TELECOM Digest OnLine - Sorted: Fake Google Site Has Trojan Horse Waiting


Fake Google Site Has Trojan Horse Waiting


John E. Dunn (techworld@telecom-digest.org)
Sun, 23 Jul 2006 00:04:02 -0500

by John E. Dunn, Techworld.com

Scammers have set up an exact copy of the download page for Google's
Toolbar plug-in in an attempt to lure users to download a Trojan
backdoor.

Reported by security outfit Surfcontrol, some versions of the scam
even spoof the correct Google Toolbar web address for Internet
Explorer, using Google's own redirection service in an attempt to hide
the real, non-Google address.

The Trojan itself -- W32.Ranky.FW -- is designed to turn the PC into a
bot zombie, and is spread using the conventional technique of asking
recipients of a spam e-mail to follow an embedded link.

According to Surfcontrol, the version detected by the company fails
because of poor programming or defective compilation, but it remains a
proof-of-concept in how to attack users using a simple combination of
convincing elements.

Clever Combination

Outwardly simple, the scam has a clever combination of tricks.
Although using parts of established Web sites is standard in phishing
scams, it is relatively unusual to go to the length of reproducing an
entire page precisely, in combination with a convincingly-spoofed web
address.

The fact that the spammed e-mail appears to come from Google could
convince recipients to follow the link.

Assuming that a re-engineered version appears -- highly likely -- once
infected, users will notice nothing untoward, although their PCs will
have become part of a bot-controlled network.

Google has been attacked in a similar way before. Last September,
scammers faked the Google search page itself in order to aid the
spread of a worm.

More recently, a Trojan attacked the company's AdSense advertisements,
replacing them, in-browser, with fake ones on any PC infected with the
malware.

Copyright 2006 PC World Communications, Inc.
