Proactive IT security
 

Dangerous images

Introduction

One of the "truths" from the Internet's early days was that one could not be infected by malware by visiting web pages or clicking on images. Some truths, however, turn out to be untrue at a later point in time.

These days, malicious web pages are perhaps the most used attack vector; that part of history was rewritten years ago.

Recent weeks have also shown that images are used as a malware-spreading technique, particularly images that appear after performing a Google image search. This is discussed in this security article.

The technique used

Google image search

Google wrote about image search on its official blog on 20 July 2010:

When you think about “information,” what probably comes to mind are streams of words and numbers. Google’s pretty good at organizing these types of information, but consider all the things you can’t express with words: what does it look like in the middle of a sandstorm? What are some great examples of Art Nouveau architecture? Should I consider wedding cupcakes instead of a traditional cake?

This is why we built Google Images in 2001. We realized that for many searches, the best answer wasn’t text—it was an image or a set of images. The service has grown quite a bit since then. In 2001, we indexed around 250 million images. By 2005, we had indexed over 1 billion. And today, we have an index of over 10 billion images.

A search result for images associated with a particular topic may look like the one below:



Google image search for the world's most expensive pens

Note that the images from the search above have not been checked. We have no reason to believe that they are compromised!

The infection technology

Search Engine Optimization (SEO) poisoning is the most common technique used to get "the malicious images" high on the result page of an image search. SANS Internet Storm Center has a good description of how the cybercriminals' setup functions. The short version is as follows:

  1. Web sites are compromised and special scripts are inserted on the web pages.
  2. Special pages are generated "on the fly" based on the search terms that are most popular at any point in time. These pages may include both text and images.
  3. SEO poisoning techniques are used in order to get the results, including the images, from compromised pages high on the search results. Thumbnails from legitimate pages are shown together with the malicious ones.
  4. Whenever a user clicks on a "poisoned image" from Google's image search result, the compromised page redirects to a web page that serves malware.

Currently, most of the compromised web pages lead to fake antimalware. However, any type of malware may of course be distributed by using this technique.

Avoiding infection

Several stakeholders are involved in avoiding infections resulting from malware that uses this technique.

Google

Google has become quite good at identifying ordinary web pages that have been compromised, and displays a "This site may be compromised" warning directly below the page title in a search result.

We hope that Google introduces a similar technology in its image result system. As of now, Google blacklists the sites that auto-generated pages from compromised web sites refer to.

Webmasters

Webmasters should of course continue to ensure that their web site is secure. Security updates to operating systems and applications in use should be applied as soon as possible.

It is also wise to check for known attack behavior to see if the web site may have been compromised. In the particular Google image search issue discussed here, certain scripts and web pages will be present on the web pages and the web site (see references below).
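A webmaster can also test for the redirect behavior described in step 4 above by requesting one of the site's own pages twice, with and without a search-engine referrer, and comparing where each response sends the visitor. The Python code below is an added example, not code from the original article or from SANS; it assumes the injected script decides based on the Referer header, and the referrer value, host names and sample responses are constructed.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Assumption: the injected script keys on the Referer header of the request.
SEARCH_REFERER = "https://www.google.com/imgres"  # constructed sample value
# Heuristic for client-side redirects: meta refresh or a script setting location.
CLIENT_REDIRECT = re.compile(
    r"""(?:http-equiv=["']?refresh[^>]*url=|location(?:\.href|\.replace)?\s*[=(]\s*)"""
    r"""["']?([^"'\s>)]+)""", re.IGNORECASE)

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx response instead of following it

def fetch(url, referer=None):
    """Request url once; return (status, Location header, body text)."""
    headers = {"Referer": referer} if referer else {}
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(urllib.request.Request(url, headers=headers), timeout=10)
    except urllib.error.HTTPError as err:  # unfollowed 3xx and 4xx/5xx land here
        resp = err
    return resp.code, resp.headers.get("Location"), resp.read().decode("utf-8", "replace")

def offsite_targets(page_url, status, location, body):
    """Hosts other than our own that this response sends the visitor to."""
    own = urlparse(page_url).hostname
    targets = [location] if 300 <= status < 400 and location else []
    targets += CLIENT_REDIRECT.findall(body)
    hosts = {urlparse(urljoin(page_url, t)).hostname for t in targets}
    return {h for h in hosts if h and h != own}

def referer_cloaking(page_url, direct, via_search):
    """Foreign hosts reached only when the request carries a search referrer."""
    return offsite_targets(page_url, *via_search) - offsite_targets(page_url, *direct)

def check_page(page_url):
    """Live check of one of your own pages (needs network access)."""
    return referer_cloaking(page_url, fetch(page_url), fetch(page_url, SEARCH_REFERER))

# Constructed sample responses, standing in for two fetches of the same page.
PAGE = "http://www.example.org/pens.html"
DIRECT = (200, None, "<html><img src='pen.jpg'></html>")
VIA_SEARCH = (302, "http://scanner.example.net/scan/", "")

if __name__ == "__main__":
    print(referer_cloaking(PAGE, DIRECT, VIA_SEARCH))
```

A non-empty result means the page behaves differently for visitors arriving from a search result and should be inspected for injected scripts; an empty result does not prove the site is clean, since the redirect may depend on other request properties.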

Individual users

There are several actions that individual users can perform in order to protect themselves from this Google image search scam.

  • Disallow scripting in the browsers.
    This option will reduce the web surfing experience for most users. We believe that even though this will increase the safety considerably, it is probably not viable for most users.
  • Install the Firefox add-on NoScript.
    This option is an alternative for users of Mozilla's Firefox browser only. NoScript allows the user to decide which web resources are allowed to run scripts in the browser. NoScript is highly recommended and has been mentioned in several previous security articles from Norman.
  • Do not click on thumbnail images from Google search results.
    This should be fairly easy to accomplish. Although this precaution does not solve the underlying problem, it should accomplish the desired result.
  • Use updated antimalware products.
    An updated antimalware product will offer protection against malicious programs. Norman has antimalware products for end users and organizations.

Selected references