? ...or both?
.
AplusWebMaster
General

 Joined: Mar 14, 2004 Posts: 4807 Location: USA
Posted: Sat Jan 26, 2008 1:37 pm
FYI...
Attackers Abuse Google Blogger
Blogger is flooded with phony blogs – including some that inject malware
- http://www.darkreading.com/document.asp?doc_id=144171&print=true
JANUARY 25, 2008 - "Hackers are currently littering Google's Blogger site with phony blogs -- some containing malware, pornographic images, or pure spam. "Google Blogger is being used as a malware delivery mechanism," says Ken Steinberg, CTO and president of Savant Protection, who discovered the attack while working on his own blog this morning. The attackers apparently are automatically generating the blogs with scripts. The blogs come with nonsensical names and content that's obviously been generated using English-compliant engines and keyword focuses, he says. "They've upped the game. Mostly [blog attacks] have been through comments or postings," he says. Steinberg noted that some of the fake blogs were using malware-insertion techniques: "One of the more common ways of inserting malware is using overflow techniques found in movie [viewers]... When you click through a few of these blogs, up pops images set to auto-load -- some are images, some are movies" that can infect a visitor with malware, he says. Google says it's investigating the event..."
 _________________ AplusWebMaster
~ Are you up to date or vulnerable to Hackers? ...or both?
.
AplusWebMaster
General

 Joined: Mar 14, 2004 Posts: 4807 Location: USA
Posted: Sat Jan 26, 2008 5:58 pm
More detail... second source:
- http://preview.tinyurl.com/2v59aq
January 25, 2008 (Computerworld) - "...The spammers have borrowed other malware techniques, too. Just as some recent attacks have been launched using frequently changing JavaScript, the redirect code placed on the Google Pages or on blogs may fluctuate depending on the originating spam message. The scams are also using fast-flux techniques to rapidly change the resolving destinations of the links.."
 _________________ AplusWebMaster
~ Are you up to date or vulnerable to Hackers? ...or both?
.
AplusWebMaster
General

 Joined: Mar 14, 2004 Posts: 4807 Location: USA
Posted: Mon Jan 28, 2008 2:21 pm
FYI...
- http://blog.trendmicro.com/seo-manipulation-begins-for-super-bowl-malware-campaign/
January 24, 2008 - "Cyber criminals who took advantage of Hollywood actor Heath Ledger’s death* are at it again, this time attempting to lure unsuspecting Super Bowl fans. When users search for “Superbowl,” Google search results turn up the following (links to malware)... what’s interesting in this case is that the malicious URLs are once again found in the servers of the Czech hosting provider believed to be hacked. Our analysts have been in contact with CERT CZ and the Czech hosting provider but the malicious codes are still present as of this writing..."
* http://blog.trendmicro.com/compromised-sites-heath-it-up/
(Screenshots available at both URLs above.)
 _________________ AplusWebMaster
~ Are you up to date or vulnerable to Hackers? ...or both?
.
BobJam
Trooper

 Joined: Jan 16, 2008 Posts: 11 Location: Arizona, USA
Posted: Mon Jan 28, 2008 4:02 pm
In my experience, newbies are the ones that are the most vulnerable to these Google search result exploits.
For experienced users, Site Advisor (though not perfect) and the caution gained from experience is usually enough to avoid these malware links.
But for newbies that may decide to search for a solution to some problem, in addition to trusting Site Advisor too much (if they even use it), they often are enticed by the link titles. For example, a lot of newbies look for Registry Cleaners, thinking that these things will solve their problems.
<digression> Registry Cleaners are one of the most dangerous things for a newbie to try. Many of them create more problems than they are advertised to solve. Even an experienced user needs to exercise caution when using a legitimate Registry Cleaner. I don't use them myself. Anyway, Registry Cleaners are in abundance on the Internet. On another forum I visit (TSG), there are a lot of questions by newbies about "which is the best Registry Cleaner". Experienced users on that forum almost always respond "Stay away from Registry Cleaners unless you know what you're doing". <end digression>
Registry Cleaners, in my example, are one of the most common Google links that may harbor malicious code. Newbies are particularly attracted to them because they see the word "FREE".
And of course, there's the porn sites that offer to download fake ActiveX codecs to view a video. I'm not saying newbies are the most likely group to visit porn sites, but they are frequently disguised. For example, a newbie wanting to visit the WhiteHouse web site, may click on the Google link "Whitehouse.com". As I'm sure most of you know, the real Whitehouse web site is "Whitehouse.gov", and "Whitehouse.com" is a porn site. That's an example of a simple exploit of domain names that a newbie may not know.
So, IMHO, these malicious Google links attract mostly newbies. Shame on you if you are an experienced user and click on one.
(Off topic comment: I didn't change the font size midway through my post, nor did I bold code the first "I", and it didn't appear that way in the preview, but it comes up that way on the final submittal. Is there something wrong with the board software?? Or is it something I'm doing wrong??) _________________ BJ
Use the most powerful Anti-Virus available - "Common Sense". It can be upgraded daily!
HP Pavilion ze4700 (laptop)
AMD Athlon XP-M 2500+ 1.8GHz
512MB RAM
XP HE SP2
IE7
120GB HDD
AplusWebMaster
General

 Joined: Mar 14, 2004 Posts: 4807 Location: USA
Posted: Mon Jan 28, 2008 4:23 pm
Er, it appears you missed the reason for the reference post... we "more experienced" folks always avoid clicking on (what should be) the legitimate results of a search. You're kidding, right?
 _________________ AplusWebMaster
~ Are you up to date or vulnerable to Hackers? ...or both?
.
BobJam
Trooper

 Joined: Jan 16, 2008 Posts: 11 Location: Arizona, USA
Posted: Mon Jan 28, 2008 4:33 pm
Huh????
Don't understand your comment . . . guess I'm just dense this morning, but can you clarify?? _________________ BJ
Use the most powerful Anti-Virus available - "Common Sense". It can be upgraded daily!
HP Pavilion ze4700 (laptop)
AMD Athlon XP-M 2500+ 1.8GHz
512MB RAM
XP HE SP2
IE7
120GB HDD