Malware "Nmap Conficker" links in Google

[Fyodor <fyodor () insecure org>]

For a while on Monday, the top links for an "nmap conficker" search on
Google were malware sites themselves!  I guess the scammers somehow
realized it was a popular search query and latched on.  Here are some
articles about the situation:

http://countermeasures.trendmicro.eu/poisoned-downadconficker-removal-searches/
http://www.theregister.co.uk/2009/03/31/conficker_search_scam/

I verified this on Monday afternoon when I saw people tweeting the
issue.  It is amazing how scummy some people can be!

Fortunately the top results are now pretty clean.  I don't know if it
is because Google kicked off the SEO scumbags or because there are so
many legitimate news stories that the booby-trapped links can't
compete for high rankings any more.

If there is any bright side to this sordid tale, it is that enough
people were searching for Nmap's Conficker detection that the scammers
bothered to hijack the term.  Thousands of people really did find Nmap
useful on Monday to help secure their networks from Conficker
infections!  That alone justifies all the last minute efforts and
late night several of us put in on Sunday to get it ready!

Cheers,
-F

PS: The list serve seems to have finally caught up with all the
traffic.  No more lag on nmap-dev!

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org