lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 20 Dec 2009 21:29:04 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Infected google.com, yahoo.com and blogspot.com

Hello participants of Full-Disclosure.

Let's talk about infected sites of Google and Yahoo.

As I wrote yesterday in my post Infected google.com, yahoo.com and
blogspot.com (http://websecurity.com.ua/3786/), web sites of Google and
Yahoo were infected over the last 90 days. All mentioned quotes (from
Google's site) are at state of yesterday (19.12.2009) and you can see
current state of these sites by provided links. Google updates their data
regularly.

When I found possibility to use Safe Browsing from Google
(http://websecurity.com.ua/3785/) for checking of the sites for
infectiousness, at first I made diagnostic of few popular web sites. And
I've got very interesting results ;-).

Among the first sites checked by me were google.com, yahoo.com and
blogspot.com, which were found infected over the last 90 days. That
blogspot.com (it's one of domains of Google's service Blogger) was found
infected didn't surprise me, because last year I wrote about that this site
of Google was using for malware spreading (http://websecurity.com.ua/2310/)
(according to data of Sophos), but that google.com itself was infected and
also yahoo.com, it's already a news.

Google Safe Browsing diagnostic page for google.com
(http://google.com/safebrowsing/diagnostic?site=google.com) is informing
about (quote):

    This site is not currently listed as suspicious.

    Part of this site was listed for suspicious activity 1 time(s) over the
past 90 days.

And also (quote):

    Of the 70146 pages we tested on the site over the past 90 days, 4
page(s) resulted in malicious software being downloaded and installed
without user consent. The last time Google visited this site was on
2009-12-19, and the last time suspicious content was found on this site was
on 2009-12-16.

    Malicious software includes 7 scripting exploit(s), 1 trojan(s).
Successful infection resulted in an average of 1 new process(es) on the
target machine.

Also information about that malicious software is hosted on 14 domains, that
7 domains appear to be functioning as intermediaries for distributing
malware to visitors of this site, and also (quote):

    Over the past 90 days, google.com appeared to function as an
intermediary for the infection of 10 site(s)

So Google's site was infected recently (16.12.2009). After that it was
cleared from infection, but the fact remains.

Thus Information Leakage at this service of Google leaded to leakage of
information about infectiousness of own site. This is such humor of Google -
to disclose information about infectiousness of own sites :-). From other
side - it's good that Google honestly admit it.

Google Safe Browsing diagnostic page for yahoo.com
(http://google.com/safebrowsing/diagnostic?site=yahoo.com) is informing
about (quote):

    This site is not currently listed as suspicious.

    Part of this site was listed for suspicious activity 2 time(s) over the
past 90 days.

And also (quote):

    Of the 17710 pages we tested on the site over the past 90 days, 15
page(s) resulted in malicious software being downloaded and installed
without user consent. The last time Google visited this site was on
2009-12-19, and the last time suspicious content was found on this site was
on 2009-12-13.

    Malicious software includes 113 scripting exploit(s), 58 trojan(s), 8
exploit(s). Successful infection resulted in an average of 2 new process(es)
on the target machine.

Also information about that malicious software is hosted on 25 domains, that
13 domains appear to be functioning as intermediaries for distributing
malware to visitors of this site.

Evidently Yahoo followed the path of Google.

Google Safe Browsing diagnostic page for blogspot.com
(http://google.com/safebrowsing/diagnostic?site=blogspot.com) is informing
about (quote):

    This site is not currently listed as suspicious.

    Part of this site was listed for suspicious activity 462 time(s) over
the past 90 days.

And also (quote):

    Of the 2112321 pages we tested on the site over the past 90 days, 19127
page(s) resulted in malicious software being downloaded and installed
without user consent. The last time Google visited this site was on
2009-12-19, and the last time suspicious content was found on this site was
on 2009-12-19.

    Malicious software includes 21423 worm(s), 11635 trojan(s), 3186
scripting exploit(s). Successful infection resulted in an average of 16 new
process(es) on the target machine.

Also information about that malicious software is hosted on 3825 domains,
that 1592 domains appear to be functioning as intermediaries for
distributing malware to visitors of this site, and also (quote):

    Over the past 90 days, blogspot.com appeared to function as an
intermediary for the infection of 23 site(s) including euroddl.com/,
alfawarez.com/, ddlspot.com/.

And also (quote):

    Yes, this site has hosted malicious software over the past 90 days. It
infected 9 domain(s), including tisuituputih.blogspot.com/,
enfermagemsu.blogspot.com/, elltoro.com/.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists