Fake version of Google hides Trojan horse

TwistyCreek

Fake version of Google hides Trojan horse
Remarkably thorough spoof spreads via e-mail

July 21, 2006 (TechWorld.com) -- Bot-herders have set up an
exact copy of the download page for Google’s Toolbar plug-in in
an attempt to lure users to download a Trojan back door.

Reported by security outfit Surfcontrol, some versions of the
scam even spoof the correct Google Toolbar Web address for
Internet Explorer, using Google’s own redirection service in an
attempt to hide the real, non-Google address.

The Trojan itself -- W32.Ranky.FW -- is designed to turn the PC
into a bot zombie, and is spread using the conventional
technique of asking recipients of a spam email to follow an
embedded link.

According to Surfcontrol, the version detected by the company
fails because of poor programming or defective compilation, but
it remains a proof-of-concept in how to attack users using a
simple combination of convincing elements.

Outwardly simple, the scam has a clever combination of tricks.
Although using parts of established Web sites is standard in
phishing scams, it is relatively unusual to go to the length of
reproducing an entire page precisely, in combination with a
convincingly spoofed Web address.

The fact that the spammed e-mail appears to come from Google
could convince recipients to follow the link.

Assuming that a re-engineered version appears -- highly likely --
once infected, users will notice nothing untoward, although
their PCs will have become part of a bot-controlled network.

Google has been attacked in similar ways before. Last September,
scammers faked the Google search page itself in order to aid the
spread of a worm.

More recently, a Trojan attacked the company’s AdSense
advertisements, replacing them, in-browser, with fake ones on
any PC infected with the malware.
 
