Google Video Poisoned With Malware

Dancho Danchev posted on ZDNet yesterday about 21 websites that were successfully gaming Google Video and using the service as a delivery vehicle for malware.

The whole scheme is a simple black hat concept.  The attackers are using 21 domains to host pages containing YouTube video content.  When the Google bot comes to crawl the sites, it sees the videos and ranks them in the Google search results.

This is where the magic happens.

People do a Google Video search, and receive results.  The results displayed for a certain search query are dominated by the 21 websites, ensuring the visitor will hit one of the infected websites.

When users click through to one of the 21 domains, the website detects that the referrer was coming from Google Video, and based on that redirects the visitor to a porn site.  The visitor is then told their Adobe flash is out of date and they need to download an update to see the naked girls.

Some people install the “update” which is actually  a malware infection and literally infect themselves.

Only visitors coming from Google Video get attacked.

This is one of the best cloaked attacks in history because if you later tried to browse back to the same website through a direct link or a book mark, you would see the relevant and related YouTube videos that Google sees when it indexes the website.

Normally the “well poisoning” of certain search terms in Google results can be easily detected and removed.  The fact that the site authors were cloaking their content made it more difficult to discover and analyze.

I suspect we are going to be seeing a lot of infections in my computer repair service centers over the next few days.