
Google Toolbar Scam Exposed

1 reply to this topic

#1 TeMerc


    Countermeasures Team Leader

  • Malware Response Team
  • 215 posts
  • Location:PHX., AZ.

Posted 05 October 2005 - 01:05 PM

This was first blogged about by Chris Boyd, aka Paperghost:

They whacked Google!

Well, here's a new one on me - Roger Karlsson has dug out a site that installs - can you believe it? - the Google Toolbar without consent, along with some other things. Check out how many Google domains it redirects - someone has it in for the Big G. A little digging of my own has found a link to some of the typical .biz hijack websites - more shocking is the flagrant way that the people behind this are trying to pass themselves off as being affiliated with Google in some official kind of capacity - when nothing could be further from the truth. Check out these screenshots (click to enlarge, so on and so forth)...

Full Read @ Vitalsecurity.org

Shortly after, Sunbelt blogged it:

The criminal element tries to steal from Google
There’s been discussion going around among elite antispyware security forces about Google’s Toolbar being “whacked”.

What’s happening is that some criminal gang out there is installing a hacked version of the Google Toolbar via stealth on a relatively small number of systems. Ostensibly, this is to give them the aura of legitimacy for their own nefarious means (for example, getting people to think they’re using Google, when in fact, they’re using something else).

The important question is: Why is this different than stealth installs by adware companies?

Why is this an important question? Because adware/spyware companies will inevitably point to this install as being something that makes them innocent of stealth installs that occur from their own affiliates and distributors (“you see, it’s even happened to Google, we’re all the victims of rogue distributors”, etc.). In fact, we’ve already had one adware company approach us on this issue.

Full Read @ Sunbelt blog

Now, comes the real breakdown and detailed analysis from SpywareGuide and Chris:

The Rogue Google Toolbar: History and Variants
by Christopher Boyd, Security Research Manager, FaceTime Security Labs


There is currently a browser hijacker in circulation which installs a fake Google Toolbar, hijacking the HOSTS file to redirect most Google domains and placing a homepage hijacker in the Temporary Internet Files folder, from which an Internet Explorer based search engine claims to be powered by Google. The bundle also includes a rogue antispyware tool, called “World Antispy”.

However – this attack, viewed out of context, does not build up a sufficient picture of the tactics / techniques used by the group responsible for the install. A press release by Panda Antivirus has covered the main features of this install here, and they had previously discovered an earlier version of this hijacker in April. Sunbelt Software also found a variant some weeks ago. But the group behind this has actually been trying to exploit Google since 2003.

Through systematic research, Facetime Security Labs have found that there are three distinct versions of this attack, each one exploiting different security vulnerabilities and installing a different payload. Here is a HJT log from September 14th, 2003. Note the Google HOSTS file hijack. Here is a discussion thread that contains the same HOSTS file hijack, from even further back – July 9th, 2003. Finally, here is one more discussion of this infection technique from September 26th, 2003.

Full Read @ SpywareGuide

Related Article @ SpywareGuide

Edited by TeMerc, 05 October 2005 - 01:36 PM.


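The HOSTS-file hijack described in the quoted SpywareGuide analysis, as an added example that is not part of the original post or of the work of any of the quoted authors: a small Python scanner that parses hosts-file syntax (comments, multiple hostnames per line, IPv4 and IPv6) and reports every entry that overrides a Google hostname, distinguishing a redirect to another address from a loopback/unspecified entry that merely blocks the name. The sample HOSTS text, the watched-suffix list and the 192.0.2.10 redirect address (a documentation-only TEST-NET-1 address) are constructed for illustration and are not indicators from the original reports.

```python
import ipaddress

# Suffixes whose presence in HOSTS is suspicious by default. Assumption for this
# example: a clean Windows HOSTS file carries no Google entries at all, so any
# override of these names is worth reporting.
WATCHED_SUFFIXES = ("google.com", "google.co.uk", "googlesyndication.com")

# Constructed sample HOSTS file; the entries after the marker comment imitate the
# kind of rewrite the rogue toolbar bundle performed.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# --- below: constructed hijack entries ---
192.0.2.10      www.google.com google.com
192.0.2.10      toolbar.google.com   # fake toolbar update host
127.0.0.1       www.google.co.uk
0.0.0.0         ads.example.net
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every hostname on every entry line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments and padding
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address: not an entry line
        for host in parts[1:]:
            yield ip, host.lower().rstrip("."), line_no


def is_watched(host):
    """True if host equals a watched suffix or is a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacks(text):
    """Return the HOSTS entries that override a watched domain.

    Each finding records the line, hostname, target address and whether the
    entry redirects the name elsewhere or just blocks it (loopback / 0.0.0.0),
    which is the difference between traffic theft and, e.g., suppressing
    genuine toolbar updates.
    """
    findings = []
    for ip, host, line_no in parse_hosts(text):
        if not is_watched(host):
            continue
        kind = "block" if (ip.is_loopback or ip.is_unspecified) else "redirect"
        findings.append({"line": line_no, "host": host, "ip": str(ip), "kind": kind})
    return findings


if __name__ == "__main__":
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

On a live system the same function can be fed the contents of %SystemRoot%\System32\drivers\etc\hosts; the suffix list is the only part that needs tailoring, and extending it with other high-value domains (update servers, banks) turns this into a general HOSTS-tampering check rather than a Google-specific one.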


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,889 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 07 October 2005 - 07:57 AM

Phishers Plant Fake Google Toolbar
