Scammers are taking advantage of the huge interest in the impending "activation" of the Conficker superworm by poisoning search engine results. News emerged on Monday that sysadmins could use network scanning tools such as Nmap to search for PCs infected by Downad/Conficker. Within hours searches for Nmap and Conficker were …
Sic transit gloria Google
"Security tools firms advise users searching for malware removal tools to follow links from the site of their vendor of choice rather than relying on search engines."
Heehee, I bet they don't like that at the chocolate factory... :-) What's that outside the win1""a/&NO CARRIER
Could it be that the purpose of Conficker/W32.Downadup was for this kind of thing... panic people into searching for removal tools, info, etc. and infect their machine with other malicious software when they click on their links?
Or maybe... a big April Fools from some spotty Russian kid swigging vodka in his mum's/KGB overlords' basement.
why bother doing this
If they are that good at SEO, why don't they just get a proper job?!
"the sites promoted through the scam were only registered on Monday."
Unless they are using AdWords (which a few searches tell me apparently not). I'd really like to know how they get their newly registered sites ranked so high in the search results so quickly.
Doh!! Press statements
"Security tools firms advise users searching for malware removal tools to follow links from the site of their vendor of choice rather than relying on search engines."
No, marketing/press types have said this. The people who know what they're talking about wouldn't make this statement, because the Conficker virus intercepts the DNS API and blocks access to McAfee, Symantec etc. So you can't get to your vendor of choice.
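The DNS blocking described above can be turned into a simple self-check: try to resolve a few security-vendor hostnames alongside a few control hostnames, and only flag the host as suspicious when the vendor names fail while the controls succeed (otherwise a plain network outage would be a false positive). This is an added example, not code from the article or the commenter; the control domains are an assumption, and the check only indicates interference that affects the process running it.

```python
"""Self-check for Conficker-style selective DNS blocking (added example)."""
import socket
from typing import Callable, Dict, List

# Vendors named in the discussion above; "www." prefixes are an assumption.
VENDOR_DOMAINS: List[str] = ["www.mcafee.com", "www.symantec.com"]
# Control names assumed NOT to be on any blocklist; used to rule out a general outage.
CONTROL_DOMAINS: List[str] = ["www.example.com", "www.wikipedia.org"]


def can_resolve(host: str) -> bool:
    """Return True if the system resolver returns an address for host."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


def dns_block_check(resolve: Callable[[str], bool] = can_resolve,
                    vendors: List[str] = VENDOR_DOMAINS,
                    controls: List[str] = CONTROL_DOMAINS) -> Dict[str, object]:
    """Classify the host's DNS behaviour.

    verdict is one of:
      no_network  - control names fail too, so nothing can be concluded
      clean       - every vendor name resolves
      suspicious  - controls resolve but every vendor name fails
      partial     - some vendor names fail; worth a closer look
    'blocked' lists the vendor names that did not resolve.
    """
    vendor_ok = {h: resolve(h) for h in vendors}
    control_ok = {h: resolve(h) for h in controls}
    if not any(control_ok.values()):
        verdict = "no_network"
    elif all(vendor_ok.values()):
        verdict = "clean"
    elif not any(vendor_ok.values()):
        verdict = "suspicious"
    else:
        verdict = "partial"
    blocked = sorted(h for h, ok in vendor_ok.items() if not ok)
    return {"verdict": verdict, "blocked": blocked}


if __name__ == "__main__":
    # Live run uses the real resolver; the resolver is injectable for offline tests.
    print(dns_block_check())
```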
It is not just that.
There is also the chance that the scans will return too many false positives; it was all rushed so people could grab headlines.
The road to hell is paved with good intentions.
The problem as always is money and the users.
What this scan will actually achieve is probably quite minimal. The example given was someone with thousands of machines having to work out if they are infected or not; well, you don't need a scanner for that.
i. You are running Windows, so you are obviously clueless and just assume you probably are penetrated; at least feel the fear.
ii. You haven't patched a Windows box for yonks; those will be compromised.
iii. If you cannot be arsed to write your own scanner for the thousands of machines under your control, please leave IT; there is no place for you, you are a twat dangler.
iv. The paranoid ones who do patch but run Windows (oh, there will be a few): you are probably not compromised, but get the wrong scanner, or hey, even get the right one, and you may be compromised or in false positive land.
The above could have been written in 'I heart the system jerk speak', and should have been, so people realised what a futile attempt the scan would be. But, at heart most 'security guys' want to be crackers, there is no getting away from that, and if you think like a cracker then your security solutions won't work as security solutions, they will work as a crack.
What's this page exploiting?
Here's one I ran into on 3/30, while searching for more info on Nmap changes to perform Conficker scans. It's an abandoned blog (last updated in 2006) that was seeded to rank high on an 'nmap' term search, among others. It also has a reference to pistachio recall news, so it's being updated very quickly. Just can't figure out what angle it's exploiting.
** CAUTION ** I can't guarantee this site isn't malicious or otherwise attempting to harm visitors:
It's probably a hacked blog used for linkspamming. Not checking the site though; even with NoScript and Linux, you still never know ;)
Channel 4 news says...
Conficker could attack well known sites or it could do nothing.
Thanks guys, my gran says it might kill her cat or send an endless stream of Portuguese gigolos round to her house.