Image search can lead to malware download

Published: 2011-04-23
Last Updated: 2011-04-23 04:59:23 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
8 comment(s)

Reader Stephanie told us that during an image search of a Mussolini image in google found a site downloading malware. I decided to look into this issue further to see what I could find. Before starting, please be careful on what you do, as this page is still alive.

I clicked the image found in google. The following script was received from the host:

Evil Javascript loaded

The URL loads the following javascript, which is coded:

First part of evil script

Last part of script

After decoding, it rises an executable, MD5 ef42a441af5e5a250f18aeb089698c35. It does not perform any changes to the system, but it connects to 69.50.197.243 TCP port 8000 to further download for malware content.

Such attacks are common. How to minimize the risk of these attacks? We can summarize some controls:

  • Malware perimeter defense: You can use any malware product to test HTTP, FTP and any other protocol allowed for the inside users.
  • Please download files from well-known sites. If you need to download something from unknown sites, please take all measures to check and review the downloaded content before using it.
  • I tested noscript against this webpage and it was correctly blocked. I do not recall a similar control for Internet Explorer. Maybe one of our readers can recommend one?
  • Host IPS can protect the machine for buffer overflow or similar attacks triggered by exploits or malware.
  • And, of course, the Antivirus.

-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org

8 comment(s)

Comments

Confused - did you just load the page displaying the image or did u download it?
I thought this was common knowledge, this is exactly why I use OpenDNS to block all access to non-whitelisted '.info' TLDs (among others) as well as running FireFox with NoScript.
SEO poisoning - Google Image search...
- http://community.websense.com/blogs/securitylabs/archive/2011/04/21/presley-walker-google-image-search-results-poisoned.aspx
21 Apr 2011 (leads to "Neosploit"...)
.
BTW, it should be noted that blocking URLs does -not- block IP numeric addresses, so the OpenDNS blocklist should be utilized as a supplement, at best.
.
The nearest analog for NoScript in IE would be the Zones in the Internet Options > Security tab, which can be configured locally either by GUI or Local Group Policy, or by a domain policy. If you'd like to allow scripts (and/or Java and/or ActiveX) only on sites you explicitly approve, you'd add the desired sites to the Trusted Sites zone (after first setting the Trusted Zone's security baseline to something sensible like Medium-High). Disable the unwanted functionalities in the Internet Zone to suit your needs.

IE has had this capability since IE5, if I recall correctly.
I followed one of the image redirects, it often leads to sites in the cz.cc domain. You can check these site at urlquery.net, however you need to specify the referrer otherwise you will just get a redirect to the homepage.
This is a report with the referrer added:
http://www.urlquery.net/report.php?id=1357
infection vector's are Java and Acrobat Reader, best to keep those up to date ;)
I jsut found another one of these: http://antivirus-program-2011.ce.ms/fast-scan
It seems like when re-opening Firefox (after force-closing it through TaskManager, that it bypassed the "restore session choice" screen and it force-restored the session with this tab even active.

SB
Funny this is a recent diary. We just implemented NetWitness' solutions (don't work for them, I'm a security pro for large online company), and let me tell you, we have detected over 15 zero-day malware downloads/infections in just the past few days. About 10 of the 15 came from google image redirect downloads. The NetWitness solution allowed us to completley follow the TCP stream and present everything exactly how it went down. Virustotal had about 1 or 2 vendors detecting them as very generic malware at the time of submission.

Diary Archives