Google-Spoofing Worm


Del.icio.us  Digg  Google  Spurl  Blink  Furl  Y! MyWeb  
Share:
Sponsors:

Robert McMillan,

Downloaders looking for a free Star Wars game may instead find themselves installing a new worm that gives them dodgy Google search results.

The worm, called P2Load.A, is being spread on P-to-P (peer-to-peer) programs like Shareaza and Imesh, masquerading as a free version of the Lucasfilm game Knights of the Old Republic II, says Forrest Clark, senior manager of consumer product marketing with antivirus vendor Panda Software.

P2Load.A first began spreading on Wednesday and is most widely spread in the United States and Chile, Clark says.

When the software is installed, it makes changes to the computer's browser so that any user trying to access Google's search engine is instead presented with a Google look-alike page, hosted on a server in Germany.

The page appears to be a working copy of the Google search engine that gives nearly identical search results. But the sponsored links are different, Clark says. "What they're doing is replacing all of the AdWords ads with fake ads, and they're selectively changing some of the search results," he explains.

Even users who mistype the www.google.com address are redirected to the fake site, which also supports the same range of languages as Google.com. This redirection is achieved by modifying the hosts file in the infected computer's operating system, which is a kind of address book used to quickly connect the browser to Web sites.

By changing this file, the worm's authors could spoof other popular Web sites and possibly modify this attack for phishing, Clark says.

Money Maker

The P2Load.A worm seems to have been written to make money for its authors by increasing the number of visitors directed to the sites listed in the phony sponsored links results, Clark says.

Users infected with the worm will notice one other side effect: Their browser's start page will be modified to display what appears to be a shopping site.

P2Load.A affects Windows computers running either the Firefox or the Internet Explorer browsers, according to Panda.

Article submitted by: Webshark
Last Update: 11-02-2005
Category: Security

Print | E-mail


Current rating: 5.46 by 30 users
Would you recommend this article to a friend?

Not a Chance 12345678910 Absolutely

Please register or sign-in to post comments.


Related News Stories

(9,459 reads) 07-05-2008
 · Fusion Security
(15,132 reads) 06-02-2007
 · NukeSentinel(tm)2.5.10 Critical Update
(13,896 reads) 05-07-2007
 · NukeSentinel(tm) 2.5.08 Maintainance Release
(15,362 reads) 03-15-2007
 · NukeSentinel(tm) 2.5.07 Reissued: Critical Update
(13,870 reads) 03-02-2007
 · NukeSentinel(tm) 2.5.06: Critical Update
(14,620 reads) 01-23-2007
 · NukeSentinel(tm) 2.5.05 released
(14,646 reads) 12-24-2006
 · NukeSentinel 2.5.04 released
(14,376 reads) 11-03-2006
 · NukeSentinel(tm) 2.5.03 Released
(18,213 reads) 10-19-2006
 · Php Nuke 8.0 Patched
(14,604 reads) 10-01-2006
 · ipBan Modification