Didier Stevens

Friday 6 October 2006

Update: Google and the Drive-by Download

Filed under: Malware,Update — Didier Stevens @ 21:49

At the end of my post Google and the Drive-by Download, I wondered how prevalent such query results were.

This is an attempt to answer this question.

Here’s a Perl script that will execute Google queries and look for suspect URLs in the first page with a regular expression (remember, suspect URLs are of the form 123.1a2b3c.info). If you want to use the script on your Windows machine and don’t have a Perl interpreter, you can use ActiveState’s free ActivePerl.

Since I have no list of common Google queries used here in Belgium, I included a simple algorithm in my program to generate its own queries. They look like this: name profession. I feed my program with a list of frequently occurring last-names in Belgium and a list of professions you might want to search for (like a plumber).
Here’s the output of my program:

Suspect queries:

613.6x2q1y.info http://www.google.be/search?hl=fr&q=Thys+Blanchisseur

4859.4rhw0hk.info http://www.google.be/search?hl=fr&q=Gerard+Plombier

Suspect URLs:

4859.4rhw0hk.info

613.6x2q1y.info

2 suspect queries out of 2322 queries (0.0861326442721792%).

About 1 out of 1000 queries (looking for a profession) list a drive-by download site on the first result page. That’s not too bad, but still a surprising result to me.

Google and the Drive-by Download

Filed under: Malware — Didier Stevens @ 9:50

I’ve encountered an interesting Drive-by Download and made a movie of a Windows XP SP2 machine getting infected.

Drive-by downloads are nothing new, but it’s the first time I see one were you are directed to the drive-by download site by a normal, innocent Google query.

These are the steps to get infected:

  1. Start Internet Explorer
  2. Goto http://www.google.be
  3. search for vanderelst chauffagiste
  4. click on the first link (like I’m Feeling Lucky)

Searching for vanderelst chauffagiste is a normal, innocent query: I look for a heating technician (chauffagiste) called vanderelst (a common name here in Belgium).

Here is a post of someone (joy) experiencing the same thing when looking for a dentist in Illinois. But apparently joy doesn’t get infected.

I won’t explain how this drive-by download works. My point is rather that spyware makers have found ways to get their infected websites highly ranked by Google when you execute a normal, innocent query. We know that you’re likely to get infected when you look for keygens or cracks, but not when you’re searching for a local dentist.

My Search Engine Optimisation knowledge is very limited, I cannot explain you how they got their sites top listed by Google. According to joy, it has something to do with the fake Google result page they host (see the movie).

The movie is hosted here on YouTube, and you can find a hires version (XviD) here.

First I show that there’s no service32.exe file in the c:\windows directory. You can see that I’m running as local admin, which is a bad idea, but please bear with me.

Next I search for my heating technician with Google and click on the first link (you’ll notice the strange URL of the .info TLD with random subdomains).

The free Kerio Personal Firewall alerts me of programs (spywares) that are being started. I installed the firewall to visualize the infection in action. And I’m feeling stupid today, so I click on Permit.

Notice that the page looks like a Google search result page, but that all entries point to .info sites that are probably also drive-by download sites.

There’s a half minute of inactivity after 1:30 minutes, be patient and you’ll see other programs being started and the service32.exe file appearing in the Windows directory.

Finally, I go to the Virustotal site to get some files scanned by 20+ virus scanners. This part of the movie is rather boring, but I didn’t want to spend much time editing it, feel free to fast forward. The point is that most virus scanners don’t detect the infected files.

I also used Lavasoft’s Ad-Aware SE Personal (freeware) anti-spyware program to scan the machine: no files were detected.

It should be interesting to know how prevalent these sites are in Google query results.

Blog at WordPress.com.