Welcome to p2pnet.net - The original daily p2p and digital news site. Always First!
Scroogle hit by malware

p2pnet view P2P:- Scroogle was p2pnet’s search engine for a long time and, as we said a while back, it had done a good job for us all.

It was an “ad-free Google search proxy which prevents the searcher’s data being stored by Google, a Firefox plugin, and tools for webmasters.”

“Was” because “We regret to announce that our Google scraper may have to be permanently retired, thanks to a change at Google”, it posted last week.

It’s still down and for now, we’re using DuckDuckGo for our own searches.

Meanwhile, new troubles have arisen, says Scroogle’s Daniel Brandt.

“Since June 24, 2010, www.scroogle.org has been visited by malware”, he says, going on:

This has nothing to do with Google itself, as none of these visits were passed to Google. This malware continues despite the shutdown of Scroogle, and our blocking continues because we would like to identify the source. After 11 days of this, we have blocks in place for 20,000 unique IPs from all over the world. This page is a summary of what we know about how this malware behaves.

It might be nearly impossible to identify the source of this malware. Our best guess is that a fairly popular website is infected by malware, and visitors to that site trigger the fetch to Scroogle from their own computer. We suspect that nothing is displayed at all, because we tried showing an alert page for a day, and then tried redirecting to a SWF file that played a sound for a day. Now we just redirect to a one-pixel GIF.

We don’t think it is viral, and the visitor to the malware site might even have a clean computer. We are continuing to block as soon as we see this coming into Scroogle. At most, any particular IP address gets in only two quick hits before our nbbw.cgi program is able to place the block. However, even before we fine-tuned our blocking, we noticed that multiple hits from the same IP were the exception rather than the rule.

The malware is easy to detect. The URL that comes in to Scroogle always looks like this:

http://www.scroogle.org/cgi-bin/nbbw.cgi?Gw=

The user-agent always looks like this:

Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

The empty search string caused us to show our standard error page. There was no referrer. Then whatever caused them to arrive at our error page immediately fetched all links except for images on that page. We forced a 301 redirect and the malware script followed it, and proceeded to quickly fetch every link (except images and iframes) from our substituted page. We do not use JavaScript and don’t know what would happen if the page had JavaScript links.

We suspect that the perpetrator of this malware does not have the ability to stop it, and the website hosting it has no idea that their site is infected. If the perp could turn it off, he probably would have done so soon after Scroogle went down (which was due to an unrelated change at Google). We suspect that winhttp.dll may be the vehicle for this malware. It has been known to be used for malware, according to the brief research we have done. It is also possible that this user-agent is just a disguise. When we temporarily cleared our blocks, the visits from unique IPs accumulated at a rate of 210 per half hour. When we reinstalled our list of 4,000 previous bots, the accumulation slowed to 155 per half hour. Now that we are at 20,000 blocks, the accumulation continues at 70 new IPs per half hour. This behavior has been very consistent.

That’s all we know about this malware. Another thought we had is that some fairly popular site tried to insert a Scroogle search box on their site and screwed it up, or some Scroogle plugin somewhere is defective. Here are the IPs we have blocked as of July 3, and the same list sorted by country.

Google has a few hundred thousand servers, while Scroogle has six. They can put up with sites that spread malware, but our bandwidth is limited. Even if Google relents and the output=ie interface returns, this Scroogle malware problem could still be increasing at that point. Eventually it alone might shut down Scroogle.

Update 2010-07-04: One theory about what’s happening

This is about the techniques used by scareware criminals; for background, see these two articles from USA TODAY.

These scareware criminals try to manipulate search engine results so that certain infected websites show up well in the rankings. To put this another way, they want to drive traffic to sites that they have already infected. They exploit current search-term trends to help them achieve this.

One way to drive traffic to an infected site would be to propagate search terms that cause that site to show up near the top of Google’s rankings. If you can get a bunch of Scroogle users to do this search, you will get more traffic. Remember, the malware that hit Scroogle went on to fetch all links (except images) on the page from Scroogle that was produced by the malware. In our case, however, that page was an error page that merely had a link back to our search-box input page. Then it stopped and no real damage was done.

If the search term string had not been empty, it would have produced a bunch of links from Google’s results page. Since these links would be off-site for Scroogle, we would never notice the malware as it followed them. All Scroogle would see is a lot of searches for a relatively obscure search term from a lot of different IP addresses. (We monitor for this also and would have caught it within a day, but maybe the perps don’t know this. Or maybe they do, and thought they could stay under our radar by changing the search terms frequently.)

Perhaps the code that was designed to stuff the search terms into the Scroogle URL was a lot more complex than the rest of the code in the malware script. After all, why not make the malware flexible in this respect if this is at all possible? It could have been a coding error that caused Scroogle to see an empty search string.

A comment under that second USA TODAY article says that the scammers have set Explorer to “proxy server.” And a document from Microsoft says, “In WinHTTP 5.0, proxy servers are always trusted for auto-logon.” We don’t know what that means, but it sounds like trouble because of the user-agent we see from this malware.

This is merely circumstantial evidence, most of which came from a Scroogle user, but it’s the best theory we’ve seen so far.
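The signature Brandt describes (the nbbw.cgi path with an empty Gw= parameter, the fixed WinHttp.WinHttpRequest.5 user-agent, no referrer) and the "block on the second hit" policy are simple enough to reproduce as a log-side detector. What follows is an added example, not Scroogle's own nbbw.cgi code or anything from the article: it assumes the server logs in Apache "combined" format, uses constructed sample lines with RFC 5737 documentation addresses, and adds a per-window count of first-seen bot IPs to measure the "new IPs per half hour" figure he quotes.

```python
"""Detect and block the Scroogle bot traffic described above.

Added example, not Scroogle's nbbw.cgi. Assumptions: the web server
writes Apache/nginx "combined" log lines; the three signature features
Brandt lists are all required to call a request bot traffic:
  - request path /cgi-bin/nbbw.cgi with an empty Gw= parameter
  - user-agent 'Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)'
  - empty ("-") referrer
An IP goes on the block list on its second matching hit, mirroring the
"two quick hits" behaviour described.
"""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format (assumption about the server's logging).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)

BOT_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
BOT_PATH = "/cgi-bin/nbbw.cgi"
HITS_BEFORE_BLOCK = 2  # "at most ... two quick hits before ... the block"

# Constructed sample log (not real Scroogle data). Lines 1-3 are bot hits,
# line 4 is a normal search, line 5 is a human submitting an empty box.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Jun/2010:10:00:01 +0000] "GET /cgi-bin/nbbw.cgi?Gw= HTTP/1.1" 200 1234 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"',
    '203.0.113.7 - - [25/Jun/2010:10:00:02 +0000] "GET /cgi-bin/nbbw.cgi?Gw= HTTP/1.1" 301 0 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"',
    '198.51.100.4 - - [25/Jun/2010:10:00:05 +0000] "GET /cgi-bin/nbbw.cgi?Gw= HTTP/1.1" 200 1234 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"',
    '192.0.2.9 - - [25/Jun/2010:10:00:06 +0000] "GET /cgi-bin/nbbw.cgi?Gw=privacy+search HTTP/1.1" 200 5678 "http://www.scroogle.org/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6"',
    '192.0.2.10 - - [25/Jun/2010:10:00:07 +0000] "GET /cgi-bin/nbbw.cgi?Gw= HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.6"',
]


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_bot_request(entry):
    """True only when all three signature features are present."""
    if entry["ua"] != BOT_UA:
        return False
    if entry["referrer"] not in ("", "-"):
        return False
    parts = urlsplit(entry["target"])
    if parts.path != BOT_PATH:
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    # Gw must be present and empty; a real search carries a term.
    return qs.get("Gw") == [""]


def analyse(lines):
    """Return (ips to block, per-IP count of matching requests)."""
    hits = Counter()
    blocked = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_bot_request(entry):
            continue
        ip = entry["ip"]
        hits[ip] += 1
        if hits[ip] == HITS_BEFORE_BLOCK:
            blocked.append(ip)
    return blocked, hits


def new_ips_per_window(lines, window_seconds=1800):
    """Count first-seen bot IPs per time bucket (default: half an hour)."""
    seen = set()
    windows = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_bot_request(entry):
            continue
        if entry["ip"] in seen:
            continue
        seen.add(entry["ip"])
        ts = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
        windows[int(ts.timestamp()) // window_seconds] += 1
    return windows


if __name__ == "__main__":
    to_block, counts = analyse(SAMPLE_LOG)
    print("block:", to_block)
    print("hits:", dict(counts))
    print("new bot IPs per window:", dict(new_ips_per_window(SAMPLE_LOG)))
```

Requiring all three features together is what keeps the false-positive rate down: line 5 of the sample is a human who hit Search with an empty box, and line 4 is a genuine query, and neither is flagged. Feeding the block list to a firewall or to the CGI's own deny list is left to the deployment; the per-window counter is what lets you tell whether a new batch of blocks actually slows the inflow, as Brandt's 210/155/70 figures suggest it did.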

Stay tuned.

(Cheers, RW)


permanently retired – Google vs Scroogle: Round II, July 2, 2010

Subscribe to p2pnet.net | | rss feed: http://p2pnet.net/p2p.rss | | Mobile – http://p2pnet.net/index-wml.php


In the UK, Big Brother is listening

p2pnet view Freedom | P2P:- The USSR, as Russia was once known, used to epitomise the police state.

After the G20 civil rights violations, Canada could almost make the claim.

But in fact Britain is the country which has undeniably become the poster child for Big Brother among allegedly democratic countries.

It’s adopting Sigard, a Big Ear audio spy system already in use in Holland.

If you’re in London, Manchester, Birmingham, Glasgow or Coventry “One wrong word on the streets and you could find yourself under arrest”, says the Express, going on:

“It’s bad enough that we’re all under almost constant surveillance from CCTV cameras but now councils are using microphones strung from lampposts to eavesdrop on our conversations.

“The argument is that, like CCTV, it’s for our own protection and security.”

The cameras “listen” for “aggressive sound” and when they hear it, immediately zoom in on the potential trouble spot and “follow the source of the trouble”, as the BBC video below sums it up.

“Manufacturers denied the system is used to record conversations” but “would not pledge that in the future Sigard would not be used to record whole sections of speech”, says the Express.

Stay tuned.

(Cheers, RW)


Express - Councils use bugs in lampposts to eavesdrop on you, July 5, 2010


One Response to “Scroogle hit by malware”

  1. Reader's Write Says:

    heh the caption under the image is pretty funny.
