Security Watch | Matt Hines » Video - How Google badware ads work

April 30, 2007 | Comments: (0)

Video - How Google badware ads work

Roger Thompson at Exploit Prevention Labs has posted some cool video footage on YouTube of the malware-laden ads his company recently discovered among the sponsored links served up with Google search results.

In the video, Thompson walks through the entire process by which the ads are found -- using a very common and straightforward search for innocuous terms on Google -- and how the attack works silently to infect end users' computers without giving them any easily noticeable evidence.

(One thing I forgot to mention in my story last week was that Google fails to provide a mouse-over function that allows users to look at the URLs of ad sites that appear as sponsored links, which could definitely help fight the problem -- as Thompson suggests in the video.)

If people are wondering how quickly and stealthily current malware distributors can work in delivering their payloads, the video serves as chilling evidence. Other than a momentary download pause and a lack of validation from a browser's URL-tracking features (hidden where most users never find them), the ads take people's browsers to the sites they originally intended to get to with no clues to the secret redirect and infection going on behind the scenes.

Smarttracker.org -- the Russian hacker group behind the attacks -- is a prime example of the type of outfit carrying out such effective campaigns, Thompson said. In his case the infected PCs got stuck with password-thieving malware, but it could work the same way for botnet programs, adware, or nearly anything else.

When I spoke with Thompson last week he admitted that it's hard to estimate just how many such threats are being carried out as Exploit was simply lucky enough that one of its customers clicked on one of the badware links and the company's LinkScanner software recognized the attack.

Thompson said the hackers responsible are also moving their attacks around the Web rapidly. Smarttracker.org was distributing threats less than two weeks after the domain was registered. Once the domain becomes less effective, Thompson said they'll likely just buy another.

Posted by Matt Hines on April 30, 2007 08:21 AM


  • COMMENTS




they say that it's better to have out of jail 100 guilty people than to imprison one innocent.

our site, www.gma-nitsa.gr, has been flagged as a badware source. we have checked and rechecked it. we have also opened a discussion in stopbadware.org group - http://groups.google.com/group/stopbadware/browse_thread/thread/097ace758f5607f3/13151903ffac1274#13151903ffac1274 . none can find any problems with our site.

but, after 2 requests for rescan, google insists that we are a badware source.

gma-nitsa.gr is a site dedicated to food recipes and techniques and is named after my grandmother's name, Nitsa. i have had it online since 2001 and it is highly reputable with very warm friends.

in the image http://www.gma-nitsa.gr/images/google-stopbadware/visits.png
you can see the decrease in traffic since google marked our site as a badware source.

if *anyone* can provide me with contact information for someone at google who can explain the problem, it will be a great help.

Thank you in advance for your help.

gEorgE sTaThis

Posted by: gEorgE sTaThis at November 23, 2007 12:40 AM
