
Vulnerabilities / Threats

7/21/2006
05:00 AM

New Trojan Offers Google Update

A new Trojan poses as a Google toolbar update, but it's really a botnet trap

If you get an email from Google and follow its directions to update your toolbar, congratulations: You're now a bot.

The latest Google-related exploit, found by SurfControl, poses as a message from Google that takes users to a Website that's a replica of the popular search engine. Once you download the "update," however, you're "punk'd" by a Trojan into joining a spam botnet.

A bit of malformed code in the Trojan has kept it from spreading much, says Susan Larson, vice president of global threat analysis and research for SurfControl. The security company has seen just a handful of separate instances of the threat so far.

"We saw an executable that was malformed and wasn't operating properly," says Larson, who expects the Trojan to re-emerge in other iterations after the code is repaired. "And this code has been seen before."

Security experts say the clever look of this exploit may be new, but the attack mode is common. "This is simply a new variation of an old technique. Any semi-creative attacker is going to come up with a handful of new ways to do old things, like getting a bot installed on a PC," says Pete Lindstrom, research director for Spire Security. "We need to be catching this at the email gateway, not relying on any individual user."
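Lindstrom's point about catching this at the email gateway rather than relying on the user can be made concrete. The following is an added example, not code from the article or from SurfControl: a small Python filter that takes a raw message claiming to come from a vendor, extracts the links in its HTML body, and flags any link whose host does not belong to the sender's domain, any lookalike host that merely embeds the brand name, and any link that points at an executable download. The sample message, its sender address and its link hosts are constructed placeholders, not indicators from the incident.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a message posing as a Google toolbar update.
# The sender address and link hosts are made-up placeholders, not real IoCs.
SAMPLE_EMAIL = """\
From: Google Toolbar Team <toolbar-update@google.com>
To: user@example.com
Subject: Update your Google Toolbar
Content-Type: text/html; charset=us-ascii

<html><body>
<p>A new version of the Google Toolbar is available.</p>
<p><a href="http://google-toolbar-update.example.net/update/GoogleToolbar.exe">
Download the update</a></p>
<p><a href="https://www.google.com/">Google</a></p>
</body></html>
"""

# File extensions a gateway policy would not expect behind a "vendor update" link.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")


class LinkExtractor(HTMLParser):
    """Collect every href attribute from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.links.append(value)


def sender_domain(msg):
    """Domain the From: header claims, reduced to its last two labels.
    (A naive approximation of the registrable domain; assumption for this example.)"""
    _, addr = parseaddr(msg.get("From", ""))
    host = addr.rsplit("@", 1)[-1].lower()
    return ".".join(host.split(".")[-2:])


def host_belongs_to(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def analyze_message(raw):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = message_from_string(raw)
    claimed = sender_domain(msg)
    brand = claimed.split(".")[0]
    findings = []

    # Gather all HTML parts (a single-part message yields itself from walk()).
    body = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body += part.get_payload(decode=True).decode("utf-8", "replace")

    extractor = LinkExtractor()
    extractor.feed(body)

    for link in extractor.links:
        parsed = urlparse(link)
        host = parsed.hostname or ""
        path = parsed.path.lower()
        if host and not host_belongs_to(host, claimed):
            findings.append(
                f"link host {host!r} does not belong to claimed sender domain {claimed!r}")
            # A brand name embedded in an unrelated host is the classic lookalike pattern.
            if brand in host:
                findings.append(f"lookalike host {host!r} embeds brand {brand!r}")
        if path.endswith(EXECUTABLE_EXTENSIONS):
            findings.append(f"link {link!r} points at an executable download")
    return findings


if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_EMAIL):
        print(finding)
```

Run against the constructed sample, the filter reports three findings: the download host is outside the claimed google.com domain, it embeds the brand name, and it serves an .exe. A real gateway would combine such checks with sender authentication and attachment scanning; the point here is that the mismatch between the claimed sender and the link destination is visible at the gateway without any user judgement.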

This isn't the first time attackers have masqueraded as Google. Last year, a phishing email posing as a message from Google also offered toolbar updates via a link that loaded malware onto the user's system. Unlike the new bug, however, that exploit didn't direct the user to a fake Google Website, Larson says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • SurfControl plc
  • Google (Nasdaq: GOOG)

    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
