A recently discovered botnet has been caught siphoning ad revenue away from Google, Yahoo! and Bing and funneling it to smaller networks. According to researchers at Click Forensics, computers that are part of the so-called Bahama Botnet are infected with malware that sends them to counterfeit search pages instead of the real …
...someone will start to do something concrete, instead of wringing their hands and proposing draconian snooping regimes.
So all the searches appear to come from one IP address? But Google blocks IP addresses making too many searches... (not sure about the others, but I assume they do too)
That makes it kind of easy to block even if the traffic is below the threshold for automatic blocking - why don't they modify the page on the client instead to avoid that problem?
How do you tell?
If you are in a botnet? F'ning windose is downloading a super important patch, I mean update, no it's adverts! As well as Adobe screwing with my Flash environment. Then I have some dumbass program that thinks it constantly needs updating or authorizing. I can't tell good communication from bad, or control it. They deserve what happens.
It's quite simple what you do: turn off automatic updates, install a firewall and only allow programs that need internet access to work to access the internet, i.e. browser and email.
Get antivirus. Simples.
Re: Maybe NOW...
What? Who's someone? What will they do? Probably propose draconian snooping regimes?
As I understand it, all searches on compromised machines go through the one IP address, but that doesn't mean that that same IP address has to be the one that makes the queries to Google. Could be a multi-homed machine, could use proxies. Could even route the requests back through infected machines, for all that.
Are you even sure, though, that Google actually implements the system you're talking about? How would it handle large networks behind NAT gateways and IP address changes to said gateways?
No, they are only controlled via that IP; all searches will still show from the individual IP addresses that are already compromised by that bot.
To be honest this isn't anything new; search result hijacking is one of the newer methods of making money as the scareware industry starts losing a bit of steam.
I use a software firewall on my PC. I let nothing out unless I know exactly what it is and why it is connecting. I disable the running of any and all auto-update agents (except Avast, my AV program). I update everything manually from the developers' websites. More work, yes. Secure? I don't know; there are a lot of people out there far smarter than I. At least I give myself the illusion of control and security. As an added measure I will, if I suspect something nefarious, connect my box to the internet via Honeywall and sniff every single packet during start-up and the first 5 or so minutes of runtime. I check every IP address windoze connects to, and inside each packet that passes that I haven't initiated. I can see the LEDs on my switch; any random activity on the port connected to my router also raises my suspicions.
Paranoid maybe... My last infection was the Saddam virus on my Amiga.
Of course I only do this for my XP install. My OpenBSD and Ubuntu machines, up until now, allow me to sleep like a baby. I would expect that to change WHEN Linux becomes the dominant OS.
@ Frumious Bandersnatch
Oh, they do it all right; the company I work for decided to consolidate all its European proxy traffic through a host in Germany.
Most lunchtimes you get caught by a CAPTCHA, and our internal helpdesk gets hit with calls that the internets are broked.
There is also the constant complaint by the same users that the results page comes up as google.de rather than .com
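The two posts above argue about whether a per-source-IP query counter can see this botnet at all: an office NAT gateway trips it every lunchtime, while bot queries spread across each infected host's own address never do. The following is an added example (not code from the article, the thread, or any search engine) of a sliding-window per-IP counter run over a constructed sample log. The window size, the threshold of 60 queries per 60 seconds, the log format and the two traffic scenarios are all assumptions for illustration.

```python
# Added example: sliding-window per-source-IP query counter of the kind the
# thread speculates search engines use to trigger a CAPTCHA or block.
# Not Google's code. Window, threshold, log format and sample traffic are
# assumptions constructed for illustration.
from collections import defaultdict, deque

WINDOW_SECONDS = 60     # assumed sliding window
THRESHOLD = 60          # assumed queries per window before a CAPTCHA/block


def make_nat_burst(start=1000.0, n=80, ip="203.0.113.7"):
    """Constructed log: one office NAT gateway sending n queries, one every
    half second (the lunchtime scenario). Entries are (timestamp, src_ip, query)."""
    return [(start + i * 0.5, ip, f"lunch query {i}") for i in range(n)]


def make_bot_spread(start=1000.0, hosts=40, per_host=2):
    """Constructed log: botnet traffic where every infected host issues its
    own queries from its own address (the 'individual IP addresses' case)."""
    return [
        (start + i, f"198.51.100.{h}", f"bot query {i}")
        for h in range(1, hosts + 1)
        for i in range(per_host)
    ]


class RateLimiter:
    """Per-source-IP sliding-window counter."""

    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.hits = defaultdict(deque)   # src_ip -> timestamps inside the window

    def observe(self, ts, ip):
        """Record one query from ip at time ts.

        Returns True when that source now has more than `threshold` queries
        inside the trailing window, i.e. the point at which a real system
        would challenge or block it."""
        q = self.hits[ip]
        q.append(ts)
        # Evict timestamps that have fallen out of the trailing window.
        while q and q[0] <= ts - self.window:
            q.popleft()
        return len(q) > self.threshold


def flagged_sources(log, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Replay a log (any order) through the limiter; return the set of source
    IPs that crossed the threshold at some point."""
    limiter = RateLimiter(window, threshold)
    flagged = set()
    for ts, ip, _query in sorted(log):
        if limiter.observe(ts, ip):
            flagged.add(ip)
    return flagged


def total_queries(log):
    """Aggregate query count, to contrast with the per-IP view."""
    return len(log)


if __name__ == "__main__":
    nat = make_nat_burst()
    bots = make_bot_spread()
    print("NAT gateway flagged:", flagged_sources(nat))      # the office IP
    print("botnet hosts flagged:", flagged_sources(bots))    # empty set
    print("botnet total queries:", total_queries(bots))      # same volume, unseen
```

The NAT gateway is flagged on its 61st query, exactly the lunchtime CAPTCHA the post describes, while the 80 bot queries, spread two per host over 40 addresses, never exceed two per window on any single source and pass untouched. The caveat for anyone relying on this control is that it keys on the source address alone: it punishes whoever legitimately aggregates traffic behind one egress and sees nothing once the attacker distributes the same volume.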
"I check every IP address windoze connects to and inside each packet that passes that I haven't initiated"
Well you my friend certainly aren't going to have a problem. But those souls whose Hotmail accounts have a password of 123456 are the botnet's target.
RE: Re: Maybe NOW...
We'll have to see.
Up until now, botnets have only been annoying users and people who run gambling sites.
Now that the Big Lads are getting their pockets picked, I suspect we'll find out...
What's that FF plug-in?
In the video, it looked interesting.