Malware hotbeds in Google search results are increasing

Mary Landesman with real-time malware scanning specialist ScanSafe tracking the attacks since March reported that a number of websites identified as infected have almost tripled. Cybercrooks behind malware attacks set up websites that appear in a search result listing at Google and after the user visits such a malicious destination his/her computer gets infected with an application that tracks their Google search results.

This way internet users are increasingly becoming a part of a botnet even not knowing of the fact. Usually web compromises disappear in a few weeks after they were detected as search engines and anti-virus programs grow wise to them. But that's not happening this time, said the researchers.

"The growth rate is very unusual for this type of compromise, and the fact that it's escalating so quickly is what has us concerned," Landesman told.

The point is that the exploit code is different for each website and it is almost impossible to know beforehand if a certain destination is compromised until a user accidentally goes there. It uses obfuscated Javascript that's burrowed deep into a website's source code to exploit unpatched vulnerabilities in a visitor's Adobe Flash and Reader programs. The malware sifts through a victim's computer in search of FTP credentials that can be used to infect still more websites with the malicious Javascript.

As some observers note the main objective of such attacks seem to be to make profits by re-routing the traffic from Google’s official ads to their own websites. By injecting ads and links into certain searches, infected users see results that are different than they would otherwise be.

The source of the latest Javascript is grumblar.cn, which has a Moscow IP address that reverses to ukservers.com.