| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 21 Dec 2009 20:24:30 +1100
From: Jeff Williams <jeffwillis30@...il.com>
To: MustLive <mustlive@...security.com.ua>, full-disclosure@...ts.grok.org.uk
Subject: Re: Infected google.com,
yahoo.com and blogspot.com
Dear MustDie,
Have you ever thought about suicide ?
2009/12/21 MustLive <mustlive@...security.com.ua>
> Hello participants of Full-Disclosure.
>
> Let's talk about infected sites of Google and Yahoo.
>
> As I wrote yesterday in my post Infected google.com, yahoo.com and
> blogspot.com (http://websecurity.com.ua/3786/), web sites of Google and
> Yahoo were infected over the last 90 days. All mentioned quotes (from
> Google's site) are at state of yesterday (19.12.2009) and you can see
> current state of these sites by provided links. Google updates their data
> regularly.
>
> When I found possibility to use Safe Browsing from Google
> (http://websecurity.com.ua/3785/) for checking of the sites for
> infectiousness, at first I made diagnostic of few popular web sites. And
> I've got very interesting results ;-).
>
> Among the first sites checked by me were google.com, yahoo.com and
> blogspot.com, which were found infected over the last 90 days. That
> blogspot.com (it's one of domains of Google's service Blogger) was found
> infected didn't surprise me, because last year I wrote about that this site
> of Google was using for malware spreading (http://websecurity.com.ua/2310/
> )
> (according to data of Sophos), but that google.com itself was infected and
> also yahoo.com, it's already a news.
>
> Google Safe Browsing diagnostic page for google.com
> (http://google.com/safebrowsing/diagnostic?site=google.com) is informing
> about (quote):
>
> This site is not currently listed as suspicious.
>
> Part of this site was listed for suspicious activity 1 time(s) over the
> past 90 days.
>
> And also (quote):
>
> Of the 70146 pages we tested on the site over the past 90 days, 4
> page(s) resulted in malicious software being downloaded and installed
> without user consent. The last time Google visited this site was on
> 2009-12-19, and the last time suspicious content was found on this site was
> on 2009-12-16.
>
> Malicious software includes 7 scripting exploit(s), 1 trojan(s).
> Successful infection resulted in an average of 1 new process(es) on the
> target machine.
>
> Also information about that malicious software is hosted on 14 domains,
> that
> 7 domains appear to be functioning as intermediaries for distributing
> malware to visitors of this site, and also (quote):
>
> Over the past 90 days, google.com appeared to function as an
> intermediary for the infection of 10 site(s)
>
> So Google's site was infected recently (16.12.2009). After that it was
> cleared from infection, but the fact remains.
>
> Thus Information Leakage at this service of Google leaded to leakage of
> information about infectiousness of own site. This is such humor of Google
> -
> to disclose information about infectiousness of own sites :-). From other
> side - it's good that Google honestly admit it.
>
> Google Safe Browsing diagnostic page for yahoo.com
> (http://google.com/safebrowsing/diagnostic?site=yahoo.com) is informing
> about (quote):
>
> This site is not currently listed as suspicious.
>
> Part of this site was listed for suspicious activity 2 time(s) over the
> past 90 days.
>
> And also (quote):
>
> Of the 17710 pages we tested on the site over the past 90 days, 15
> page(s) resulted in malicious software being downloaded and installed
> without user consent. The last time Google visited this site was on
> 2009-12-19, and the last time suspicious content was found on this site was
> on 2009-12-13.
>
> Malicious software includes 113 scripting exploit(s), 58 trojan(s), 8
> exploit(s). Successful infection resulted in an average of 2 new
> process(es)
> on the target machine.
>
> Also information about that malicious software is hosted on 25 domains,
> that
> 13 domains appear to be functioning as intermediaries for distributing
> malware to visitors of this site.
>
> Evidently Yahoo followed the path of Google.
>
> Google Safe Browsing diagnostic page for blogspot.com
> (http://google.com/safebrowsing/diagnostic?site=blogspot.com) is informing
> about (quote):
>
> This site is not currently listed as suspicious.
>
> Part of this site was listed for suspicious activity 462 time(s) over
> the past 90 days.
>
> And also (quote):
>
> Of the 2112321 pages we tested on the site over the past 90 days, 19127
> page(s) resulted in malicious software being downloaded and installed
> without user consent. The last time Google visited this site was on
> 2009-12-19, and the last time suspicious content was found on this site was
> on 2009-12-19.
>
> Malicious software includes 21423 worm(s), 11635 trojan(s), 3186
> scripting exploit(s). Successful infection resulted in an average of 16 new
> process(es) on the target machine.
>
> Also information about that malicious software is hosted on 3825 domains,
> that 1592 domains appear to be functioning as intermediaries for
> distributing malware to visitors of this site, and also (quote):
>
> Over the past 90 days, blogspot.com appeared to function as an
> intermediary for the infection of 23 site(s) including euroddl.com/,
> alfawarez.com/, ddlspot.com/.
>
> And also (quote):
>
> Yes, this site has hosted malicious software over the past 90 days. It
> infected 9 domain(s), including tisuituputih.blogspot.com/,
> enfermagemsu.blogspot.com/, elltoro.com/.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists