Google Video search results poisoned to serve malware

From the real-time syndication of hot Google Trends keywords and the maintenance of AdWords campaigns to plain blackhat search engine optimization tactics, cybercriminals are constantly looking for new ways to acquire traffic by abusing the clean reputation of each and every Web 2.0 property. From LinkedIn, Bebo, Picasa and ImageShack to Twitter, every one of them is targeted efficiently using automated account registration tools.

During the last couple of days, a single group behind countless blackhat SEO campaigns across the Web started massively targeting Google Video with a campaign that has already hijacked approximately 400,000 search queries in order to trick users into visiting a bogus, malware-serving (W32/AutoTDSS.BNA!worm) adult web site.

Here's how the campaign works, and how the group attempts to cloak it from the eyes of security researchers.

What's particularly interesting about this campaign, which relies entirely on Google Video traffic to flourish, is that instead of sticking to the adult content in their keyword inventory, the cybercriminals have been syndicating legitimate YouTube video titles from a variety of topics. The number of legitimate video titles used is therefore proportional to the reach of the campaign: in this case over 400,000 search queries, a number that keeps growing in real time as Google Video continues to crawl their bogus content.

Moreover, because they maintain a portfolio of 21 publisher domains whose bogus, non-existent video content is currently being crawled, a simple tactic lets them hijack a Google Video search query entirely. How? By duplicating the same content across their publisher domains, so that the top 5 search results for a particular video can all be served from any of the 21 domains, which makes it look as though different sites carry the same content.

The search engine results poisoning works as follows. Upon clicking on any content from any of the 21 publisher domains, a Google Video user is taken to a single redirection point (porncowboys .net/continue.php), then to the well-known adult site template abused by cybercriminals (xfucked .org/video.php?genre=babes&id=7375), where the user is told "Your Flash Version is too old. Your browser cannot play this file. Click "OK" to download and install update for Flash Video Player." If the user is tricked into clicking, the malware is served (trackgame .net/download/FlashPlayer.v3.181.exe).

The cybercriminals are also taking advantage of a well-known evasive technique: HTTP Referer checking, or "cloaked maliciousness". The redirection to the fake Flash Player is only served if the potential victim arrives from Google Video. A researcher who simply browses the content of their sites sees nothing but legitimately syndicated YouTube videos, so reproducing the chain requires sending the Referer header a Google Video visitor would send. This case aside, it's worth pointing out that on the majority of occasions cybercriminals do not fully take advantage of the evasive features available within the traffic management kits they use behind their campaigns, which makes those campaigns easier to analyze.
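The redirect chain and the Referer check that cloaks it, as an added example that is not code from the original post or from the group's traffic management kit: a small Python replica of the redirection point, run on localhost, together with the two-request comparison a researcher can use to expose Referer-based cloaking. The hostname it keys on, the paths and the page text are assumptions for the demonstration; nothing here contacts a real domain.

```python
"""Referer-checking cloak reproduced locally, plus the check that exposes it.

Added example, not the original post's or the kit's code. The local server
stands in for the redirection point; paths and page text are illustrative.
"""
import http.server
import threading
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Referer substring the simulated kit keys on (assumption: the real kit
# matched on Google Video's hostname).
TARGET_REFERER = "video.google.com"


class CloakingHandler(http.server.BaseHTTPRequestHandler):
    """Serves the redirect chain only to visitors whose Referer is Google Video."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _html(self, body):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        from_google_video = TARGET_REFERER in self.headers.get("Referer", "")
        if self.path == "/continue.php":
            if from_google_video:
                # Hop 1: the single redirection point forwards to the adult template.
                self.send_response(302)
                self.send_header("Location", "/video.php?genre=babes&id=7375")
                self.end_headers()
            else:
                # Anyone else (a researcher browsing directly) sees only the
                # legitimately syndicated video content.
                self._html(b"<html><body>Syndicated YouTube video titles</body></html>")
        elif self.path.startswith("/video.php"):
            # Hop 2: the fake "Flash version too old" lure pointing at the payload
            # (the real page used a dialog; a link is enough to show the chain).
            self._html(b'<html><body>Your Flash Version is too old. '
                       b'<a href="/download/FlashPlayer.exe">Click OK</a></body></html>')
        else:
            self.send_response(404)
            self.end_headers()


def start_server():
    """Run the simulated publisher/redirector on a random localhost port."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise on 3xx instead of following, so every hop is recorded."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def follow_chain(url, referer=None, max_hops=5):
    """Walk the chain hop by hop; returns [(url, status, location_or_None), ...]."""
    opener = urllib.request.build_opener(NoRedirect)
    hops = []
    for _ in range(max_hops):
        req = urllib.request.Request(url)
        if referer:
            req.add_header("Referer", referer)
        try:
            with opener.open(req) as resp:
                status, location = resp.status, None
        except urllib.error.HTTPError as err:
            status, location = err.code, err.headers.get("Location")
        hops.append((url, status, location))
        if location is None:
            break
        url = urljoin(url, location)
    return hops


def detect_cloaking(url):
    """Fetch as a direct visitor and as a Google Video visitor; cloaking shows
    up as two different chains for the same URL."""
    direct = follow_chain(url)
    referred = follow_chain(url, referer=f"http://{TARGET_REFERER}/videosearch?q=x")
    return {"direct": direct, "referred": referred, "cloaked": direct != referred}


if __name__ == "__main__":
    srv, base = start_server()
    for name, chain in detect_cloaking(base + "/continue.php").items():
        print(name, chain)
    srv.shutdown()
```

Against a suspect URL the same `follow_chain` call, made once without and once with a Google Video Referer, exposes the kit: the two chains diverge at the first hop, and only the referred one reaches the lure page. A kit that additionally keys on User-Agent or client IP range needs the same paired-request treatment for those attributes.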

Google's Security Team has been notified and action is expected to be taken anytime now.

Topics: Security, Social Enterprise

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.



  • Windows affected (who cares)

    I do not run Windokes, so I could care less. I am lucky
    in the fact that I work with secure RHEL, so I am immune!

    • Hasn't "Flash" been ported?

      For some stupid reason I was under the impression that "Flash", as well as other well-used add-ons, had been ported to Linux and OS X.

      Web exploits can cross OS boundaries.
      • Do not tell that to opensource_luser01

        Let him sit there with an infected machine; I do not care in the least.
        • Oh my heavens!

          Oh my, I have an infected machine? First off, I do not have Flash on my laptop or workstation; I don't need it.

          Second, how many Windows machines are affected now by the worm called Conficker???

          10,000,000 and counting...

          Try again!

          • Liar, Liar, Pants on Fire...

            You've just proven yourself to be a chronic lying sack of fertilizer. To quote YOU:

            [b]"Oh my I have an infected machine, first off I do not have flash on my laptop or workstation, don't need it." [/b]

            And yet, on 1/19/2009, you posted the following response on another thread:


            Note the title...

            So it's either installed and working - or it's not.

            Consider your cred to be completely revoked...
          • He he ... well said Wolfie2K3 !!

            What do you expect? He's a typical, know-nothing <i>"Linux is the king"</i> script kitty.
            He's so full of s**t it's coming out his mouth!
            For example (quoting him in the post referenced by you):
            <i>1) "ATI works without ANY drivers,"</i>
            <b>WRONG !!! NO HARDWARE works without ANY drivers!! There MUST be a driver, either from the hardware manufacturer or a generic one included with your OS.</b>
            <i>2) "Gaming you bet"</i>
            <b>Sure, but WHAT KIND OF GAMES ??? I doubt Oblivion or Bioshock have been ported over yet, and FORGET about running any of the new games coming out!! You typically have to wait several months to a year or more before they become available. IF they become available!</b>
            Face it, Linux is NOT a serious gaming platform, and never will be until software companies take it more seriously.
            And as far as infections go, the reason you don't have to worry about them is that no one is interested enough to take the trouble to write them for your OS. <b>YOU'RE SIMPLY NOT THAT IMPORTANT !!</b>
          • Also interesting ...

            He calls himself opensource_user01, but <b>why was the post you referenced in a thread titled "What's really new in Windows 7?"</b>

            He's been <b>caught lying TWICE</b> with the same post, <i>like getting hung twice with the SAME NOOSE !!!!</i> <b>HA HA HA HA

            TOO PRICELESS !!!!!</b>
          • more lies...

            If you read the post, he says that both ATI and nVIDIA are working properly. Nobody has both ATI and nVIDIA on their machine!!

            Linux can and does work without any video drivers due to a neat little thing called "MESA." The MESA standard allows many users to have a graphical environment, with the correct screen resolution for their monitor. However, MESA does not support special effects or 3D. For that, you need a driver. Many kinds of video cards are supported "out of the box" by open source drivers. ATI and nVIDIA are not.

            Here's an article about MESA.
          • No it doesn't work without drivers ...

            What you call the "MESA" standard is a generic ( probably VGA ) DRIVER that's INCLUDED WITH THE OS OR BUILT INTO THE KERNEL.
            THERE HAS TO BE A DRIVER !!!!
            Drivers sit between the OS and the HAL (Hardware Abstraction Layer). They enable the user to add hardware without rebuilding the kernel. (Oh and BTW - When users "rebuild the kernel" what they're actually doing is adding "drivers" to the kernel to allow a device to function, or more specifically, to allow the OS to "talk" to the device). Rebuilding the kernel was a PITA, similar to rebuilding your entire house in order to add on a garage. Which is why they went to the modular (drivers SEPARATE from the kernel) method, to allow for easy expansion/replacement/upgrades.


          • This is what I've been afraid of...

            Morons are tainting the pool of users of an OS I'm using. Ubuntu (and others) has made it too easy for idiots to run Linux.

            The good thing about it though is the user policies will protect most from stupid mistakes that result in installing malware. You should really think more than twice if you're being asked to input your root password with your browser open, and synaptic isn't, or you haven't intentionally used sudo (for apt-get).

            Only install software from approved repositories. If you follow that advice, 99.9% of Linux users, even the dumb ones, should be okay. Sorry, I don't have statistics to back that figure up. But it's impossible to install software without root (sudo) access in *nix.
          • 10,000,000 and counting... ??

            <b>Where are your facts coming from, off the top of your head ??</b> Anyone can spout random figures, but, <b>how about backing it up with some VALID statistical REFERENCES ?!?!?!
            Post a link to your source or STFU !!</b>
            Now, stop bothering us, <b>turn off daddy's computer, and go to bed !!</b>
            Don't forget to brush your teeth Script Kitty !
          • Ok, here's your sign ...

            First off: You're not running Windows <i>(or ARE you ??? See my post, Also interesting, above)</i>, so the fact that you don't have Flash on your machine <i>(But we KNOW YOU DO, <b>LIAR</b>)</i> <b>is irrelevant!</b>
            <br> The bomb <i>(the package the cyber criminals are using to infect machines)</i><b> WOULDN'T AFFECT YOU EVEN IF YOU DOWNLOADED IT !!!</b> The Flash download is THE LURE, NOT THE PACKAGE. <br>
            If you were the Linux Guru you want people to believe you are, you'd know this and not even be arguing about Flash.
            Second: <b>Here's your sign, again !!</b> (you need TWO, one for the front and back !!!)
          • YOU "Try again!"

            But first, I suggest changing your name to <b>script_kitty01</b>
          • What Kind of IT are you?

            You know, you sound like the 13- or 14-year-olds who just discovered Safari, Chrome, Firefox, or Opera and now it is time to show off to your Computer Class teacher just how superior you are...
            The ignorance and redundancy behind the Windows vs. Mac or Windows vs. open source debate is so old and no longer relevant that really it should now be used as a litmus test for over-confidence and lack of knowledge. If you truly believe you are completely safe and immune to exploits and hacker problems because YOU DON'T use Windows, you best hope you are really handy with a shovel, because you are not going to last very long in the IT world.
            Thinking you're superior and thumbing your nose at Windows users has no place here. Yeah, perhaps at one time the argument was a source of amusement, and may even have been relevant, but we have all heard it a thousand times, and at least as many times operating systems other than Windows have been exploited in one way or another. So really, grow up and move on, your narrow-minded anti-Windows rhetoric is stale and completely useless.
      • Message has been deleted.

        • How interesting...

          Just a few years ago, weren't Macs supposed to be impervious to malware? Now a Mac user has to be "careful" about downloads? Hmmm... Windows users have been told this for over a decade now, back when the Mac was impervious.
          • How interesting...

            Well, it looks like the shoe's on the other foot here. But, I agree with you, Heatlesssun1. It's time that the Internet gets a serious deep cleaning.
          • The very first virus I saw...

            ...back in 1986 or so, was on a Mac.
          • Same here

            I had a Mac+ long before I had a PC compatible.
          • pirated software

            Many years ago (10 or more) I had a friend who traveled to the exotic East: Hong Kong, Viet Nam and Cambodia. While there he picked up pirated versions of MS, Adobe, etc. from several locations, paying on average under 5 USD per CD. Oddly enough, none of the CDs had any viruses or malware. At about the same time a software CD for a legit gaming program that was mastered in Germany or somewhere in Europe was released with a nasty virus. What is the point? My, my, how the world has changed. Those Asian pirates were interested in making money for themselves, not taking advantage of user greed. Pirated iWork, ha ha, that is a good one.