ALERT: More potentially dangerous web sites hitting Google search
You may recall that Alex Eckelberry alerted us to a massive seeding of Google and other Web searches with malicious web sites. Google and the other sites, to their credit, certainly cleaned things up very quickly, and the incident quickly hit the popular press.
Sadly, although Google reacted quickly to the last incident, they do not appear to have found a way to counter the basic problem: Alex and Adam report that they are seeing signs of another attempt to infiltrate search results. Alex and Adam note that the sites are not dangerous at the moment, but of course that could change.
While we're on the topic of malicious searches, Trend Micro's team pointed out a new behaviour that all of us need to keep in mind when investigating these outbreaks. Trend say that:
"However, there is a little catch for us security researchers. We now look at the “if” statement where it relies on the “document.referrer” function. The code tells that in order for the “eval” function to be executed, the page where the user visited before arriving on the malicious Web page should be a page containing Google search results. Also, the search string used by the user must not have the “inurl:” and “site:” Google search functions. Thus, direct visit or access of the malicious site will not trigger the evil script and not redirect us to the site hosting the malicious binary file.
For security researchers developing tools to automate the capture of the malicious files found on Web threats, this is something to consider. It is clear that this is a limitation for tools designed to directly access the malicious site aiming to capture the malicious files. The affected tools include honeyclients, Web crawlers, and downloaders."
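To make the gate Trend describes concrete for anyone maintaining a honeyclient or crawler, here is an added example (mine, not code from the diary, Trend Micro or the malicious pages) with two parts: a model of the referrer condition, showing why a direct fetch never reaches the eval, and a simple heuristic that flags script text carrying that gate. The exact form of a "Google search results" referrer (a google. hostname with a q= parameter) and the keyword test are assumptions.

```javascript
// Models the referrer gate Trend describes: the eval runs only when the
// previous page was a Google search results page whose query did not use
// the inurl: or site: operators.  An empty referrer (direct visit) fails.
function referrerPassesGate(referrer) {
  let url;
  try {
    url = new URL(referrer);          // "" or garbage -> TypeError -> false
  } catch (e) {
    return false;
  }
  // Assumption: a Google results page has a google. hostname and a q= parameter.
  if (!/(^|\.)google\./i.test(url.hostname)) return false;
  const q = url.searchParams.get("q");
  if (q === null) return false;
  // The operators must be absent.  \b avoids matching "website:".
  return !/\b(inurl|site):/i.test(q);
}

// Heuristic for triage of captured page source: every ingredient of the
// described gate present in one script is worth a closer look.
function looksLikeReferrerGatedEval(script) {
  const ingredients = [
    /document\.referrer/,   // reads where the visitor came from
    /google/i,              // expects a Google results page
    /inurl:|site:/i,        // rejects operator-based queries
    /\beval\s*\(/           // the gated step
  ];
  return ingredients.every((re) => re.test(script));
}

// Constructed sample in the shape Trend describes (payload is not defined;
// this string is only input for the heuristic above).
const SAMPLE_SCRIPT = [
  "var r = document.referrer;",
  'if (r.indexOf("google") > -1 && r.indexOf("inurl:") == -1 && r.indexOf("site:") == -1) {',
  "  eval(payload);",
  "}"
].join("\n");

// Walk through the cases a honeyclient operator cares about.
function demo() {
  return {
    organicSearch: referrerPassesGate("https://www.google.com/search?q=free+screensaver"),
    inurlQuery: referrerPassesGate("https://www.google.com/search?q=inurl:screensaver"),
    directVisit: referrerPassesGate(""),
    flagged: looksLikeReferrerGatedEval(SAMPLE_SCRIPT)
  };
}
```

A crawler that fetches the URL directly presents the `directVisit` case, so it sees only the harmless branch; that is the limitation Trend is pointing out.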
You may recall my previous advice about this problem, which is to pay close attention to the links that are being offered, to avoid anything that just doesn't look right, and certainly to avoid 'nonsense' domains. If you look at the latest Sunbelt screenshots, one of the sites is "pavtd.com.cn" which, at least according to the quick straw poll I just conducted, would not ring alarm bells for the average user. Apparently it's "not nonsensical enough".