Am I experiencing something, or is a site a victim...

Discussion in 'malware problems & news' started by Lovecraft, Jan 9, 2009.

Thread Status:
Not open for further replies.
  1. Lovecraft

    Lovecraft Registered Member

    Joined:
    Mar 7, 2008
    Posts:
    13
    ...of some sort of DNS hijack?

    I wanted to remind myself of the link to the e-book reader Ubook, so obviously I typed it into Google. The first result is its official page, www.gowerpoint.com. However, if I click that, a random page, usually of a fake "virus scanner" or a Russian pseudo-porn site opens. The same happens with YahooSearch results. Curiously, if I disable referer, the page that opens seems to be the actual Gowerpoint.com.

    Is anyone else experiencing this, meaning that (I assume) gowerpoint.com is a victim of some sort of URL hijacking attempt, or is there (gulp) something lurking on my system...? (Rootkit scans show nothing, the browser - Firefox - is in a sandbox)
     
  2. Lovecraft

    Lovecraft Registered Member

    Joined:
    Mar 7, 2008
    Posts:
    13
    Curiously, too, clicking the www.gowerpoint.com link in the above message seems to open the proper page. The bad pages seem to only open from Google & Yahoo. I've tried several other terms to see if it's me after all, but all other searches open the proper target pages... only "ubook" results in the bizarre fake link.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Can you post a screen shot of the search page?

    thanks,

    ----
    rich
     
  4. Lovecraft

    Lovecraft Registered Member

    Joined:
    Mar 7, 2008
    Posts:
    13
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Could you post a larger image?

    Meanwhile, that site does not load here from Google or Yahoo if I enable referrer logging.

    ----
    rich
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    OK, thanks.

    See this article, where the Google page is injected with bogus URLs. This doesn't seem to be related to your situation.

    Troublesome Google hijacking - redirects results through 7.7.7.0
    http://madmarvonline.com/blog/2009/...gle-hijacking-redirects-results-through-7770/

    Since the page no longer loads from the search engine with referrer logging enabled, a good guess is that the Russian site is not working.

    But not enough information is available to determine if this is related to the old Google referrer exploit.

    ----
    rich
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    The exploit is now working again from Google. With the firewall set to alert, we can follow the steps.

    First, the connection out to gowerpoint.com:

    ubook-1.gif

    ubook-5.gif

    Then the first redirect to a Russian site. Note that gowerpoint.com still shows in the status bar.

    UBOOK-2.gif

    Now, another redirect:

    ubook-3.gif

    And finally to the bogus antivirus site:

    ubook-4.gif

    This is a classic Referrer exploit and the webmaster for gowerpoint.com needs to be notified.

    ----
    rich
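    The behaviour described in the post above (the real page for direct visitors, a redirect chain to a rogue antivirus page for visitors arriving from a search engine) can be checked for by a site owner without a firewall alert: request the same URL once with a search-engine Referer header and once without, follow each redirect chain one hop at a time, and compare where the two chains end. The script below is an added example written for this thread, not code from the forum or from any of the sites mentioned; the hostnames in the simulated table, the Referer value and the function names are constructed assumptions, and the simulated table stands in for the live responses so the script runs offline.

```python
"""Check a site you administer for referrer-conditional redirects.

Added example: requests the same URL with and without a search-engine Referer,
walks each redirect chain by hand (no automatic redirect following) and reports
whether the two chains end in the same place.  All hostnames are constructed
placeholders; the simulated table models the behaviour the thread describes.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

SEARCH_REFERER = "https://www.google.com/search?q=ubook"  # assumed Referer value
REDIRECT_CODES = (301, 302, 303, 307, 308)
MAX_HOPS = 10


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx responses so every hop stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError for the 3xx, which we catch


def http_fetch(url, referer):
    """Live fetcher: return (status, Location header or None) for one request."""
    req = urllib.request.Request(url, method="GET")
    req.add_header("User-Agent", "referrer-cloak-check/1.0")
    if referer:
        req.add_header("Referer", referer)
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx and 4xx/5xx both land here
        return err.code, err.headers.get("Location")


def follow_chain(url, referer, fetch, max_hops=MAX_HOPS):
    """Return the list of URLs visited, starting with url, one entry per hop."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1], referer)
        if status not in REDIRECT_CODES or not location:
            break
        chain.append(urljoin(chain[-1], location))  # resolve relative Location
    return chain


def hostnames(chain):
    """Hostname of every URL in a chain, for a quick off-site check."""
    return [urlsplit(u).hostname for u in chain]


def check_cloaking(url, fetch, referer=SEARCH_REFERER):
    """Compare the direct chain with the search-referred chain for one URL."""
    direct = follow_chain(url, None, fetch)
    referred = follow_chain(url, referer, fetch)
    start_host = urlsplit(url).hostname
    return {
        "direct": direct,
        "referred": referred,
        # Final destinations differ: the page behaves differently for search visitors.
        "cloaked": direct[-1] != referred[-1],
        # Any hop in the referred chain leaves the original host.
        "leaves_site": any(h != start_host for h in hostnames(referred)),
    }


# Constructed simulation (not real hosts) of the behaviour described in the thread:
# a direct visit gets the page; a visit with a search-engine Referer is bounced twice.
SIMULATED = {
    ("http://victim-site.example/", None): (200, None),
    ("http://victim-site.example/", SEARCH_REFERER): (302, "http://relay.example/go"),
    ("http://relay.example/go", SEARCH_REFERER): (302, "http://rogue-av.example/scan.html"),
    ("http://rogue-av.example/scan.html", SEARCH_REFERER): (200, None),
}


def simulated_fetch(url, referer):
    """Offline stand-in for http_fetch backed by the SIMULATED table."""
    return SIMULATED.get((url, referer), (404, None))


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:  # python check.py https://your-site.example/
        report = check_cloaking(sys.argv[1], http_fetch)
    else:
        report = check_cloaking("http://victim-site.example/", simulated_fetch)
    print("direct  :", " -> ".join(report["direct"]))
    print("referred:", " -> ".join(report["referred"]))
    print("CLOAKED" if report["cloaked"] else "consistent")
```

Run it with no arguments to see the simulated chain, or pass your own site's URL to use the live fetcher. A result of `CLOAKED` (and especially `leaves_site`) on a site you administer is the signal to pull the server's rewrite rules, .htaccess and recently modified files, and to compare what the host serves against what you uploaded.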
     
  8. Lovecraft

    Lovecraft Registered Member

    Joined:
    Mar 7, 2008
    Posts:
    13
    Ah, I was suspecting something of the sort... thanks.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I contacted the web site and the owner responded that he was not aware of this problem. But he has been looking for a new hosting company for a while because of some other issues, so plans to change soon.

    Some of you may remember the SloanTreeFarm exploit a while back, discovered by noway - there was a long thread on it here. The owner of the site joined in the discussion and it was finally determined that it was a problem at the hosting company.

    Evidently, as with XSS and SQL injection, there are tools that let hackers determine where vulnerabilities are. Once identified, it is rather easy to create the exploit.

    ----
    rich
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    This exploit is being forced onto unsuspecting hosting companies as well, and their customers' websites are being laced with those types of exploits, because I have randomly run into that AV 2009 rogue page many times in the past 3 months alone without the owner knowing they've been hacked with it.

    And oddly enough those creeps are targeting the highest Google ratings for maximum distribution of their sneaky garbage exploit. So be on the watch even when innocently googling, because this is epidemic right now, and when one website fixes it they look for others to infect.

    EASTER
     
  11. Lovecraft

    Lovecraft Registered Member

    Joined:
    Mar 7, 2008
    Posts:
    13
    I do hope a permanent solution against this is found, because the scum could easily use this method in an infinitely more dangerous way (which I better not suggest here :))...
     