36

This video shows how somebody accidentally opens Goggle.com instead of Google.com. He gets flooded with pop-ups, SpySheriff or SpywareSTOP get installed automatically, and the computer user has no chance of closing the seemingly hundreds of pop-up windows:

The Wayback Machine, unfortunately, excludes Goggle.com, Goggle.net and Goggle.org for unknown reasons.

Did this crazy pop-up flooding malware actually exist in 2006?

Anders
neverMind9
  • 18
    Well, typosquatting has existed since at least the early 1990s, probably earlier. – Chenmunka Jul 13 '18 at 13:02
  • 9
    First, this is not "malware" but a typo-squatting phish, though the payload may download malware. Second, `goggle` is simply a dictionary word. Third, the Wayback Machine will try to remove most JavaScript to prevent dangerous redirects. Fourth: typo-squatting phishing is an ongoing `business`. – mootmoot Jul 13 '18 at 13:41
  • Sometimes a domain registrar may delete the typo-squatting domain or put it into a blacklist sinkhole. By the way, malware researchers are never short of those samples, as long as you know how to create a honeypot to collect that stuff or exchange it within the researcher group. – mootmoot Jul 13 '18 at 14:46
  • 3
    Every day hundreds of spam sites are created *just for this*. They have already used things like `apple.com` but with a Cyrillic `a` (which in practically all fonts looks indistinguishable to the human eye...). It has been used to trick developers into downloading malware-infected open-source packages (both by typosquatting the repository domain or simply uploading a typosquatted package to the repository). – Bakuriu Jul 13 '18 at 20:55
  • 1
    [`whitehouse.gov`](https://en.wikipedia.org/wiki/Whitehouse.gov) vs. [`whitehouse.com`](https://en.wikipedia.org/wiki/Whitehouse.com), blah. – Nat Jul 13 '18 at 22:27
  • 2
    @neverMind9 The reason is because of the robots exclusion standard. The web archive has the questionable practice of retroactively removing a site from its archive if a _new_ site with the same domain excludes the bot from archiving it. So in other words, I can register an old, dead domain that was archived and create `/robots.txt` that excludes everything, and the archived version of the site will be censored. – forest Jul 14 '18 at 02:54
  • What is the Wayback Machine? – Evorlor Jul 15 '18 at 23:41
  • 4
    @Evorlor historical archive of many webpages at various points in time. https://web.archive.org. it's frickin _dope_ and saves me from 404 pages all the time. – strugee Jul 16 '18 at 02:52
  • Well, that's what NoScript plugins were mostly used for. – maio290 Jul 16 '18 at 07:36
  • @Forest No, it does not say “due to Robots.txt” but “this page has been excluded”, which means that **even if it is allowed by robots.txt, it is inaccessible.** – neverMind9 Jul 16 '18 at 19:18
  • 1
    @Evorlor On the Wayback Machine, you can see older revisions of webpages it crawled. – neverMind9 Jul 16 '18 at 19:18
  • 1
    @neverMind9 Oh interesting. Well that I don't have an explanation for. – forest Jul 16 '18 at 23:45
  • @strugee I agree. But sometimes there is Robots.txt and manual exclusion. – neverMind9 Jul 19 '18 at 13:05
  • https://www.youtube.com/watch?v=I6D-GSdLtNo Video statistics: Doubled view counts due to this question. – neverMind9 Aug 02 '18 at 20:54
  • The selection criteria for the Wayback Machine are such that sites which never attracted significant links from other sites are unlikely to be included. – tripleee Feb 05 '20 at 10:48
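The comments above cover three flavours of look-alike domain: a typo (goggle.com for google.com), a TLD swap (whitehouse.gov vs. whitehouse.com) and a homoglyph (apple.com with a Cyrillic `a`). The following is an added example, not code from the question or from any answer in this thread, of how a defender can flag such names in DNS or proxy logs against a list of protected brands: decode any punycode label so the real characters are visible, fold known confusable characters to their ASCII look-alike, then compare the registrable label by edit distance. The brand list, the confusables table, the `xn--pple-43d.com` sample and the other "observed" domains are constructed for the example, and the registrable-label split assumes a single-label public suffix (it would need a public-suffix list for names like `co.uk`).

```python
"""Flag typosquat, TLD-swap and homoglyph look-alikes of protected domains.

Added example for this thread; brand list and observed domains are constructed.
"""
import unicodedata

# Constructed: domains an organisation wants to watch for look-alikes of.
PROTECTED = ["google.com", "apple.com", "whitehouse.gov"]

# Assumption: a small subset of the Unicode confusables table, enough for the
# Cyrillic look-alikes discussed above plus two common digit substitutions.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0445": "x",  # Cyrillic small ha
    "\u0443": "y",  # Cyrillic small u
    "\u0456": "i",  # Cyrillic small Byelorussian-Ukrainian i
    "\u0455": "s",  # Cyrillic small dze
    "0": "o",
    "1": "l",
}


def decode_idna(domain):
    """Turn xn--... (punycode) labels back into Unicode; pass others through."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not valid punycode


def skeleton(domain):
    """Map a domain to the ASCII string a human would *see* on screen."""
    text = unicodedata.normalize("NFKC", decode_idna(domain).lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters (so 'googel' is one edit from 'google')."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(observed, protected=PROTECTED, max_edits=1):
    """Return (verdict, brand) for one observed domain.

    verdict is 'exact', 'lookalike' (same skeleton, different characters),
    'tld-swap', 'typo' (registrable label within max_edits), or None.
    Assumes a single-label suffix, i.e. 'name.tld'.
    """
    o_name, _, o_tld = skeleton(observed).rpartition(".")
    for brand in protected:
        b_name, _, b_tld = brand.lower().rpartition(".")
        if o_name == b_name:
            if o_tld != b_tld:
                return ("tld-swap", brand)
            if observed.lower() == brand.lower():
                return ("exact", brand)
            return ("lookalike", brand)
        if edit_distance(o_name, b_name) <= max_edits:
            return ("typo", brand)
    return (None, None)


# Constructed sample: names as they might appear in a DNS query log.
OBSERVED = [
    "google.com", "goggle.com", "g00gle.com", "xn--pple-43d.com",
    "whitehouse.com", "example.org",
]


def scan(domains=OBSERVED):
    """Classify every observed domain; returns {domain: (verdict, brand)}."""
    return {d: classify(d) for d in domains}


if __name__ == "__main__":
    for d, (verdict, brand) in scan().items():
        print(f"{d:20} {verdict or 'ok':10} {brand or ''}")
```

Run on the constructed list it reports `goggle.com` as a typo of google.com, `g00gle.com` and `xn--pple-43d.com` as look-alikes, `whitehouse.com` as a TLD swap of whitehouse.gov, and leaves `example.org` alone. In practice the confusables map would be replaced by the full Unicode confusables data and the suffix split by a public-suffix list; the structure (decode, fold, compare the registrable label) stays the same.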

1 Answer

76

Let me summarise what you are seeing:

  • someone navigates to a typo-squat site (goggle.com)
  • the browser is then flooded with numerous pop-ups, warning windows, etc.
  • eventually, the anti-virus starts to detect malware
  • the machine crashes

It is difficult to think that there are young technology professionals now for whom that sequence is new and strange. For those of us browsing the Internet in 2006, this was a reality. I experienced this, myself, more times than I could count.

To answer your question, this was neither crazy nor limited to this one site.

The malicious (or hacked) website was coded to flood the user with ads and legitimate-looking Windows warning windows. When the user tried to close the windows, dozens more sprouted until the machine crashed. For many people, events like this are what got them familiar with the Windows Task Manager, which was the only way to prevent a total machine meltdown.

The warning windows were, in fact, browser windows, and when you interacted with them, it translated the user's click into an "OK" for installing something. That's how the viruses got installed.

So, these little gems crashed your machine (causing a reboot) and installed all manner of viruses. It was sometimes impossible to remove them without "nuking from orbit".

Many layers of security now exist in browsers to prevent that type of problem (although the attackers continue to evolve). Pop-up blockers, now standard, were the first thing to be used on the browser side. UAC was one of Windows' first attempts to block this sort of application behavior from the OS.

schroeder
  • 49
    Thank you for making my day complete by making me feel very old ... Was 2006 and all this stuff 12 years ago?? – schroeder Jul 13 '18 at 13:43
  • Where can I get this kind of pop-up malware for experimentations today? – neverMind9 Jul 13 '18 at 14:25
  • 1
    @neverMind9 I could think of any porn site. But the problem is, you must use a very outdated browser and maybe OS to see them nowadays. – Serverfrog Jul 13 '18 at 14:32
  • 6
    It's not malware but HTML code. Look for "pop-up ads" https://en.wikipedia.org/wiki/Pop-up_ad and https://en.wikipedia.org/wiki/Adware – schroeder Jul 13 '18 at 14:32
  • 32
    This is also partially the source of the pop-culture representation of "getting a virus" being a million popups appearing everywhere. I think that even this aspect may be aging out since I seem to remember more pop culture references for ransomware than popup floods recently (though I can't think of specific examples) – Tophandour Jul 13 '18 at 14:33
  • 5
    I never got that stuff, maybe because I could tell it was browser windows. – Joshua Jul 13 '18 at 19:12
  • 2
    The real issue would occur with frameless browser windows. Was such kind of oversight available in 2006? I wouldn't be surprised. – John Dvorak Jul 13 '18 at 21:04
  • 8
    @JohnDvorak Back then we had a lot more trust of programmers... Microsoft, at one point, tied Windows Update to their browsers via something called ActiveX, which lets people format computers via a webpage. It's pretty crazy. – Nelson Jul 14 '18 at 02:25
  • @Nelson Which webpage formats my HDD? – neverMind9 Jul 16 '18 at 21:25