Loads of infected results in Google Images lately
RussJK
Posts: 2,359 Forumite
I've noticed in the last few weeks that all the top results in Google images for most of my searches are coming from infected sites, much more than usual.
These articles suggest it's not just me noticing this and that it's significant:
http://www.cio.com/article/681679/Attackers_Use_Google_Image_Search_to_Distribute_Malware
http://krebsonsecurity.com/2011/05/scammers-swap-google-images-for-malware/
Criminals are using Google Trends to find the top search results, then make fake pages based on those top search results to draw people onto sites that install malware. An old trick, but the scale is greater.
If you are a Windows user and only have an antivirus and nothing else, then the chances are you are vulnerable to this.
I'm not actually seeing the infected sites or any of the fake warnings - they are all being blocked before it gets to that stage.
- ClearCloudDNS blocks most of the malware sites (http://www.clearclouddns.com/). Similar services include NortonDNS & ComodoDNS.
- A HOSTS file block and Malwarebytes realtime guard seem to catch the rest (http://winhelp2002.mvps.org/hosts.htm). I use Hostsman to combine MVPS with MalwareDomainList
- With Noscript in Firefox you'd be protected from these if you can stand using it
- Using Adblock with Easy List & the Malware Domain subscription may also help (http://adblockplus.org/en/subscriptions).
- Lastly, using browsing under a sandbox like Sandboxie will prevent an infection from reaching the rest of the system (http://www.sandboxie.com/). You can set Sandboxie to automatically allow permanent changes to bookmarks and history, but use with caution.
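The post combines the MVPS and MalwareDomainList HOSTS lists with Hostsman. As an added example (not from the thread, Hostsman or either list project), this Python script does the same merge by hand: it parses both list formats, drops comments and the protected localhost entries, writes one deduplicated file, and shows what a HOSTS lookup can and cannot match. Both list bodies are constructed samples.

```python
"""Merge HOSTS-format blocklists (as the post does with MVPS and
MalwareDomainList via Hostsman) into one deduplicated file and look
hostnames up in it. The two list bodies below are constructed samples."""
import re
# Constructed samples in the two styles such lists use: MVPS redirects
# to 0.0.0.0, MalwareDomainList to 127.0.0.1; both carry '#' comments.
MVPS_SAMPLE = """# MVPS-style list (constructed sample)
127.0.0.1  localhost
0.0.0.0  ads.example-tracker.net
0.0.0.0  badstuff.example.cc  # inline comment
"""
MDL_SAMPLE = """# MalwareDomainList-style list (constructed sample)
127.0.0.1  localhost
127.0.0.1  badstuff.example.cc
127.0.0.1  fakeav-download.example.cc
"""

# Names a merged file must never override, or local resolution breaks.
PROTECTED = {"localhost", "localhost.localdomain", "broadcasthost", "local"}
_ENTRY = re.compile(r"^\s*(?:0\.0\.0\.0|127\.0\.0\.1)\s+([A-Za-z0-9.-]+)")

def parse_hosts(text):
    """Return the set of hostnames a HOSTS-format blocklist sinkholes."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0]       # drop full-line and inline comments
        match = _ENTRY.match(line)
        if match:
            host = match.group(1).lower().rstrip(".")
            if host not in PROTECTED:
                names.add(host)
    return names

def merge_hosts(*texts):
    """Union several lists into one sorted, deduplicated HOSTS file.
    All entries are rewritten to 0.0.0.0 so a blocked request fails at
    once instead of waiting on a listener at 127.0.0.1."""
    blocked = set().union(*(parse_hosts(t) for t in texts))
    body = "".join(f"0.0.0.0 {h}\n" for h in sorted(blocked))
    return "127.0.0.1 localhost\n" + body, blocked

def is_blocked(hostname, blocked):
    """Exact-name lookup, which is all a HOSTS file can do: a subdomain not
    listed on its own still resolves, one gap a filtering DNS service covers."""
    return hostname.lower().rstrip(".") in blocked

if __name__ == "__main__":
    merged, blocked = merge_hosts(MVPS_SAMPLE, MDL_SAMPLE)
    print(merged, is_blocked("badstuff.example.cc", blocked))
```

Point `merge_hosts` at the downloaded list files to produce a file you can install as the system HOSTS file; the localhost line is kept because removing it breaks local name resolution.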
Comments
It's possible to carefully forge an image so as to cause a buffer overflow condition in the image rendering library.
Exploits can be found for Windows, Mac and Linux, and for a range of image types including JPEG, GIF, TIFF, etc..
There was a very recent security update to the TIFF rendering library for Linux.
http://packetstormsecurity.org/files/view/100046/USN-1102-1.txt
It's pathetic really that these image rendering libraries have been around for over a decade and only now has anyone noticed that they are vulnerable to malicious attack.
I've noticed in the last few weeks that all the top results in Google images for most of my searches are coming from infected sites, much more than usual. I suspect that many won't be noticing the problem as they might not have as many layers of security on board.
This article suggests it's not just me noticing this:
http://www.cio.com/article/681679/Attackers_Use_Google_Image_Search_to_Distribute_Malware
For me they are mostly they are being blocked by ClearCloudDNS, which is an alternative DNS designed to act as a webfilter for malware (https://www.clearcloudDNS). Similar services include NortonDNS & ComodoDNS.
The rest are coming up blank either because of my hosts file block (MVPS mixed with MalwareDomainList) or due to Malwarebytes realtime guard.
http://winhelp2002.mvps.org/hosts.txt
http://www.malwaredomainlist.com/hostslist/hosts.txt
use Hostsman to combine them: http://www.abelhadigital.com/hostsman
With Noscript in Firefox you'd be protected from these if you can stand using it
Other alternatives include browsing under Sandboxie, and using Adblock with Easy List & the Malware Domain subscription (http://adblockplus.org/en/subscriptions).
Noticed it too. Again the HOSTS file combined with Malwarebytes Pro have blocked access.
With Noscript in Firefox you'd be protected from these if you can stand using it
Never had any problems with Noscript, although it does take a bit of getting used to, but worth the bother for the protection. Also agree with using Adblock Plus (Easylist & Malware Domains)
Thanks for the "Heads Up".
It's possible to carefully forge an image so as to cause a buffer overflow condition in the image rendering library. Exploits can be found for Windows, Mac and Linux, and for a range of image types including JPEG, GIF, TIFF, etc..
Do you know of anywhere you could safely test vulnerability to this exploit? Has it been seen in the wild? Also, would EMET2 help mitigate it until a patch is found? Not much of a web if it's text only
AFAIK the current spate of google image malware is just the standard honeypot method, using the real popular images just to draw people to the site, where a script is launched to try to install malware. Would have to hope that google would notice if thumbnail images they hosted caused a buffer overflow.
not experiencing any issues here -- either in Opera 11 or FF/ but like u said Russ, depends on levels of security sensitivity perhaps ....
Seen it a few times too - you're talking about: 'you have malware on your computer - initiating scan with a bar on the screen - and various 'malware detections' right?
How long does one have from entering said site to getting the malware? Malwarebytes/avira shows no infection... Although I do close off the browser immediately if that turns up...
As above, from google images - I just use firewall to cut connection and run ccleaner then malwarebytes.
The_Grandmaster wrote: » Seen it a few times too - you're talking about: 'you have malware on your computer - initiating scan with a bar on the screen - and various 'malware detections' right? How long does one have from entering said site to getting the malware? Malwarebytes/avira shows no infection... Although I do close off the browser immediately if that turns up...
I haven't actually gotten any of the fake browser warnings in a long time, it's just that far more sites from google images are being blocked than normal - and the domain names are dodgy sounding, randomised strings and often end in .CC. No need to look them up in URLVoid, WOT, etc to realise that they're dodgy...
Most take a lot of user cooperation to install malware, but admittedly I don't know a lot about the kinds of exploits that don't. I just try to avoid them with passive protections.
You could make sure Avira is set with the threat categories to block most things, particularly fraudulent software like this (http://www.users.on.net/~russ/avirathreatcategories.png). If you're concerned, temporarily install Prevx for a scan or have it monitor for a few days, then uninstall it.
Do you know of anywhere you could safely test vulnerability to this exploit? Has it been seen in the wild?
I've never heard of anywhere that you can test images for malicious code, no.
But there are loads of examples of malicious images in the wild. The exploits are usually stack-based buffer overflow attacks that allow the execution of arbitrary code.. That is usually shellcode to open a networked backdoor into the machine. There are exploits for most image types.. jpeg, png, tiff, etc., and for most platforms.
We played with one image exploit for Windows. You just emailed a crafted image to someone, and so long as they were using Outlook, it bound a shell to a network port. The image didn't even need to be opened, the display of a thumbnail was enough. That was around 2005. There was an easy-to-use proof-of-concept. You fed it a normal jpeg image - any sort of image that would entice, e.g. !!!!!! - and the malicious exploit inserted the shellcode into the image. And then you emailed that image to someone.
Also, would EMET2 help mitigate it until a patch is found? Not much of a web if it's text only
I'm no expert by any means, but some of the techniques in EMET are quite old, but aren't used routinely because they cause a significant performance degradation. For example, if you monitor the stack in real-time for corruption, through the use of stack canaries or whatever, there are huge overheads involved.
AFAIK the current spate of google image malware is just the standard honeypot method, using the real popular images just to draw people to the site, where a script is launched to try to install malware. Would have to hope that google would notice if thumbnail images they hosted caused a buffer overflow.
Not worried at all actually as I trust malwarebytes or avira to have found the infection from someone else's computer first!
All the boxes in avira (and malwarebytes) have been ticked for a long time.