A New Worm Attacks Google: P2Load.A
By Tudor Raiciu, Technology and Science Editor
17th of September 2005, 10:24 GMT
A new worm, masquerading as a free version of the Lucasfilm game Knights of the Old Republic II, can redirect people from Google to a look-alike site.
P2Load.A, discovered by PandaLabs, is being spread on P-to-P (peer-to-peer) programs like Shareaza and Imesh, says Forrest Clark, senior manager of consumer product marketing with antivirus vendor Panda Software.
P2Load.A first began spreading on Wednesday and is most widely spread in the United States and Chile, Clark says.
One of the worm's main actions is to replace the hosts file on affected computers with a file downloaded from a website, which has now been shut down by PandaLabs. With that web page offline, the danger level of this worm has been significantly reduced.
Because the hosts file has been modified, users who try to access Google are redirected to a page that looks exactly like Google but is not controlled by the company and is hosted on a server in Germany. When users run a search, the results include sponsored links created by the author of the malware, generating increased traffic to those websites.
Because the worm replaces the original HOSTS file with one downloaded from a remote website, rather than carrying the entries in its own code, it could spoof other popular websites simply by changing the content of the downloaded file, and even use other phishing techniques against other websites.
The page appears to be a working copy of the Google search engine that gives nearly identical search results. But the sponsored links are different, Clark says. "What they're doing is replacing all of the AdWords ads with fake ads, and they're selectively changing some of the search results," he explains.
Even users who mistype the www.google.com address are redirected to the fake site, which also supports the same range of languages as Google.com. This redirection is achieved by modifying the hosts file in the infected computer's operating system, which is a kind of address book used to quickly connect the browser to Web sites.
By changing this file, the worm's authors could spoof other popular Web sites and possibly modify this attack for phishing, Clark says.
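The hosts-file redirection described above can be checked for on a suspect machine. The following is an added example, not code from PandaLabs or the original article: it audits a hosts file for entries that pin a watched domain, or a near-miss spelling of it, to a non-local address. The watched list, the similarity threshold and the sample file are assumptions constructed for illustration.

```python
import difflib
import ipaddress

# Assumption: domains that should never be pinned in a hosts file on this machine.
WATCHED = ("google.com",)

# Constructed sample of a tampered hosts file (203.0.113.0/24 is a documentation range).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
203.0.113.10    www.google.com google.com   # injected entry
203.0.113.10    www.gogle.com
0.0.0.0         ads.example.net
not-an-ip       broken.line
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every well-formed mapping."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # skip lines without a valid address
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")

def classify(name, watched=WATCHED, threshold=0.8):
    """Return 'exact', 'lookalike' or None for a hostname."""
    bare = name[4:] if name.startswith("www.") else name
    for domain in watched:
        if name == domain or name.endswith("." + domain):
            return "exact"
        if difflib.SequenceMatcher(None, bare, domain).ratio() >= threshold:
            return "lookalike"                  # e.g. a mistyped spelling of the domain
    return None

def audit_hosts(text, watched=WATCHED):
    """List (line_no, hostname, ip, reason) for entries that redirect watched names."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue                            # sinkhole/blocking entry, not a redirect
        reason = classify(name, watched)
        if reason:
            findings.append((line_no, name, str(ip), reason))
    return findings
```

On Windows the file to feed to `audit_hosts` is `%SystemRoot%\System32\drivers\etc\hosts`; on Unix-like systems it is `/etc/hosts`.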
"The creator of this worm has taken advantage of the importance of a company appearing among the first few links in the search results of an Internet browser," said Luis Corrons, director of PandaLabs, in a statement. "Its aims are none other than to increase visits to the pages linked by the creator of this malware or earn an income from companies that want to appear in the first few results in computers where the identity of Google has been spoofed…in both cases, the motivation of the author of this malware is purely financial."