Bing ad serves malware to would-be Google Chrome switchers

Bing ad serves malware to would-be Google Chrome switchers

Summary: The criminal gangs that specialize in malware love search engines, because they represent an ideal vector for getting Windows users to click on links that lead to potentially dangerous Trojans. The latest attack targets ads, and the social engineering is frighteningly good.

SHARE:

Update: The same gang is responsible for a wave of new ads that lead to malware. See Bing ad leads to more malware; new Mac Trojan in the wild.

Can you trust your favorite search engine? Don’t answer too quickly.

Earlier this year, Google was under siege by a gang of Russian criminals. The bad guys hijacked search results (especially for images) and used scripts to redirect Windows and Mac users to sites that tried to scare them into installing fake antivirus software.

Google eventually cleaned up the mess, and Russian authorities helped their cause immensely by arresting the ringleader.

But that doesn’t mean it’s safe to relax yet. This week I’m watching a new wave of attacks that are using web advertising and social engineering to deliver Windows-based malware. The payload looks like legitimate software, but it’s actually a malicious downloader .

Today’s example is from Bing, which may have a fraction of Google’s search traffic but still has attracted the attention of cybercriminals.

Earlier today I visited Bing and searched for google chrome. The results were accompanied by a handful of ads in prominent positions at the top and along the right side. Nothing unusual about that, except for two nearly identical ads that appeared side-by-side at the top of the list. Here's what they looked like (I've obscured the URL names to make the test tougher).

One of those ads was legitimate, and the other led to a malware attack. Can you tell which was which?

Here's the landing page for the first ad:

And here's where clicking the second ad led:

If you look closely enough, you can probably figure out that the first site is Google's legitimate Chrome download page and the second one is fake, but the differences are subtle. A nontechnical observer would have a very difficult time figuring out that one of those big blue Download Google Chrome buttons is the real deal and one is fake.

The path from my web browser to the malicious software was a convoluted one.

The landing page for the fake site is served from a domain called iDownloadster.info, which has been built for deception. The domain was registered with GoDaddy four days ago, and the ad is hosted at a Ukrainian site called Goodnet. The download link leads to a separate domain, dl-byte.com, which was registered seven days ago and is hosted on a server that is infested with malware, porn, and fake pharmaceutical sites, most of it located in Russia.

But there’s no way to know any of that if you simply click the link and download the software.

When I sent the fake download to VirusTotal for analysis, it was detected by only a handful of antivirus engines. Microsoft Security Essentials missed this threat initially, but a definition update a couple hours later identified the downloaded file as Rogue:Win32/FakeRean. This family of fake antivirus software goes by dozens of names in the wild: Win 7 Internet Security 2011 and Total Win 7 Security, among others.

That lag between the time I downloaded the file and when it was identified is a perfect illustration of the phenomenon I wrote about last week in Why malware networks are beating antivirus software. But that doesn’t mean I was a sitting duck. In fact, all of my main Windows PCs stopped this potential infection in its tracks, using security layers that don’t depend on definition files.

In my next post, I’ll offer a detailed look at how those antivirus alternatives work and why they represent the future of online security.

Update: Five hours after I reported this issue to Microsoft, the fake ad was removed. A Microsoft spokesperson provided the following comment:

Microsoft has identified the malicious ad and took the appropriate action to remove it. The advertiser also can no longer post ads on Bing. In addition, the site's URL is no longer available via adCenter. We remain vigilant in protecting consumers, advertisers and our network from fake online insertion orders and continue to directly work with our agency media partners to verify and confirm any suspicious orders.

Related posts:

Topics: Security, Browser, Google, Malware, Software

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

30 comments
Log in or register to join the discussion
  • RE: Bing ad serves malware to would-be Google Chrome switchers

    Yep. I can see the ad too. It's still there as of 6:13 PM EST, 8/8/11.<br>I know Internet advertising is a hot topic for some, but which ever side your on, theres no doubt Internet advertising needs an overhaul. In fact, I think Mr. Thurrott called for this a while back - An Internet-wide Trustworthy Computing Initiative. <br><br>Until then, Adblock and NoScript are a man's best friends. I'm sorry to say that. I know that's not what admins want to hear, but the best defense is a good offense, and if you won't take the initiative to defend the users, I will.
    The one and only, Cylon Centurion
    • RE: Bing ad serves malware to would-be Google Chrome switchers

      @Cylon Centurion

      If you used Linux, you wouldn't have to worry about this nonsense.
      ScorpioBlue
    • RE: Bing ad serves malware to would-be Google Chrome switchers

      @Cylon Centurion
      If you used Mac OS X, you wouldn't have to worry about this nonsense.
      theo_durcan
  • Not serving anymore

    This ad will no longer be serving in about 20 minutes...
    Trust me
    dogger1234
  • RE: Bing ad serves malware to would-be Google Chrome switchers

    Yep all gone, didn't see it at all.

    Of course, you may not end up with malware, but following the legitimate ad installs a browser from an advertising company ;-)
    tonymcs@...
    • LOL

      @tonymcs@...

      That's worth a +1...
      Ed Bott
      • RE: Bing ad serves malware to would-be Google Chrome switchers

        @Ed Bott
        As a blogger, where do you get money if not directly from advertising. I'm certainly not paying to read your articles. This advertising is evil rant is quite ridiculous.
        anono
      • There is a difference

        @anono

        I personally don't mind advertising. If I'm visiting a tech site seeing ads for HP Blade Servers, Cisco, etc are all okay in my book. What I don't like is having everything I do watched so that when I go to foodnetwork I still get ads for server equipment.

        I'm good with ads that target the type of content the viewer is currently consuming. I don't like tracking and I don't think anyone would argue that ads leaning to malware are bad in general. I'm not sure they go about fixing something like that though. How many people bought some terrible thing off an infomercial in the middle of the night? Is this really any different? Informed users are the best defense.
        LiquidLearner
      • RE: Bing ad serves malware to would-be Google Chrome switchers

        @LiquidLearner
        My argument is more towards tonymcs (& Ed since he +1'd it). tonymcs has at least once more in another forum that being a company that brings in money from advertising is wrong/evil.
        anono
    • RE: Bing ad serves malware to would-be Google Chrome switchers

      @tonymcs@... Scary thought... I'm not sure which is worse.
      GoodThings2Life
    • RE: Bing ad serves malware to would-be Google Chrome switchers

      @tonymcs@... <br>Arguably zdnet is an advertising company since I presume that's how the make their revenue. This applies most websites so you are ranting about advertising companies on an advertising company's website. How about save us the trouble of having to read your idiotic posts and stop going on websites created by any "advertising company" and go back to your cave.
      anono
  • I have a solution...

    ...but I don't think banning half the world from the Internet will fly, lol.

    But seriously, this is why I wholeheartedly support your Trusted Computing idea. Every legitimate thing we do online has such significant risks to our security, and people are incapable, it seems, of making intelligent decisions.
    GoodThings2Life
  • RE: Bing ad serves malware to would-be Google Chrome switchers

    Well, there's no reason to use that crappy search engine bing when there's Google
    shellcodes_coder
    • RE: Bing ad serves malware to would-be Google Chrome switchers

      @shellcodes_coder

      Wow... just wow.
      Hallowed are the Ori
    • RE: Bing ad serves malware to would-be Google Chrome switchers

      @shellcodes_coder
      Competition is one reason. It tends to keep entities from harnessing monopolistic powers. Or, does that only apply in one direction (anti-Microsoft)?
      TechNickle
      • RE: Bing ad serves malware to would-be Google Chrome switchers

        @FuzzyBunnySlippers
        Actually if you read most posts on zdnet, you will realize it applies only on one direction and that's against Google. People seem to think Google subsidizing other business from their dominant position on search is somehow "evil", while MS subsidizing search from their Windows monopoly is perfectly fine.

        Personally, I am ok with both.
        anono
    • RE: Bing ad serves malware to would-be Google Chrome switchers

      @shellcodes_coder
      Why paint yourself as an utter idoit...
      owlnet
    • RE: Bing ad serves malware to would-be Google Chrome switchers

      @shellcodes_coder I think you just totally missed the point. But on the positive, you did gain +11 "fanboy points" (you got an extra +1 for refusing to capitalise "Bing", impressive).
      Jeremy-UK
    • RE: Bing ad serves malware to would-be Google Chrome switchers

      [i]Well, there's no reason to use that crappy search engine bing when there's Google[/i]

      @shellcodes_coder you're right.

      Notice Redmond fanboy indignation. lol... :D
      ScorpioBlue
  • RE: Bing ad serves malware to would-be Google Chrome switchers

    I thought that the malware link looked more inviting, than the legitimate one. :D
    lehnerus2000