Didier Stevens

Friday 6 October 2006

Google and the Drive-by Download

Filed under: Malware — Didier Stevens @ 9:50

I’ve encountered an interesting Drive-by Download and made a movie of a Windows XP SP2 machine getting infected.

Drive-by downloads are nothing new, but it’s the first time I see one were you are directed to the drive-by download site by a normal, innocent Google query.

These are the steps to get infected:

  1. Start Internet Explorer
  2. Goto http://www.google.be
  3. search for vanderelst chauffagiste
  4. click on the first link (like I’m Feeling Lucky)

Searching for vanderelst chauffagiste is a normal, innocent query: I look for a heating technician (chauffagiste) called vanderelst (a common name here in Belgium).

Here is a post of someone (joy) experiencing the same thing when looking for a dentist in Illinois. But apparently joy doesn’t get infected.

I won’t explain how this drive-by download works. My point is rather that spyware makers have found ways to get their infected websites highly ranked by Google when you execute a normal, innocent query. We know that you’re likely to get infected when you look for keygens or cracks, but not when you’re searching for a local dentist.

My Search Engine Optimisation knowledge is very limited, I cannot explain you how they got their sites top listed by Google. According to joy, it has something to do with the fake Google result page they host (see the movie).

The movie is hosted here on YouTube, and you can find a hires version (XviD) here.

First I show that there’s no service32.exe file in the c:\windows directory. You can see that I’m running as local admin, which is a bad idea, but please bear with me.

Next I search for my heating technician with Google and click on the first link (you’ll notice the strange URL of the .info TLD with random subdomains).

The free Kerio Personal Firewall alerts me of programs (spywares) that are being started. I installed the firewall to visualize the infection in action. And I’m feeling stupid today, so I click on Permit.

Notice that the page looks like a Google search result page, but that all entries point to .info sites that are probably also drive-by download sites.

There’s a half minute of inactivity after 1:30 minutes, be patient and you’ll see other programs being started and the service32.exe file appearing in the Windows directory.

Finally, I go to the Virustotal site to get some files scanned by 20+ virus scanners. This part of the movie is rather boring, but I didn’t want to spend much time editing it, feel free to fast forward. The point is that most virus scanners don’t detect the infected files.

I also used Lavasoft’s Ad-Aware SE Personal (freeware) anti-spyware program to scan the machine: no files were detected.

It should be interesting to know how prevalent these sites are in Google query results.


  1. Well, I use a sexier operating system than Windows, so I would imagine that is why I didn’t see any infection.

    Also, I started seeing these pages back in June 06, so I suspect whoever was behind this was tracking traffic back then, not necessarily infecting people.

    Comment by joy — Saturday 7 October 2006 @ 14:04

  2. I also noticed that about 90% of pages contain an iframe that cause the infection, the other 10% don’t.

    Comment by Didier Stevens — Saturday 7 October 2006 @ 14:40

  3. Yeah, did you look to see if that iframe is referring back or has anything to do with clearsearch.info?

    Also, how these guys are getting to the top of google is simple. They are using keyword stuffing (just as it sounds, a lot of keywords) and many hidden links (check the bottom of these info pages – hundreds of links found) for products or services that don’t have a large number of results.

    So, out of their crude attempts at keyword stuffing, they get to the top of the google result with their mocked up infected “search” result page.

    Comment by joy — Saturday 7 October 2006 @ 20:06

  4. There’s another iframe linking to cleansearch.info, the one I’m talking about links to an Ukranian IP address.

    I’m preparing a new post about this, I’ll e-mail you with preliminary research data.

    Comment by Didier Stevens — Saturday 7 October 2006 @ 20:25

  5. […] This is an unexpected result of my post Google and the Drive-by Download: […]

    Pingback by Update 2: Google and the Drive-by Download « Didier Stevens — Thursday 12 October 2006 @ 19:44

  6. […] Still wondering how likely is it to land on a drive-by download page when doing a (Google) search, I analyzed the infamous AOL search data to try to answer this question. […]

    Pingback by Spamdexing “R” Us « Didier Stevens — Monday 23 October 2006 @ 10:17

  7. […] A few days ago I Googled again for Vanderelst Chauffagiste (Google and the Drive-by Download), I noticed the Spamdexing “R” Us site has disappeared from the SERPs. But it still exists. […]

    Pingback by Update 3: Google and the Drive-by Download « Didier Stevens — Sunday 19 November 2006 @ 9:18

  8. Dear Mr Stevens,

    How come someone so smart about reverse-engineering is not so wise about firewalling and ad blocking? That totally blows me away.

    Funny thing is I found this thread from http://www.astalavista.com/index.php?section=directory&cmd=detail&id=6972 this thread.

    And didn’t expect to see something like this. Out of respect for what you do, I highly suggest some basic tcpip understanding, and an external firewall like ipcop along with ad block plus, kerio, or any other proxy / ad blocking methods that fit your fancy.

    My only real CRITIQUE here is I hate to see someone say, “1. Start Internet Explorer.” WRONG.

    DON’T RUN iexplorer.exe in fact RENAME IT to iexplorer.e (If you have to run it for a BANK of WHATEVER rename it again)

    Now my Value add to the discussion.
    I ain’t no expert on security but it you want your windows box to run longer than 4 years.

    Personally, I do ipcop externally dedicated. With URL Filter, Banish (with some serious fsckin blacklists), and a couple little personally hacked up codes for it.

    Windows Boxes: kerio (The FULL ONE not the FREE ONE), then filter out with the ad block. ztree is “the shit” for tracking down bad files/virus’s and code (I use it instead of a virus scanner) Okay, sometimes I run ewido…
    Sometimes I whip out some strange shit like proximotron. Sometimes others, sometimes wget only. Spampal+TheBat html=OFF (Files are backed up all the time)
    note: To all the *NIX freaks, There is a reason to run windows boxes! VIDEO PRODUCTION! cinelerra sux

    Linux Boxes: iptables + adblock + nice backup of the OS (I could care less about files, I burn disks all the time) midnight commander “mc” is the equal of ztree on linux. (fact there’s a mc for windows out there too, nice for drive to drive grafting.)

    Got an linux extra box? Add a syslog, and etherape window. Boom your now kicking your home network’s ass!

    Okay, hope you didn’t take this wrong. The more I read the thread here, the more I realized I don’t SEE Google Drive-By’s, they’re blocked or something. (I actually had to load that jpg3 or whatever to see what you were talking about) I analyze the network and my files probably too much, but I also keep my shit running for years not days then reformat.

    One thing I been looking for is a full windows XP registry backup. No utility I have seen yet does that. The closest I come to that is Doing an Acronis True Image of the whole drive to drive. It’s far more important to be able to track down things than worry about blocking the latest unknown problem, in my opinion. Problems are going to happen, how you can deal with it is what matters.

    Sorry if I was wordy, and too chickenshit to post a real name / real handle, I probably typed this crap up in vain.

    Comment by anonymous — Tuesday 5 December 2006 @ 5:41

  9. I wrote “I’ve encountered …”, this doesn’t imply I got bitten by this 😉

    Comment by Didier Stevens — Tuesday 5 December 2006 @ 10:12

  10. […] there is a good short introduction for “non-techies” here. And here’s a report showing how easy it is to get infected if you don’t pay attention properly, just by googling for a plumber and clicking on one of the results […]

    Pingback by Keys Corner » Blog Archive » One in 10 websites malicious — Friday 11 May 2007 @ 21:01

  11. Just a heads-up, the upload of service32.exe to Virustotal seems to have failed — the filesize is 0 and indeed d41d8cd98f00b204e9800998ecf8427e is the MD5 hash of the empy string 🙂

    Comment by Alex B — Monday 25 June 2007 @ 8:28

  12. […] Stevens in his post Google and the Drive-by Download takes you step by step through the process of getting infected by a Drive-by […]

    Pingback by videomarketingcoach.com » A thousand pictures creates a story of a billion words — Wednesday 18 July 2007 @ 14:00

  13. view

    Comment by Fellitmon — Wednesday 24 October 2007 @ 1:22

  14. Hi.
    Good design, who make it?

    Comment by naisioxerloro — Wednesday 28 November 2007 @ 15:42

  15. Made what?

    Comment by Didier Stevens — Wednesday 28 November 2007 @ 21:23

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.