Poisoned Google Image Searches Becoming a Problem

Orome1 writes "If you are a regular user of Google's image search, you might have noticed that poisoned search results have practically become a common occurrence. Google has, of course, noticed this and does its best to mark the offending links as such, but they still have trouble when it comes to cleaning up its image search results."

im glad im not the only one

[metalmaster]

I was looking up images for a VP shunt when I came across a few poisoned links. I got scared for a minute because just hovering over the image triggered the payload for one of them

Re:im glad im not the only one

[Nimey]

lynx + zgv was how I used to view images on the Web about ten years ago. It worked surprisingly well, back before AJAX or Flash were used for navigation.

screenshots

[cobbaut]

Two weeks ago I put some screenshots of what it looks like on my blog:
http://cobbaut.blogspot.com/

Re:web 101: don't run unknown javascripts

As a professional web developer, we often write code that expects Javascript to work on our sites, because noone ever turns it off. We have some very high traffic sites, and outside of web crawlers, I don't believe we've seen it blocked, ever.

Re:web 101: don't run unknown javascripts

This is not going to happen. Many major websites, many of the highest traffic websites involve hundreds of JS scripts to make a single page function. Web 2.0 and all...

Ironic, given that Google recently (this month) just changed its behavior to practically require Javashit.

Old hotness: (1) Google "foo". (2) Click "Images" tab at top of screen for a GIS for "foo".

New and busted: (1) Google "foo". (2) Click "Images" tab at top of screen for... "Your search - foo - did not match any documents." (3) curse, click "Images" tab again - to go to http://www.google.com/imghp?hl=en&tab=ii, and (4) have to type "foo" again in order to GIS "foo". (Or remember to start at images.google.com, which is an issue when you might not be sure which terms to use when searching for the image in the first place)

Turn Javashit on, and clicking the tab works just fine... but whatever Google changed broke the non-Javashit version of GIS.

Sorta like last month - maps.google.com is an AJAX app, so it's reasonable for it to require Javascript. But it used to work fine without cookies enabled. Now, it requires both Javascript and cookies. Interesting.

Just tested/confirmed both of these on Firefox 3.6.16.

What Facebook does overtly, Google does by benign neglect and failure to regression-test. What's next? Google services simply stop working for Firefox and require Chrome?

Mac is vulnerable too

[Teckla]

My wife got bitten by this just today.

She navigated to a web page from a Google search result, and Safari automatically downloaded some malware and executed it.

I didn't believe my wife's story at first, so I tried it. Sure enough, automatic download and execution on Mac/Safari.

What the fuck, Apple and Safari?

The only question that remains is whether I'll be moving her to Firefox or Chrome...

Re:Mac is vulnerable too

[larkost]

It did not download and execute, it downloaded and opend the installer. Your wife would have had to go clicking through a an installer, and provided her admin credentials, in order to have installed/run something.

While this is bad behavior, and will probably finally convince Apple that .pkg should not be on the list of auto-launched items, this is also not the "sky is falling" situation that your post makes it out to be.

Re:Mac is vulnerable too

[slyborg]

Turn off "Open Safe files after downloading" in Safari Preferences. (-_-)
Chrome is definitely faster, but doesn't have NoScript and uses more RAM.

Re:Mac is vulnerable too

[Teckla]

What was the link? What was the malware?

I'm sorry to say I no longer have the link. I can tell you my wife was searching for something to the effect of "fairy wings" or "tinkerbell wings" with my young daughter, and that the link she ultimately clicked on was a .ms address. That might help you hunt down the same link, since this happened less than 8 hours ago.

What happened? I am assuming it downloaded an actual executable Mac application

I don't recall the exact thing it downloaded, but I recall it ended with .mpkg and was actually a directory I was able to navigate into using Terminal.

It automatically popped up some kind of installer for MacProtector, which is apparently malware (based on my Googling). I'm pretty good on Windows and Linux, but I know next to nothing about the Mac. I'm not aware of any really low level geekery details like "Mac installers are always 100% safe! Just cancel out of them!" or anything like that. I'm confident it didn't have root access, but even with just my wife's login credentials, my suspicion is that it could have done a lot of damage.

What *exactly* executed, and what was the result?

She clicked on a Google search result. The Downloads dialog box popped up. It downloaded something almost too quickly for the eye to see. Some kind of malware installer than displayed a GUI. It looked like the very first step of the installer. There was a Continue button.

I would be interested to know what malware got past, and what her settings in Safari were.

I'm sure her Safari settings were almost entirely set to their defaults. The Mac is supposed to be the "safe" computer. Or so we thought...

I'm sure the Slashdot crowd will come down hard on me over this. I fully expect my intelligence to be questioned and to be modded into oblivion. But really, I don't see how an average user should respond to this except to assume the worst and reinstall OS X.

And I really do blame Apple for setting absolutely bone headed defaults on Safari.

Re:Mac is vulnerable too

[techtech]

Safari / Mac OS X latest versions as 08.05.2011 CET As I happen to use the Google image search a lot, and open each image (from google results) in a tabs (collect them) and after that reviewing them. Today I searched for different architecture related things and managed to open this this FAKE AV page, a lot of times, differnt pages. And the file that is downloaded is "anti-malware.zip" [1,9 MB on disk (1 872 571 bytes)]. This file contain "MacProtector.mpkg." I am sure I do not have the default settings, because I review every programs settings before I am starting using it, as a common proceedure. I have the open secure files automatically option off, it was not opened. As far as I know Safari does not consider a zip a secure file, and there is not an automatic execution of mpkg inside a zip as standard?

Re:web 101: don't run unknown javascripts

Firefox + FlashBlock + NoScript

What's the point? NoScript is FlashBlock and then some.

Re:web 101: don't run unknown javascripts

[Tacvek]

The trouble is that you likely get a substantially degraded experience on some sites. Many well developed sites use AJAX to speed up navigation[1], falling back on a full request when JavaScript is disabled. Similarly many sites implement convince features like jquery-based auto-completion which help make the site easier/faster to use, but again the site continues to function even with JavaScript turned off. You likely never even realize that you are getting a degraded experience because the site did not completely break.

That is a large part of the reason I actively do not recommend NoScript or similar solutions, favoring blacklisting known bothersome scripts, and using sadboxes and equivalent to guard against the unknown.

[1] You only need to download the changed portion, and browsers can update a page in place faster than re-rendering the whole page.