Blog for hpHosts, and whatever else I feel like writing about ....

Tuesday, 22 December 2009

Oi! Google, WAKE UP!

After announcing to the world + dog, that they are offering their own version of OpenDNS, you'd have thought that meant they'd finally gotten serious about security (I know, I'm laughing at the thought too), but nope, Google's results are STILL littered with malicious content that will drive your PC into a frenzy, and drive you to a level of frustration you've never seen.

As a quick example, I've just spent the last 10 mins or so, going through the results for hphosts for the past month, and found the following, all of which will, if fed a Google referer, infect the living daylights out of your computer;

The sites you're taken to that deliver the payload, or act as redirectors to the payload, include;

Worse still, is many of these have been in the results for what is considered in the security world, as a long time (over 1 week for a fake AV site to stay alive, isn't very common, domains usually die anywhere within 6 - 72 hours).

Just one of the many sites listed above, is the typical fake AV site, pretending to scan your computer, and automagically find a plethora of infections, with the end results being to download an infection to your machine, and have you pay them for doing so.

You'll find the IP's and whatnot that are involved below, but suffice to say, the usual suspects are present (Hetzner, CSSGROUP, root eSolutions etc).

Given Google offer their "diagnostics", which points out sites containing infections, and given they have what is without a doubt, one of the largest indexes available, you'd have thought they'd have invested at least a small amount of time, on additional filtering that would enable them to scan a site and give it some sort of fingerprint - a fingerprint that could then be compared to, which would have very easily identified around 90% of the malware you can find via Google (and the above is less than 0.0000001%).

If I can identify this lot in around 10 minutes, and identify it MANUALLY (I have never been a fan of automation as there's too much to go wrong), imagine what Google could save you from if they bothered getting their backsides into gear (and yep, I know Google aren't the only engine affected by this - but they're the largest and most popular).

hpObserver results

Raw results
DOMAIN        IP        IP_PTR        ASN        ASN_CIDR        ASN_DESCRIPTION        URI_PATH        AS30447        INFB2-AS        /Swatches/1106/jpg.php        AS24940        HETZNER-AS Hetzner Online AG RZ        /?pid=384&sid=31797c        AS15244        ADDD2NET-COM-INC-DBA-LUNARPAGES Lunar Pages        /images/educatio90/lenugeratt.html        Failed resolution        AS20473        AS-CHOOPA Choopa, LLC        /downloader.php?affid=94400        Failed resolution        AS20473        AS-CHOOPA Choopa, LLC        /index.php?affid=94400        Failed resolution        AS20473        AS-CHOOPA Choopa, LLC        /hitin.php?land=20&affid=94400        AS48662        CSSGROUP-AS SIA _CSS GROUP_        /a/?l=searchable        AS33182        DIMENOC---HOSTDIME, Inc.        /vyy/74867.php        AS21844        THEPLANET-AS Internet Services, Inc.        /cfywk/authorized.php        Failed resolution        AS30496        COLO4 Colo4Dallas LP        /jltnu/cadets.php        AS4323        TWTC tw telecom holdings,        inc.        /xtedb/cadets.php        AS33970        OPENHOSTING M247 Ltd        /adnep/simple.php        AS4323        TWTC tw telecom holdings, inc.        /ruagj/cadets.php        AS32475        SINGLEHOP-INC SingleHop        /iheae/cadets.php        Failed resolution        AS32181        ASN-ECOMD-COLOQUEST GigeNET        /download/install.php?uid=13400        Failed resolution        AS32181        ASN-ECOMD-COLOQUEST GigeNET        /?uid=13400        AS29802        HVC-AS HIVELOCITY VENTURES CORP        /go.php?id=2004&key=ff0057594&d=1        Failed resolution        AS5577        ROOT root eSolutions        /downloader.php?affid=92800        Failed resolution        AS5577        ROOT root eSolutions        /index.php?affid=92800        Failed resolution        AS5577        ROOT root eSolutions        /hitin.php?land=20&affid=92800        Failed resolution        AS27716        Eveloz        /in.cgi?5        Failed resolution        AS4323        TWTC tw telecom holdings, inc.        /zgrcn/authorized.php


Unknown said...

What a terrible post. You sound like one of those parents that get mad at the TV for letting your kids watch adult material. I don't need or want Google to censor any content that I browse, their redirect message with a warning is enough for me. Practice safe browsing and don't depend on others to do stuff you should be doing.

MysteryFCM said...

Glad you (didn't) like it, but you've missed the point a wee bit I'm afraid (not really surprising given your comment).

Googles redirect warning is actually a good thing, and I've no problem with it - but the warning is missing from a plethora of malicious results - it's this that I have a problem with.

As for practicing "safe hex", that's easy for those of us that are aware of such risks, but Joe User is not aware of such, and as such, isn't going to be practicing safe anything - hence the sheer volume of compromised machines.