Beginning on November 24 and continuing for less than a week, bad guys loaded up more than 40,000 Web pages with malicious software and thousands of common search terms. They then employed an automated network of malware-infected botnet computers to link to those sites in blog-comment spam and other places. The mentions elevated the position of the poisoned sites in search results, often to the first page.
The malicious sites had no useful information. Instead, a simple click on a link to such a site in the search results was enough to launch attacks against your PC. If the attack found any one of a number of vulnerabilities in a range of programs, the malicious software would load.
"This was a massive wave," says Alex Eckelberry, president and CEO of security firm Sunbelt Software. The attack marks a new level of sophistication, using multiple techniques to raise site visibility in search results and deliver malware to a mass audience.
Sunbelt researcher Adam Thomas happened upon the attack when he ran a search of "netgear ProSafe DD-WRT" for router firmware. His trained eye saw a suspicious-looking result on the first page. More research and digging on other phrases turned up the vast array of attack sites.
None of the sites from this wave, or a smaller follow-up group, appear now on Google, and Eckelberry and other experts believe the search giant has blocked those specific domains. But Google isn't saying what it did to stop this attack, or whether measures are in place to halt a recurrence.
This massive attack had three notable features that point to the sophistication and planning behind it. The first is the culprits' use of botnets to push a dark form of SEO (search-engine optimisation), called a "Google bomb," to boost their sites' Google rankings.
"They did an extraordinary job optimising the search results using the bots," Eckelberry says.
"[This trick was a] way of flipping the finger at Google," says Eckelberry. Experts don't know the motive behind directing the attacks at Google users, but online crooks have targetted specific sites and companies in the past when they felt threatened. Google recently launched an online form for reporting a site that Web users believe might contain malware.