05-11-2011, 09:25 AM   #156
Fish
Google Image Poisoning and FakeAV attacks

FYI on Google Image Poisoning.... which is the general cause for the FakeAV popups that so many people have issues with.

These FakeAV programs are rather tricky, in that they're not easily classified, and they never work the same. Therefore, your various AV/Spyware/Malware scanners might not think that it's malicious behavior at the time of infection.

The FakeAV attacks seem to come in 3 flavors of increasing complexity:

1) "The Nag". Terminate the process and delete the file. Doesn't care that you run other programs.

2) "The Pain in the Ass". Doesn't let you run any .exe because it latches into the .exe file registry keys. We have an .inf that reverts the registry change, then we terminate and delete the .exe.

3) "The Real Pain in the Ass". Does the same as number two, but has the additional side effect of fudging permissions all over the system. It screws them up so bad that you can't run any of your applications anymore. When computers get these, we usually just reimage them. But they can be salvaged if it's worth a bit of work to you.

If you've experienced these, here's why you got it, and here's how to prevent it in the future.

Full article: http://isc.sans.edu/diary/More+on+Go...oisoning/10822

Another very In-depth article with additional info: http://blog.unmaskparasites.com/2011...earch-results/

Quote:
For last couple of weeks we received quite a bit of reports of images on Google leading to (usually) FakeAV web sites.
Google is doing a relatively good job removing (or at least marking) links leading to malware in normal searches; however, Google’s image search seems to be plagued with malicious links. So how do they do this?

The attackers compromise a number of legitimate web sites. I have noticed that they usually attack Wordpress installations, but any widely spread software that has known vulnerabilities can be exploited.
[...]
Now, when a user searches for something through the Google image search function, thumbnails of pictures are displayed. Depending on the automatically generated content in step 3), the number of links to the web page and other parameters known to Google, the attacker’s page will be shown at a certain position in the results web page. The exploit happens when a user clicks on the thumbnail.
Google now shows a special page that shows the thumbnail in the center of the page, links to the original image (no matter where it is located) on the right and the original web site (the one that contained the image) in the background. This is where the “vulnerability” is.

The user’s browser will automatically send a request to the bad page, which runs the attacker’s script (the one set in step 1). This script checks the request’s referrer field, and if it contains Google (meaning this was a click on the results page in Google), the script displays a small JavaScript script.

This causes the browser to be redirected to another site that is serving FakeAV.

As we can see, the whole story behind this is relatively simple (for the attackers). There are a number of things to do here to protect against this attack, depending on whether we are looking at servers or clients. For a standard user, the best protection (besides not clicking on images) is to install a Mozilla Firefox addon such as NoScript. Google could step up a bit as well, especially since this has been going on for more than a month already and there are numerous complaints on Google’s forums about this. Since there are so many poisoned images they could maybe modify the screen that displays the results so it does not include the iframe; that will help in the first step only, since if the user lands on the malicious web page there is nothing Google can do really.
Here's the link to NoScript. The thing about NoScript, though, is that it can be overkill in many situations, and it requires you to fine-tune it or add exceptions to make some of your normal websites function properly. This normally just consists of navigating to your trusted websites and telling NoScript to allow an exception for that site. But for some people, I imagine it could be confusing. If you have any questions about it, post them in here....
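The quoted diary describes the server side of the attack: an injected script on a compromised site that only emits a JavaScript redirect when the request's referrer contains Google. A site owner can check for exactly that cloaking by fetching a page twice, once plainly and once with a Google Images referrer, and diffing the redirect-looking fragments. The script below is an added example, not part of Fish's post or the ISC diary; the sample HTML bodies are constructed, the redirect patterns are a hypothetical starting list, and `check_site()` assumes a URL you are entitled to test.

```python
import urllib.request
import re

# Constructed sample responses (not captured from any real site) standing in for
# what a compromised page returns to a plain visit versus a visit "from Google".
PLAIN_BODY = "<html><body><h1>Our blog</h1><p>Welcome.</p></body></html>"
CLOAKED_BODY = ("<html><body><h1>Our blog</h1><p>Welcome.</p>"
                "<script>window.location='http://example.invalid/fakeav';</script>"
                "</body></html>")

# Hypothetical patterns for a client-side forced redirect; extend for your site.
REDIRECT_PATTERNS = [
    r"(?:window|document|top|self)\.location(?:\.href)?\s*=",
    r"location\.replace\s*\(",
    r"<meta[^>]+http-equiv\s*=\s*['\"]?refresh",
]

def redirect_snippets(body):
    """Return the redirect-looking fragments found in an HTML body."""
    found = []
    for pat in REDIRECT_PATTERNS:
        for m in re.finditer(pat, body, re.IGNORECASE):
            found.append(body[m.start():m.start() + 80])
    return found

def detect_referrer_cloaking(plain_body, google_body):
    """True when the Google-referred response carries a redirect the plain one lacks."""
    plain = set(redirect_snippets(plain_body))
    google = set(redirect_snippets(google_body))
    return bool(google - plain)

def fetch(url, referer=None):
    """Fetch a page, optionally setting the Referer header (uses the network)."""
    req = urllib.request.Request(url, headers={"User-Agent": "site-check/1.0"})
    if referer:
        req.add_header("Referer", referer)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")

def check_site(url):
    """Compare a plain visit with one that looks like a click from Google Images."""
    plain = fetch(url)
    from_google = fetch(url, referer="https://www.google.com/imgres?q=test")
    return detect_referrer_cloaking(plain, from_google)

if __name__ == "__main__":
    print(detect_referrer_cloaking(PLAIN_BODY, CLOAKED_BODY))  # True
    print(detect_referrer_cloaking(PLAIN_BODY, PLAIN_BODY))    # False
```

A True result from `check_site()` on your own domain means the injected file is still serving, so the next step is locating it in the web root and the compromised CMS install rather than only cleaning client machines.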