This Google Doodle featuring the Esperanto flag was exploited by scammers to spread malware, according to Barracuda Networks.
(Credit: Google)Online scammers are taking advantage of the public's interest in the Google Doodle to spread malware, a security firm warned on Tuesday.
In so-called "SEO poisoning," scammers use search engine optimization techniques to increase the distribution of malware. They create special malware-rigged Web sites or hide malware on legitimate Web sites they've compromised and then use tags associated with popular search terms to get them listed high up in search engine results.
Typically, scammers capitalize on public interest in news events or celebrities, targeting searches like "Swine Flu" or "Michael Jackson death." But in the latest twist on this technique, scammers are exploiting interest in the Google Doodle, the graphics that often take over the Google logo on holidays or to mark special events.
For instance, the doodle on Tuesday showed a flag for Esperanto, a universal language created by L.L. Zamenhof which is based on parts from a variety of languages. Clicking on the doodle, located near the search box, brings up a list of search terms for "L.L. Zamenhof."
Dave Michmerhuizen, a research scientist at Barracuda Networks, found 31 poisoned sites among the first 100 results, 27 of them in the first 50 sites alone.
On the first results page was a link leading to a compromised Web site that redirects visitors to a fake antivirus site, according to Michmerhuizen. That site displays a fake alert saying the computer might be infected and does a fake scan before prompting the user to pay for antivirus software, he said.
A Google spokesperson said the company had already removed many of the allegedly malicious sites from the index using manual and automated processes to enforce the policies.
"As you probably know, the use of popular search terms to target malware is neither a new vector nor unique to any particular search engine. We work hard to protect our users from malware, and using any Google product to serve malware is a violation of our product policies," the spokesperson said in an e-mail.
"Our Safe Browsing technology is capable of detecting malware being served from sites that have been compromised," the Google e-mail said. "In fact, as we've explained publicly, we have been seeing more infections coming from compromised sites" across the entire Web.
The compromised site on the Google Doodle-related search results page leads to a site selling fake anti-virus.
(Credit: Barracuda Networks)Researchers have discovered another feature of the Conficker worm that provides an additional clue about the intent of the creators--the worm installs malware that masquerades as antivirus software, Trend Micro said on Friday.
The worm, which has infected millions of Windows-based computers on the Internet, is downloading a program called Spyware Protect 2009 and displaying warning messages saying that the computer is infected and offering to clean it up for $49.95, according to the Trend Micro blog.
If you see this pop-up message, chances are your computer is infected with Conficker. The latest feature of the widespread worm is that it installs fake antivirus software on infected machines.
(Credit: Trend Micro)The infection alerts repeatedly appear and experts are worried that people may be clicking on them and paying for the software just to be rid of the annoying messages, thereby handing thieves their credit card information.
The fake antivirus program also attempts to install a Trojan downloader that is programmed to download new versions of Spyware Protect 2009, according to Kasperky Lab's blog. However, the domain the Trojan downloader was being accessed from has been shut down, the blog said.
The fake antivirus feature further bolsters the speculation that the motivation behind the worm is to make money and not a desire to disrupt computer or network operations.
Researchers were still analyzing new component code of the worm that began being spread via peer-to-peer and being downloaded off domains that host the Waledec worm on Wednesday but were finding the task difficult because the instructions are encrypted.
The worm spreads via a hole in Windows that Microsoft patched in October, as well as through removable storage devices and network shares with weak passwords. The worm disables security software and blocks access to security Web sites.
Despite all the news the worm has made, many computers still remain unpatched, Sophos said. Of the number of people who have used Sophos' free endpoint assessment test to check the security risk of a network since the beginning of the year, 11 percent did not have the Microsoft patch installed, according to Graham Cluley's blog at Sophos.
For the month of March, 10 percent of all of the people who used the Sophos assessment tool were missing the patch, he said. The company did not divulge exactly how many people had used the tool and Cluley said the statistics cannot be extrapolated to represent the number of unpatched systems on the Internet.
In an indication of infection rates, IBM's Internet Security Systems group released statistics that show that the number of unique IPs infected with Conficker.C is increasing slightly.
Based on infections seen through monitoring devices in its IBM ISS' Managed Security Services, the number has grown from just over 64,000 on April 2 to more than 71,000 on April 8, according to the unit's Frequency X blog.
"We've seen around 11 percent more unique IPs in the past few days in comparison to a week ago," the blog said, also adding that the number doesn't necessarily indicate the scope of worldwide Conficker infection.
Nearly 60 percent of the infections monitored by IBM ISS are in Asia, followed by 18 percent each in Europe and South America, and 4 percent in North America, the statistics show. By country, China leads with 16.6 percent, followed by Brazil at 10.8 percent, Russia at 10.2 percent and Korea at 4.6 percent, according to ISS.
To check if your computer is infected you can use this Conficker Eye Chart or this site at the University of Bonn. There is also a Conficker removal guide on CNET's Download.com site.
- prev
- 1
- next
