November 29, 2007 // 6:39 pm
A huge campaign to poison web searches and trick people into visiting malicious websites has been thwarted.
The booby-trapped websites came up in search results for search terms such as "Christmas gifts" and "hospice".
Windows users falling for the trick risked having their machine hijacked and personal information plundered.
The criminals poisoned search results using thousands of domains set up to convince search index software they were serious sources of information.
While computer security researchers have seen small-scale attempts to subvert search results before now, the sheer scale of this attack dwarfed all others.
"This was fairly epic," said Alex Eckelberry, head of Sunbelt Software - one of the firms that uncovered the attack.
Mr Eckelberry said tens of thousands of domains were used in the vanguard of the attack. Most domains were Chinese-registered, hosted in the US and only a couple of days old.
Websites loaded on these domains were booby-trapped with malicious software that looked for vulnerabilities in copies of Microsoft's Internet Explorer used to browse them.
"If your machine was not fully patched you were going to get hosed," said Mr Eckelberry.
The criminals who bought the domains convinced the indexing software used by Google, MSN and Yahoo they were good and popular sources of information, said Mr Eckelberry.
Although the results were indexed by Yahoo and MSN, the webpages were coded to show up only if someone used Google.
The criminals used comment spam on blogs to push the pages up the search index rankings.
Sunbelt had discovered malicious sites connected with search terms such as "hospice", "cotton gin and its effect on slavery", "infinity" and many more.
"You could be searching for really innocuous things and get nailed," said Mr Eckelberry. "There was really nasty stuff in there."
"If there's any message from this I can scream from the rooftops it's make sure you patch your machine," he said.
Security firm Trend Micro also discovered a series of booby-trapped sites aimed at Christmas gift shoppers and those looking for information about many other innocent subjects.
"Some of the top rated hits are leading to the malicious sites," said Raimund Genes, chief technology officer at Trend Micro.
Mr Genes said the booby-trapped websites discovered by Trend Micro tried to exploit several different vulnerabilities in Microsoft's web browser. The sites also attempted to stop the malicious software being spotted by intermittently scrambling the package before it downloads.
He speculated that the campaign was being waged by the Russian Business Network - a hi-tech criminal gang known to favour web-based attacks.
The booby-trapped websites were thought to be in operation for about 24 hours before Google began stripping them out of its search index. Some of the trapped websites are believed to be still turning up in searches carried out on Yahoo and MSN Live.
But, said Mr Eckelberry, this attack was likely to be a harbinger of many more.
"This is not going to go away," he said.