As a quick example, I've just spent the last 10 minutes or so going through the hpHosts results for the past month, and found the following, all of which will, if fed a Google referer, infect the living daylights out of your computer:
mayafoods.com/zgrcn/authorized.php
ordonn.com/iheae/cadets.php
kafanov.com/ruagj/cadets.php
inlinea.co.uk/adnep/simple.php
camarosource.ca/xtedb/cadets.php
kovacsnet.hu/cfywk/authorized.php
ebim.drealentejo.pt/moodle/09g64/jxt/cadets.php
healthycranberry.com/images/educatio90/lenugeratt.html
The sites you're taken to that deliver the payload, or act as redirectors to the payload, include:
protectcareone.net/in.cgi?5
protectcareone.net/redirect/
protectcareone.net/redirect2/
protectcareone.net/redirect3/
protectcareone.net/redirect4/
webillcheck.com/hitin.php?land=20&affid=92800
webillcheck.com/index.php?affid=92800
webillcheck.com/downloader.php?affid=92800
bmwcarsrent.cn/go.php?id=2004&key=ff0057594&d=1
jytxeam.cn/?uid=13400
jytxeam.cn/download/install.php?uid=13400
fisps.it/vyy/74867.php
94.142.133.125/a/?l=searchable
onlineantispywaresolutions.com/hitin.php?land=20&affid=94400
onlineantispywaresolutions.com/index.php?affid=94400
onlineantispywaresolutions.com/downloader.php?affid=94400
7newyear.com/?pid=384&sid=31797c
justrags.com/Swatches/1106/jpg.php
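The behaviour described above (a compromised page that only misbehaves when the visitor arrives with a Google referer, and then bounces through one or more redirectors before the payload) can be checked from the command line without ever following a redirect automatically. The script below is an added example and is not from the original post or from hpHosts: it fetches a URL with and without a Google search Referer, walks the Location chain hop by hop, and flags the URL as cloaked if the two paths differ. The tiny HTTP server inside it is a constructed stand-in for a compromised site (the hostnames, paths and port are assumptions chosen for the demo); point `referer_cloaking()` at a real suspect URL from an isolated analysis box to use it for real.

```python
"""Referer-conditional cloaking check (added example, not the original post's code).

fetch() never follows redirects, so each hop's status and Location are
recorded; walk_chain() follows them manually; referer_cloaking() compares
the chain seen by a plain visitor with the chain seen by a 'Google' visitor.
The _FakeCompromisedSite server is a constructed stand-in for the kind of
site listed above: benign for everyone, except that visitors arriving from
Google are sent via a redirector to a fake-AV landing page.
"""
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed referer; any google.com/search URL works for the cloaking check.
GOOGLE_REFERER = "http://www.google.com/search?q=free+antivirus+scan"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError for 3xx instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_opener = urllib.request.build_opener(_NoRedirect)


def fetch(url, referer=None):
    """Return (status, Location-or-None, body) for one request, no redirects followed."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    try:
        with _opener.open(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Location"), resp.read()
    except urllib.error.HTTPError as e:          # 3xx/4xx/5xx land here
        return e.code, e.headers.get("Location"), e.read()


def walk_chain(url, referer=None, max_hops=10):
    """Follow Location headers by hand; return [(url, status), ...] in order."""
    chain, current = [], url
    for _ in range(max_hops):
        status, location, _body = fetch(current, referer)
        chain.append((current, status))
        if location is None or status not in (301, 302, 303, 307, 308):
            break
        current = urllib.parse.urljoin(current, location)
    return chain


def referer_cloaking(url):
    """Compare plain vs Google-referred chains; 'cloaked' is True if they differ."""
    plain = walk_chain(url)
    google = walk_chain(url, GOOGLE_REFERER)
    return {"plain": plain, "google": google,
            "cloaked": [u for u, _ in plain] != [u for u, _ in google]}


class _FakeCompromisedSite(BaseHTTPRequestHandler):
    """Constructed demo target: harmless page unless the Referer is Google."""
    def do_GET(self):
        ref = self.headers.get("Referer", "")
        if self.path == "/ruagj/cadets.php" and "google." in ref:
            self.send_response(302)
            self.send_header("Location", "/in.cgi?5")          # redirector hop
            self.end_headers()
        elif self.path == "/in.cgi?5":
            self.send_response(302)
            self.send_header("Location", "/hitin.php?land=20")  # fake-AV landing
            self.end_headers()
        else:
            body = b"<html><body>Nothing to see here.</body></html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    def log_message(self, *args):   # keep the demo output quiet
        pass


def start_fake_site():
    srv = HTTPServer(("127.0.0.1", 0), _FakeCompromisedSite)   # port 0 = any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def demo():
    """Run the check against the constructed site and return the verdict."""
    srv, base = start_fake_site()
    try:
        return referer_cloaking(base + "/ruagj/cadets.php")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    verdict = demo()
    print("cloaked:", verdict["cloaked"])
    for label in ("plain", "google"):
        print(label.ljust(7), " -> ".join("%s [%d]" % hop for hop in verdict[label]))
```

Because redirects are never followed automatically, every redirector in the chain (the `in.cgi` / `hitin.php` style hops) is captured rather than just the final landing page; the same approach works for user-agent cloaking by varying the User-Agent header instead of the Referer.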
Worse still, many of these have been in the results for what the security world considers a long time: a fake AV site staying alive for over a week isn't very common, as such domains usually die within 6 to 72 hours.
Just one of the many sites listed above is the typical fake AV site: it pretends to scan your computer, automagically "finds" a plethora of infections, and the end result is that it downloads an infection onto your machine and has you pay them for doing so.
You'll find the IPs, ASNs and whatnot that are involved below, but suffice to say the usual suspects are present (Hetzner, CSSGROUP, root eSolutions, etc.).
Given that Google offer their "diagnostics", which point out sites containing infections, and given that they have what is without doubt one of the largest indexes available, you'd have thought they'd have invested at least a small amount of time in additional filtering: scanning a site and giving it some sort of fingerprint that could then be compared against, which would very easily have identified around 90% of the malware you can find via Google (and the above is less than 0.0000001% of it).
If I can identify this lot in around 10 minutes, and identify it MANUALLY (I have never been a fan of automation, as there's too much to go wrong), imagine what Google could save you from if they bothered getting their backsides into gear (and yes, I know Google aren't the only engine affected by this, but they're the largest and most popular).
hpObserver results
http://hosts-file.net/misc/hpObserver_-_Blackhat_SEO_continued.html
Raw results
DOMAIN IP IP_PTR ASN ASN_CIDR ASN_DESCRIPTION URI_PATH
justrags.com 64.29.151.221 hostedc40.carrierzone.com AS30447 64.29.144.0/20 INFB2-AS InternetNamesForBusiness.com /Swatches/1106/jpg.php
7newyear.com 78.46.254.17 static.78-46-254-17.clients.your-server.de AS24940 78.46.0.0/15 HETZNER-AS Hetzner Online AG RZ /?pid=384&sid=31797c
healthycranberry.com 74.50.21.200 decima.lunarservers.com AS15244 74.50.21.0/24 ADDD2NET-COM-INC-DBA-LUNARPAGES Lunar Pages /images/educatio90/lenugeratt.html
onlineantispywaresolutions.com 193.106.32.10 Failed resolution AS20473 193.106.32.0/22 AS-CHOOPA Choopa, LLC /downloader.php?affid=94400
onlineantispywaresolutions.com 193.106.32.10 Failed resolution AS20473 193.106.32.0/22 AS-CHOOPA Choopa, LLC /index.php?affid=94400
onlineantispywaresolutions.com 193.106.32.10 Failed resolution AS20473 193.106.32.0/22 AS-CHOOPA Choopa, LLC /hitin.php?land=20&affid=94400
94.142.133.125 94.142.133.125 h-133-125.cssgroup.lv AS48662 94.142.128.0/21 CSSGROUP-AS SIA _CSS GROUP_ /a/?l=searchable
fisps.it 72.29.86.251 server4.hostservicenet.com AS33182 72.29.86.0/24 DIMENOC---HOSTDIME HostDime.com, Inc. /vyy/74867.php
kovacsnet.hu 74.55.77.138 ns1.tmdhosting210.com AS21844 74.52.0.0/14 THEPLANET-AS ThePlanet.com Internet Services, Inc. /cfywk/authorized.php
bey12.com 174.136.2.218 Failed resolution AS30496 174.136.0.0/18 COLO4 Colo4Dallas LP /jltnu/cadets.php
camarosource.ca 66.147.227.195 Unassigned-66.147.227.195.hrwebservices.net AS4323 66.147.224.0/20 TWTC tw telecom holdings, inc. /xtedb/cadets.php
inlinea.co.uk 213.230.203.86 web10.000025.net AS33970 213.230.203.0/24 OPENHOSTING M247 Ltd /adnep/simple.php
kafanov.com 216.120.233.229 host53.hrwebservices.net AS4323 216.120.224.0/19 TWTC tw telecom holdings, inc. /ruagj/cadets.php
ordonn.com 69.175.66.58 cl68.justhost.com AS32475 69.175.0.0/17 SINGLEHOP-INC SingleHop /iheae/cadets.php
jytxeam.cn 193.169.235.6 Failed resolution AS32181 193.169.234.0/23 ASN-ECOMD-COLOQUEST GigeNET /download/install.php?uid=13400
jytxeam.cn 193.169.235.6 Failed resolution AS32181 193.169.234.0/23 ASN-ECOMD-COLOQUEST GigeNET /?uid=13400
bmwcarsrent.cn 66.232.102.67 jones.xpserv300.com AS29802 66.232.96.0/19 HVC-AS HIVELOCITY VENTURES CORP /go.php?id=2004&key=ff0057594&d=1
webillcheck.com 193.104.153.245 Failed resolution AS5577 193.104.153.0/24 ROOT root eSolutions /downloader.php?affid=92800
webillcheck.com 193.104.153.245 Failed resolution AS5577 193.104.153.0/24 ROOT root eSolutions /index.php?affid=92800
webillcheck.com 193.104.153.245 Failed resolution AS5577 193.104.153.0/24 ROOT root eSolutions /hitin.php?land=20&affid=92800
protectcareone.net 200.63.46.130 Failed resolution AS27716 200.63.46.0/24 Eveloz /in.cgi?5
mayafoods.com 66.147.231.38 Failed resolution AS4323 66.147.224.0/20 TWTC tw telecom holdings, inc. /zgrcn/authorized.php
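The raw results above are whitespace separated, but two columns are not single tokens: IP_PTR can read "Failed resolution" and ASN_DESCRIPTION is free text, so a naive split() on the row misaligns fields. The parser below is an added example (not hpObserver's own code) that anchors on the ASN column (the one token matching `AS<digits>`) and takes the last token as URI_PATH, so everything between lines up correctly. It also checks that each IP really sits inside the announced prefix, and groups rows by ASN so the hosting concentration the post refers to as "the usual suspects" is visible directly. The SAMPLE rows are copied verbatim from the table above.

```python
"""Parser for the hpObserver 'Raw results' layout (added example, not hpObserver code).

Row layout: DOMAIN IP IP_PTR ASN ASN_CIDR ASN_DESCRIPTION URI_PATH, whitespace
separated, with IP_PTR ('Failed resolution') and ASN_DESCRIPTION possibly
spanning several tokens.  The ASN token ('AS' + digits) is used as the anchor.
"""
import ipaddress
import re
from collections import defaultdict

ASN_RE = re.compile(r"^AS\d+$")

# Rows copied from the table above (the header line is skipped by the parser).
SAMPLE = """\
DOMAIN IP IP_PTR ASN ASN_CIDR ASN_DESCRIPTION URI_PATH
7newyear.com 78.46.254.17 static.78-46-254-17.clients.your-server.de AS24940 78.46.0.0/15 HETZNER-AS Hetzner Online AG RZ /?pid=384&sid=31797c
94.142.133.125 94.142.133.125 h-133-125.cssgroup.lv AS48662 94.142.128.0/21 CSSGROUP-AS SIA _CSS GROUP_ /a/?l=searchable
webillcheck.com 193.104.153.245 Failed resolution AS5577 193.104.153.0/24 ROOT root eSolutions /downloader.php?affid=92800
webillcheck.com 193.104.153.245 Failed resolution AS5577 193.104.153.0/24 ROOT root eSolutions /index.php?affid=92800
camarosource.ca 66.147.227.195 Unassigned-66.147.227.195.hrwebservices.net AS4323 66.147.224.0/20 TWTC tw telecom holdings, inc. /xtedb/cadets.php
kafanov.com 216.120.233.229 host53.hrwebservices.net AS4323 216.120.224.0/19 TWTC tw telecom holdings, inc. /ruagj/cadets.php
mayafoods.com 66.147.231.38 Failed resolution AS4323 66.147.224.0/20 TWTC tw telecom holdings, inc. /zgrcn/authorized.php
"""


def parse_row(line):
    """Split one result row into a dict, tolerating multi-token PTR and description."""
    tokens = line.split()
    asn_idx = next(i for i, t in enumerate(tokens) if ASN_RE.match(t))
    rec = {
        "domain": tokens[0],
        "ip": tokens[1],
        "ip_ptr": " ".join(tokens[2:asn_idx]),            # may be 'Failed resolution'
        "asn": tokens[asn_idx],
        "asn_cidr": tokens[asn_idx + 1],
        "asn_description": " ".join(tokens[asn_idx + 2:-1]),
        "uri_path": tokens[-1],                           # always starts with '/'
    }
    # Sanity check on the lookup: the IP must fall inside the announced prefix.
    rec["ip_in_cidr"] = (ipaddress.ip_address(rec["ip"])
                         in ipaddress.ip_network(rec["asn_cidr"], strict=False))
    return rec


def parse_results(text):
    """Parse the whole table, skipping blank lines and the DOMAIN ... header."""
    rows = [l for l in text.splitlines() if l.strip()]
    if rows and rows[0].startswith("DOMAIN "):
        rows = rows[1:]
    return [parse_row(r) for r in rows]


def group_by_asn(records):
    """Map ASN -> description, distinct domains and full URLs seen on that network."""
    groups = defaultdict(lambda: {"description": None, "domains": set(), "urls": []})
    for r in records:
        g = groups[r["asn"]]
        g["description"] = r["asn_description"]
        g["domains"].add(r["domain"])
        g["urls"].append(r["domain"] + r["uri_path"])
    return dict(groups)


if __name__ == "__main__":
    records = parse_results(SAMPLE)
    for asn, g in sorted(group_by_asn(records).items(),
                         key=lambda kv: -len(kv[1]["urls"])):
        print("%s  %-40s %d URL(s) on %d domain(s)" %
              (asn, g["description"], len(g["urls"]), len(g["domains"])))
    bad = [r for r in records if not r["ip_in_cidr"]]
    print("rows whose IP is outside the announced prefix:", len(bad))
```

Grouping by ASN is the view that matters for blocking and for abuse reports: the compromised sites spread across ordinary shared hosting, while the redirector and fake-AV hosts cluster on a handful of networks.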
2 comments:
What a terrible post. You sound like one of those parents that get mad at the TV for letting their kids watch adult material. I don't need or want Google to censor any content that I browse; their redirect message with a warning is enough for me. Practice safe browsing and don't depend on others to do stuff you should be doing.
Glad you (didn't) like it, but you've missed the point a wee bit I'm afraid (not really surprising given your comment).
Google's redirect warning is actually a good thing, and I've no problem with it - but the warning is missing from a plethora of malicious results - it's this that I have a problem with.
As for practicing "safe hex", that's easy for those of us that are aware of such risks, but Joe User is not aware of such, and as such, isn't going to be practicing safe anything - hence the sheer volume of compromised machines.