Worm creates fake Google site

Howard on 19 September 2005 - 21:50 · 27 comments & 8132 views

A worm that modifies a user's HOSTS file to redirect visitors to Google.com to a spoof website has been discovered. The worm was found by Panda Labs and is currently circulating on the P2P networks Shareaza and Imesh. It is masquerading as an executable of the popular Star Wars game Knights Of The Old Republic 2.

On an infected machine, several Google domain names are redirected to an unofficial German version of the search engine. Although the site looks identical to the original, the results have been modified so that certain companies gain an unfairly high ranking and therefore appear at the top of search results.

Luis Corrons, director of Panda Labs, said: "Its aims are to increase visits to the pages linked by the creator of this malware, or to earn an income from companies that want to appear in the first few results in computers where the identity of Google has been spoofed. In both cases, the motivation of the author of this malware is purely financial."

View: Google
News source: vnunet.com
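
A defender-side check for the HOSTS-file redirection described in the article, as an added example that is not part of the original article and not Panda Labs' code: it parses HOSTS content and flags any entry for a watched search domain, separating redirects to routable addresses from loopback sinkholes. The watched-domain list, the function names and the sample entries are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: domains that should resolve through DNS, never through HOSTS.
WATCHED = ("google.com", "google.de")

# Constructed sample HOSTS content (addresses are from documentation ranges).
SAMPLE_HOSTS = """\
# constructed sample file
127.0.0.1       localhost
203.0.113.10    www.google.com google.com   # injected entry
203.0.113.10\tWWW.Google.DE.
0.0.0.0         ads.example.net
127.0.0.1       images.google.com
not-an-ip       google.com
192.0.2.7       notgoogle.com
"""

def is_watched(host, watched=WATCHED):
    """True if host equals a watched domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watched)

def audit_hosts(text, watched=WATCHED):
    """Return (line number, address, hostname, kind) for each watched entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()                 # spaces or tabs separate fields
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # not a valid address entry; skip
        # Loopback/unspecified targets block a name; anything else redirects it.
        blocked = addr.is_loopback or addr.is_unspecified
        kind = "sinkhole" if blocked else "redirect"
        for host in fields[1:]:               # one line may carry several names
            if is_watched(host, watched):
                name = host.lower().rstrip(".")
                findings.append((lineno, str(addr), name, kind))
    return findings

if __name__ == "__main__":
    for lineno, addr, host, kind in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {addr} ({kind})")
```
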



(2 replies) #1 narshornsyst on 19 Sep 2005 - 22:05
Whow . Terrific
#1.1 shao on 20 Sep 2005 - 07:50
this technique of adding host entries or winsock lsp's to redirect to sites which spam affiliate programs is nothing new. get yourself something that monitors changes to these files and you'll be a lot safer if you insist on visiting the seedy side of the net.
#1.2 Colonel_Angus on 20 Sep 2005 - 12:23
QUOTE
get yourself something that monitors changes to these files

Or you could just use an account that doesn't have write permissions to your hosts file.

(3 replies) #2 hotdog963al on 19 Sep 2005 - 22:14
Lesson:
Don't use P2P to Pirate games.
#2.1 xpgeek on 19 Sep 2005 - 23:32
Yea use B** T******
#2.2 Jugalator on 20 Sep 2005 - 06:45
So that's not P2P now?
#2.3 shao on 20 Sep 2005 - 07:46
you use bum teasing? ewww

(2 replies) #3 Richardo on 19 Sep 2005 - 22:19
Most stuff like this is <1mb. A whole dvd-sized game for 1mb, yet people will download it.
#3.1 th3 pla6u3 on 19 Sep 2005 - 22:54
it could be posing as a No-CD crack, key file, or keygen. but i don't know what any of those things are, because i don't use them, nor do I download games.
#3.2 itaniumpower on 19 Sep 2005 - 23:09
yea, they think its a good deal, 4.7gb packed to <1mb...
why the hell they use p2p networks for cracks and such?!
#4 el__sid on 19 Sep 2005 - 22:28
That's incredibly unfair on the part of the P2P programs

I can't speak for Imesh, but as for Shareaza, Shareaza is an Open-Source P2P program that connects to The Gnutella 1 and 2 networks and Edonkey. That means that users of Limewire, bearshare, Emule and many others are at risk of getting it as well as Shareaza.

Don't mean to sound hateful, but it is a little unfair on the part of those working the Shareaza program.

- el__sid
(1 reply) #5 weenur on 19 Sep 2005 - 22:38
Why anyone would download that game is beyond me. It's such a piece of crap.
#5.1 sinatosk on 20 Sep 2005 - 07:49
because everyone has their own opinion
(2 replies) #6 Hoff1630 on 19 Sep 2005 - 22:51
Shareaza sucks anyway! Limewire finds more, believe me I've tried, I searched for the same thing and Limewire found more... and I agree with Richardo and hotdog963al!
#6.1 th3 pla6u3 on 19 Sep 2005 - 22:54
the only reason shareazza takes longer is becuase its search is mroe comprensive. (sorry for the spelling )
#6.2 mzhao on 20 Sep 2005 - 00:10
Have you tried searching for "limewire" on both and comparing the results?
(1 reply) #7 Syphonic on 20 Sep 2005 - 00:07
As someone else pointed out...Shareaza isn't a network anyway...it uses the gnutella and edonkey networks.

Like 90%* of security vulnerabilities, I think they should start writing at the bottom: 'This vulnerability effects all morons currently using the Windows 2000/XP/2003 Operating Systems. Intelligent users of Windows 2000/XP/2003 will be fine.'

* Figure exaggerated for effect.
#7.1 itaniumpower on 20 Sep 2005 - 03:12
I agree.

It's all about windows being so easy to use. If it wasn't, morons could not do stuff AND there would be NO target for those viruses (at least not many)
Isn't it affects ?
#8 Dirtie on 20 Sep 2005 - 00:38
Shiver me timbers! 'Tis what the scurvy dogs deserve for d'loading the illegal booty!
(1 reply) #9 IGx89 on 20 Sep 2005 - 00:44
How come it's called a worm and not a virus? Don't virii require user interaction and worms don't? By that definition, this would be a virus.

And, why is this front-page news? Are there that many people who download KOTOR2, let alone now after it's been out for ages, and only on two P2P programs...
#9.1 Jugalator on 20 Sep 2005 - 06:46
It's also not exactly the only virus infected thing you may find on large P2P networks.
(1 reply) #10 jivemastert on 20 Sep 2005 - 03:00
anyone using ms antispyware doesnt need to worry... it will be like "yo man! wtf! something is modifying your hosts file! what you wanna do? should i beat it in the face? you wanna cock slap it?"
#10.1 SquareSoft0 on 20 Sep 2005 - 06:59
And then you be like, shiiiiii, that virus be struttin' it's stuff on my turf? I bust a cap in its class, know what I'm sayin'?
#11 vet[NFC]Wave on 20 Sep 2005 - 07:43
So far things have been borderline, but just remember:

No Warez (links) & Cracks.
Help, requests or posts that discuss circumvention. This includes linking to illegally obtained software, movies & music files - posting about it, and suggesting to get it.
#12 leesmithg on 20 Sep 2005 - 07:55
Should not be too hard to trace the author then.
(1 reply) #13 King Rilian on 20 Sep 2005 - 14:52
So, what you're saying is that it doesn't create a fake Google site. It just points users to a fake Google site. HUGE difference. I clicked on this thinking, "Whoa, I bet Google feels embarrassed," when, in fact, it has nothing to do with them.
#13.1 Howard on 20 Sep 2005 - 18:20
Don't shoot the messenger. That's vnunet.com's headline
