Google Toolbar Scam Exposed

This was first blogged about by Chris Boyd, aka Paperghost:

They whacked Google!

Full Read @ Vitalsecurity.org

Shortly after, Sunbelt blogged it:

Full Read @ Sunbelt blog

Now, comes the real breakdown and detailed analysis from SpywareGuide and Chris:

The Rogue Google Toolbar: History and Variants
by Christopher Boyd, Security Research Manager, FaceTime Security Labs


Introduction

There is currently a browser hijacker in circulation which installs a fake Google Toolbar, hijacking the HOSTS file to redirect most Google domains and placing a homepage hijacker in the Temporary Internet Files folder, from which an Internet Explorer based search engine claims to be powered by Google. The bundle also includes a rogue antispyware tool, called “World Antispy”.

However – this attack, viewed out of context, does not build up a sufficient picture of the tactics / techniques used by the group responsible for the install. A press release by Panda Antivirus has covered the main features of this install here, and they had previously discovered an earlier version of this hijacker in April. Sunbelt Software also found a variant some weeks ago. But the group behind this has actually been trying to exploit Google since 2003.

Through systematic research, Facetime Security Labs have found that there are three distinct versions of this attack, each one exploiting different security vulnerabilities and installing a different payload. Here is a HJT log from September 14th, 2003. Note the Google HOSTS file hijack. Here is a discussion thread that contains the same HOSTS file hijack, from even further back – July 9th, 2003. Finally, here is one more discussion of this infection technique from September 26th, 2003.

Full Read @ SpywareGuide

Related Article @ SpywareGuide

 

Is the same happening to MSN?
Set home page to MSN uk.
Leave Hotmail and get redirected to MSN america!
Reset home page etc etc