Geeks guard against Google worm
Star Wars fans hunting the Web for a downloadable game of the sci-fi flick are unknowingly infecting their computers with a worm that serves them rogue Google results authored by hackers.
Detected in the wild last week, the P2Load.A worm lies in wait in a free version of "Knights of the Old Republic II," and spreads through the peer-to-peer file sharing programs Shareaza and iMesh.
Security experts at Panda Software rate the potential damage of the infection at four stars, the highest level, based on the worm's two attack features, both enabled by modifying the HOSTS file on a user's computer.
This means that when downloaders try to open the Star Wars game, they actually run a command that modifies their internet start page, replacing it with adverts, and at the same time spoofs the identity of the most widely used search engine, Google.
If users are presented with an on-screen error message saying the game file does not exist, the system is already infected: from then on, typing the Google Web address, even with mistakes, redirects the user to a spoof version of the search site.
This appears in exactly the same format as the legitimate Google site, supported in 17 specific languages, but crucially it is authored by hackers and controlled from a server in Germany.
Even the most tech-savvy users could have difficulty spotting the rogue from the real, as initial results returned via the Google imposter "are shown correctly" or with "slight variations," Panda said.
However, the sponsored links on the Google spoof site, normally located at the top right of the page, have been tampered with, effectively ousting legitimate pay-per-click companies in favour of websites controlled, supported or financially linked to the worm's authors.
Clicking through to one of these phony portals potentially puts users at risk from other attacks such as phishing, but lab experts studying the worm said the new P2Load.A was less malicious than financially driven.
"The creator of this worm has taken advantage of the importance of a company appearing among the first few links in the search results of an Internet browser," said Luis Corrons, director of Panda.
"Its aims are none other than to increase visits to the pages linked by the creator of this malware or earn an income from companies that want to appear in the first few results in computers where the identity of Google has been spoofed: in both cases, the motivation of the author of this malware is purely financial."
The company added that because the infection stemmed from the HOSTS file, the malware could be modified to imitate not just Google, but any other website or e-commerce giant that the authors decide. The aim would remain the same: to increase traffic to the author's websites.
In the future, phishing attacks could also be introduced to support the worm's dual process of modification, Panda said, because P2Load.A operates without code.
The worm affects computers running Windows 2003/XP/2000/NT/ME/98 with Firefox or Microsoft IE, yet its threat rate is "medium", given that circulation is highest in the Netherlands, Germany and Italy.
Concerned PC users are reminded that up-to-date anti-virus software should automatically delete the worm, after which its Windows Registry entries should be deleted, followed by restoring the HOSTS file, as well as the start-page and search options for Internet Explorer.
Full details for 'prevention and cure' of the worm that spoofs Google are available through Panda's website.
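The HOSTS-file hijack described above, and the restore step that follows the anti-virus clean-up, can both be checked without any vendor tooling. The following script is an added illustration, not code from the article or from Panda Software: it parses HOSTS-file text, flags any line that maps a watched domain (Google's, per the article, plus a couple of assumed country variants) to an address other than loopback or 0.0.0.0, and produces a cleaned copy. The sample file contents are constructed for the example; the 192.0.2.10 address is from the documentation range and is not the worm's real server.

```python
"""Audit a HOSTS file for entries that hijack well-known domains.

Added example (not from the article or Panda Software). Sample HOSTS
content below is constructed; 192.0.2.10 is a documentation address.
"""
import ipaddress
import os
import sys
from typing import List, Tuple

# Domains to watch. google.com is the one the article names; the country
# variants are an assumption added for illustration. Subdomains match too.
WATCHED_DOMAINS = ("google.com", "google.de", "google.nl")

# What a HOSTS file might look like after infection (constructed sample).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# --- lines below were appended by the infection (constructed) ---
192.0.2.10      google.com
192.0.2.10      www.google.com
192.0.2.10      www.google.de
0.0.0.0         update.example-av.test
"""


def default_hosts_path() -> str:
    """Location of the HOSTS file on Windows or on Unix-like systems."""
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def is_watched(hostname: str) -> bool:
    """True if hostname is a watched domain or one of its subdomains."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in WATCHED_DOMAINS)


def audit_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, ip, hostname) for each watched domain that is mapped
    to something other than a loopback or unspecified (0.0.0.0) address.

    Loopback/0.0.0.0 entries are left alone because ad-blockers and sinkhole
    lists legitimately use them; a hijack needs a routable address.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an IP address; ignore the line
        if addr.is_loopback or addr.is_unspecified:
            continue
        for hostname in parts[1:]:
            if is_watched(hostname):
                findings.append((line_no, str(addr), hostname))
    return findings


def clean_hosts(text: str) -> str:
    """Return the file text with the hijacking lines removed. Restoring
    the browser start page and search settings is a separate step."""
    bad = {line_no for line_no, _, _ in audit_hosts(text)}
    kept = [raw for i, raw in enumerate(text.splitlines(), start=1) if i not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Audit the constructed sample, or the live file if a path is given.
    text = SAMPLE_HOSTS
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    for line_no, ip, host in audit_hosts(text):
        print(f"line {line_no}: {host} -> {ip}  (watched domain hijacked)")
    print("Default HOSTS location on this system:", default_hosts_path())
```

Run it with no arguments to audit the constructed sample, or pass the path of a real HOSTS file (printed by `default_hosts_path()`) to audit that. The audit deliberately skips 127.0.0.1 and 0.0.0.0 entries, since those are how blocklists work; only a routable address for a watched name is treated as a hijack.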