Italian Jooob – fake Google site spreads malware

Hot on the heels of hackers piggybacking on the sponsored links program, the Google brand is once again the target of malware. Visitors to the domain may be given the impression the site is merely a mirror of the Google search page, localised to Italy:

gooogle dot bz search page

If the URL is not enough to trigger suspicion, then a closer inspection of the source reveals something more sinister:

The binary in question is detected proactively by Sophos as Mal/Behav-031 (no other competing product detects it). Interestingly, the malicious domain hosting this threat has been seen before, back in Nov 2006 (Troj/LowZone-DQ, a Trojan which lowered the security settings for IE by trusting various domains, including this one!).

SERT.EXE is a Nullsoft installer that drops two files: a registry file that adds a new trusted publisher, and a Win32 Trojan (the file that triggers the Mal/Behav-031 detection). Once run, it also downloads a further binary, which lowers the security settings for IE.
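The two persistence tricks described here, a dropped registry file that adds a trusted publisher and a Trojan that moves attacker domains into IE's Trusted zone and loosens that zone's settings, both leave traces in well-known registry locations and certificate stores. The following audit script is an added example, not code from the Sophos post or the malware; the allow-list of approved Trusted-zone domains is a constructed placeholder.

```powershell
# Added example: audit IE zone map, Trusted-zone settings and Trusted Publisher stores.
$ApprovedTrusted = @('intranet.example.com')   # constructed placeholder; use your own allow-list

function Get-ZoneMapEntries {
    # Layout: ZoneMap\Domains\<domain>[\<host>] with one DWORD per scheme (http, https, *)
    # whose value is the zone id (0 Local, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted).
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($map in 'Domains', 'EscDomains') {
            $root = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\$map"
            if (-not (Test-Path $root)) { continue }
            Get-ChildItem -Path $root -Recurse | ForEach-Object {
                $key = $_
                # Rebuild the FQDN: the relative key path is "<domain>\<host>", so reverse and join with dots
                $rel   = $key.Name.Substring($key.Name.IndexOf("\$map\") + $map.Length + 2)
                $parts = $rel -split '\\'
                [array]::Reverse($parts)
                $fqdn  = $parts -join '.'
                foreach ($scheme in $key.GetValueNames()) {
                    [pscustomobject]@{ Hive = $hive; Map = $map; Domain = $fqdn
                                       Scheme = $scheme; Zone = [int]$key.GetValue($scheme) }
                }
            }
        }
    }
}

# 1. Domains placed in the Trusted zone (2) that are not on the approved list
Get-ZoneMapEntries | Where-Object { $_.Zone -eq 2 -and $_.Domain -notin $ApprovedTrusted } |
    Format-Table Hive, Map, Domain, Scheme -AutoSize

# 2. Trusted-zone URL actions set to Enable (0) that a "lowered security" Trojan typically flips.
#    IDs are IE's URL actions: 1001/1004 download signed/unsigned ActiveX, 1200 run ActiveX,
#    1201 script ActiveX not marked safe, 1400 active scripting. 0 = Enable, 1 = Prompt, 3 = Disable.
$risky = @{ 1001 = 'Download signed ActiveX'; 1004 = 'Download unsigned ActiveX'
            1200 = 'Run ActiveX controls';    1201 = 'Script ActiveX not marked safe'
            1400 = 'Active scripting' }
foreach ($hive in 'HKCU', 'HKLM') {
    $zoneKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2"
    if (-not (Test-Path $zoneKey)) { continue }
    $props = Get-ItemProperty -Path $zoneKey
    foreach ($id in $risky.Keys) {
        $p = $props.PSObject.Properties[[string]$id]
        if ($p -and $p.Value -eq 0) { "$hive Trusted zone: '$($risky[$id])' (action $id) is Enabled" }
    }
}

# 3. Certificates in the Trusted Publisher stores, where an imported .reg file would add one
Get-ChildItem Cert:\CurrentUser\TrustedPublisher, Cert:\LocalMachine\TrustedPublisher |
    Select-Object PSParentPath, Subject, Thumbprint, NotAfter
```

Legitimate software also adds zone-map entries and publisher certificates, so treat the output as triage material to compare against a known-good baseline rather than as a verdict.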

And the aim of this malicious attack? The motivation appears to be driving traffic to certain sites. (Given the number of sites added to the trusted sites list, the scope of this attack could in fact be quite broad, depending upon the content served up by any of these sites.) Queries from users who have evidently been affected by this attack can be found in several Italian IT forums. It seems to be related to the ‘linkpal dot biz’ project:

Linkpal dot biz homepage

This case is a good example of why your chosen security solution should provide a broad level of protection, including detection of malicious files, firewalling, and blocking access to malicious URLs. A good mechanism for identifying potentially malicious URLs is also critical (in this case, data was available to block the malicious domain back in Nov 2006).