Avalanche Virus found in google

This article write by: Bogdan Popa, Security and Search Engines Edito, softpedia.com

It has already been known the fact that most spammers and scammers attempt to get a higher Google PageRank in order to attract more visitors searching for popular keywords and infecting their computers.

But, today's report is one of the most dangerous attacks I've ever seen. Let's get straight to the story: a S&M blogger decided to search the web with Google, looking for the webpages that included links to his page. "I do this periodically, because it's always fun to see how many sites are linking to me", he wrote on this blog.

But, searching for his name returned some unexpected results: thousands of websites infected with some sort of virus that attempted to deploy
files on vulnerable computers. All of them were spam webpages, full with all kinds of words that might be typed by a visitor in the Google search box. We've seen this in the past, so nothing new, yet.

But (yeah, I know, there's always a but, old story), there's something that might surprise you: it appears that those spam websites are only available when the visitors attempt to load them from the Google search results! Clicking on links from other websites or entering the URL in the address bar gives a 404 Not Found error to all the users! So, where's the trick? Well, it may seem the attackers attempt to make their spam pages more difficult to be spotted and this is a pretty smart way to do that.

And one more thing: all the spam websites found on Google are hosted by the same company: Ipower. Yep, that's right, the same web hosting provider that came in trouble with StopBadware.org, after numerous infected sites were hosted by the company. Ipower representatives told The Register that most of the dangerous results have already been cleaned, but I'm still able to find some spam results.

I decided to do some researches and here's what I found. After looking among the first three Google result pages provided for the "franklin veaux" search query, I managed to find an infected page. Keep in mind that using the said keyword might lead you to dangerous websites and harm your computer. So, I found such a website and clicked on it. Just like many other malicious websites, it attempted to load a video and informed me that an ActiveX Control is required in order to view it. Classic! I clicked on 'Continue' and downloaded it.

The file was named "install_video_3912960.exe" and had 173 KB. I was pretty amazed to notice that Kaspersky didn't find any infection inside the executable file, so I decided to scan with some other antiviruses. And...SURPRISE! Ikarus flagged the file as a Trojan – Trojan-Downloader.Win32.Delf.cwv. Sophos Antivirus (one of the security solutions which managed to get impressive results at the recent antivirus tests) found the executable file to be a Mal/DelpDldr-E infection. In addition, VBA32 said it is actually Win32.Trojan.Downloader. All of these are actually aliases of the same fake codec, found on numerous pages. The Trojan horse is used to deploy additional infections on a vulnerable system.

So, just avoid visiting suspect websites found on Google that might deploy infections on your system. I'm sure the folks at the Mountain View company will remove them as soon as possible, so keep an eye on the news to find out what happens.