Google Code Discovered Serving Malware

Google has removed malicious programs from its Google Code platform after Web firm zScaler said the company’s servers were being used to serve malicious code.

With its size and breadth, Google’s finding it harder than ever these days to live up to its founders’ pledge to “not be evil” – or, at least, not to aid those who are bent on being evil.

The latest example comes from Web security firm zScaler, which reported on its research blog Wednesday that it had discovered malicious programs being hosted and served from the Google Code Web site. A Google spokesman said that the company has removed the project hosting the malicious programs for violating its terms of service. 

The response came after a warning from zScaler researcher Umesh Wanve, who wrote on the zScaler research blog that the company’s Web crawling technology discovered malware including malicious downloader programs, Trojan horses, backdoor programs and password-stealing keylogging programs that target massively multiplayer online games like World of Warcraft. The malicious programs were undetectable by standard antivirus programs. Of those that were detectable, researchers noted a downloader program identified as Agent-IUW or Thed.B. One of the downloader programs was found to pull other components, also from the Google Code site.

Launched in 2005, Google Code is a free, Web-based platform that provides tools and resources to developers interested in working on Google-related open source software projects or projects that leverage Google services. The company provides source code as well as tools such as APIs (Application Program Interfaces) for developers to use. The site is loosely managed and free – creating an ideal environment for malicious actors. Google claims it does scan the site for malicious programs and removes them when they are found.

“Google actively works to protect our users from malware. Using Google Code, or any of our products, for distribution or coordination of malware is a violation of our product policies, and we will remove any projects discovered to be used for these purposes,” a Google spokesman responded in an e-mail message to Threatpost.com.

It is unclear how long the latest files have been hosted, but zScaler claims one executable dates to late June, 2010, creating the possibility that Google may have been hosting some or all of the malware for over two months. Google has not yet responded to questions about how long the malware was hosted on its servers.

This isn’t the first time that Google Code has been found hosting malicious code. Anti-malware vendor McAfee discovered malicious programs on the site in early 2009.

Discussion

  • Analyzer on

    Last year (2009) I experienced a bug of some type that was not found by KIS2009, and basically necessitated the reformatting of two computers - after it was scrubbed by multiple antivirus software packages.  I have stopped all game players from using any PC I have on the net.  This is probably an extreme paranoid reaction, since the infections can come from the social networking sites (which I avoid, but my wife does not).  I have found no perfect firewall, but KIS2010 has been very effective since my last, expensive experience.  I have learned to keep important data off-line as much as possible as well as paying attention to backup and recovery procedures.  I am alarmed at the extent of potential attacks and damage that can be inflicted on society in general.  The most anyone could get from me is rather mundane research and contacts that are not too important, but I hate to be a victim.  I also dislike the necessity of spending so much time and money to stop malicious activities.

  • Anonymous on

    I don't let game players or any OTHER idiots touch my box. I use it for COMPUTING. None of this stuff was a problem until the internet became infested with idiots who wear their hats sideways.

  • Anonymous on

    Funny how you like to state that game players are idiots, these game players are a lot of the people who are smart enough to write the malware and viruses that get into your computer. And this 'problem' with malware has been around for years, it's not the ones with the sideways hats you want to worry about, it's the blackhats ;)
  • Keiichi25 on

    Something to note, however, it is not necessarily gamers who are the problem children for computers. In the past 20 years of a computer user and being a gamer... I have run into a total of... 3 virus/malware. Of the times I have been hit by malware, all three were related to just doing web browsing or leaving a web browser open and getting hit by a compromised website ad server. One of which was just trying to find information, of all things, a map of the current fire situation in my area. Please note, the problem is not limited to 'gamers'. I have actually dealt with users who, by far, are not gamers. They are ordinary people looking for various things, and not all of it is games or porno, but sports information, music, or falling for the old ploy of "Message from a friend." The real problem these days is the apathy of the normal, everyday computer user. Treating the computer like it was a refrigerator or Television set or worse yet, from my old Calculus days, getting it referred to as a more advanced calculator. When people consider the computer nothing more than a simple device, they fail to take into consideration how that device has much more going for it and can bring in all sorts of problems simply because the user doesn't know any better. And in the end, the blaise faire remarks of 'gamers' being the 'idiots' doing this will not be so when your 50+ year old relative who knows NOTHING about computer games, has the same problem or your Under 14 year old kid that you didn't watch over while they were on the computer, suddenly has weird crap on your machine, all because they went to some site they wanted to go to and it had NOTHING to do with computer games or porn. People have to wake up to the fact that while games are one of the reasons people get viruses, there are other places to get viruses or malware that will have NOTHING to do with games. And just remember, Facebook, Myspace, Twitter, and social networks have been targeted as well as games.
  • Thomas on

    That's a well written response keiichi25. Thanks for being one who sees the forest rather than picking out a single tree; it shows an open and logical mind. I wish it COULD BE just one area, but unfortunately that's far from reality.

