FYI...

- http://preview.tinyurl.com/2db83x
November 27, 2007 (Computerworld) - "A large-scale, coordinated campaign to steer users toward malware-spewing Web sites from Google search results is under way, security researchers said today. Users searching Google with any of hundreds of legitimate phrases -- from the technical "how to cisco router vpn dial in" to the heart-tugging "how to teach a dog to play fetch" -- will see links near the top of the results listings that lead directly to malicious sites hosting a mountain of malware. "This is huge," said Alex Eckelberry, Sunbelt Software's CEO. "So far we've found 27 different domains, each with up to 1,499 [malicious] pages. That's 40,000 possible pages." Those pages have had their Google ranking boosted by crooked tactics that include "comment spam" and "blog spam," where bots inundate the comment areas of sites with links or mass large numbers of them as bogus blog posts. Attackers may be using bots to plug links into any Web form that requests a URL, added Sunbelt malware researcher Adam Thomas. There's no evidence that the criminals bought Google search keywords, however, nor that they've compromised legitimate sites. Instead, they've gamed Google's ranking system and registered their own sites... One site that Thomas encountered tried to install more than 25 separate pieces of malware, including numerous Trojan horses, a spam bot, a full-blown rootkit, and a pair of password stealers. All the malicious code pitched at users is well-known to security vendors, and can only exploit PCs that aren't up-to-date on their patches... Sunbelt's company blog sports screen shots* of several Google search results lists, with malware-infecting sites identified, as well as images of the bogus codec installation dialogs and the code of one of the malicious IFRAMEs."
* http://sunbeltblog.blogspot.com/2007/11/breaking-massive-amounts-of-malware.html

Update:

- http://preview.tinyurl.com/2db83x
"...Users searching Google, Yahoo, Microsoft Live Search and other engines with any of hundreds of legitimate phrases -- from the technical "how to cisco router vpn dial in" to the heart-tugging "how to teach a dog to play fetch" -- will see links near the top of the results listings that lead directly to malicious sites hosting a mountain of malware..."

Will using Siteadvisor alert users to these malicious sites?

true..

Best to make sure that EVERYTHING is up to date.

Thanks, mechBgon. WOW! Over 6 weeks! I'm glad that I don't depend on it too much.

FYI...

SEO poisoning targeted at Google
- http://sunbeltblog.blogspot.com/2007/11/more-on-massive-seo-poisoning-it-was.html
November 28, 2007 - "As a follow-up to our recent posts*, here’s some additional information. First, we can ring the all-clear bell. Google took action on these domains and you won’t find them anymore in Google (see Java script at URL above)... So. if you use search terms like “inurl” and “site”, you won’t see these malware pages in your results. Clever, since that’s one way for malware researchers to find stuff... And, it only cares if you’re coming from Google..."
* http://sunbeltblog.blogspot.com/2007/11/malware-redirects-aftermath_27.html

> http://isc.sans.org/diary.html?storyid=3700
Last Updated: 2007-11-28 21:07:34 UTC ...(Version: 3) - "UPDATE: Google for one has cleaned up their database. They are currently no longer returning these .cn pages for the queries affected."

Well, hopefully their secret feeds eventually tip them off that IEDefender shouldn't get a green checkmark I could go back through my SA post history and pull up more doozies. I also have observed that the bad guys cycle through new bad IPs and domains fast enough that SA seems unable to react. When dean, myself and Patrick Jordan combined cannot get a site rated RED... well, whatever.

The nature of the Google malware threat being discussed here seems likely to be one of those quickly-shifting targets that SiteAdvisor will not be effective against. That's my prediction, and I guess time will tell whether it's accurate. Just glancing at my last SA reports... point in case.

mechBgon, 9/9 @ 893, 12th worldwide (reputation)... declined the t-shirt

Ongoing...

- http://isc.sans.org/diary.html?storyid=3700
Last Updated: 2007-11-28 23:06:30 UTC ...(Version: 4)
"UPDATE: Live Search has submitted the changes necessary to yank these URLs from the database."

Good news = Google has filtered out these malicious sites from it's indexes
Bad news = These malicious sites are still out there on the Internet

Google fixes Malicious redirects to malware sites from it's search results

The malicious redirecting sites are still present and folks need to be cautious at all times. The improved filtering should help reduce the likelihood of hostile sites being returned on the 1st few pages of a search.

Google expunges malware sites from search results
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9049 820

There is a problem with the link above. It should be:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9049820

I have have spoken too soon, as a new batch of .cn sites are starting to show up, according to Sunbelt ...

Internet Search poisoning - 2nd wave could be on the way?

Sunbelt is reporting new seedings for the .cn domain (China) oriented websites in Google (and this could possibly show up in other search engines). The sites are not launching exploit attacks yet, but this could change.

What to avoid: Avoid unusual sites with random letter/number combos, numerical IP addresses, and sites which end in a domain name of "cn" from Internet searches.

HEADS UP: More Google poisoning on the way?
http://sunbeltblog.blogspot.com/2007/11/heads-up-more-google-poisoning-on-way.html

FYI...

- http://preview.tinyurl.com/3cgt5k
November 30, 2007 (Computerworld) - "Google is asking everyday Web surfers to help with its efforts to stamp out malicious Web sites. The company has created an online form designed to make it easy for people to report sites they suspect of hosting malicious code. It's the latest step by Google to expand its database of the bad Web sites it knows about, as those sites continue to proliferate. "Currently, we know of hundreds of thousands of Web sites that attempt to infect people's computers with malware. Unfortunately, we also know that there are more malware sites out there," Google's Ian Fette wrote in the company's security blog*..."
* http://googleonlinesecurity.blogspot.com/2007/11/help-us-fill-in-gaps.html

- http://msmvps.com/blogs/spywaresucks/archive/2007/11/30/1371503.aspx
November 30, 2007 - "...(Google) blog entry was published after Sunbelt reported the massive seeding of malicious web sites on Google (which were *not* flagged as dangerous), which was then cleaned up, and before it was reported that nonsense domains were reappearing in Google's search, albeit with (apparently) no malicious content (yet)... The innocent days of the Internet as a wonderous, safe place that all can visit, and learn, and teach and share and explore without fear is gone. The criminals have taken that dream away from us. That is the reality..."