Slashdot Mirror


Poisoned Google Image Searches Becoming a Problem

Orome1 writes "If you are a regular user of Google's image search, you might have noticed that poisoned search results have practically become a common occurrence. Google has, of course, noticed this and does its best to mark the offending links as such, but it still has trouble when it comes to cleaning up its image search results."

23 of 262 comments

  1. im glad im not the only one by metalmaster · · Score: 4, Informative

    I was looking up images for a VP shunt when I came across a few poisoned links. I got scared for a minute because just hovering over the image triggered the payload for one of them.

    1. Re:im glad im not the only one by WrongSizeGlass · · Score: 5, Funny

      To protect myself against these poisoned image search results I make sure I always use Lynx when I search for images.

    2. Re:im glad im not the only one by Nimey · · Score: 5, Informative

      lynx + zgv was how I used to view images on the Web about ten years ago. It worked surprisingly well, back before AJAX or Flash were used for navigation.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    3. Re:im glad im not the only one by Rizimar · · Score: 5, Funny

      I'm pretty fluent in JPEG myself, though I read the files in a hex editor. You get used to it. I...I don't even see the code. All I see is blonde, brunette, red-head.

    4. Re:im glad im not the only one by Anonymous Coward · · Score: 5, Funny

      Dread Pirate Google: All right. Where is the trojan? The battle of wits has begun. It ends when you decide and we both click, and find out who is right... and who is hacked.

      Vizzini: But it's so simple. All I have to do is divine from what I know of you: are you the sort of man who would put the trojan into his own link or his enemy's? Now, a clever man would put the trojan into his own link, because he would know that only a great fool would click on what he was given. I am not a great fool, so I can clearly not choose the link in front of you. But you must have known I was not a great fool, you would have counted on it, so I can clearly not choose the link in front of me.

      Dread Pirate Google: You've made your decision then?

      Vizzini: Not remotely. Because Zeus comes from Eastern Europe, as everyone knows, and Eastern Europe is entirely peopled with criminals, and criminals are used to having people not trust them, as you are not trusted by me, so I can clearly not choose the link in front of you.

      Dread Pirate Google: Truly, you have a dizzying intellect.

      Vizzini: Wait till I get going! Where was I?

      Dread Pirate Google: Eastern Europe.

      Vizzini: Yes, Eastern Europe. And you must have suspected I would have known the trojan's origin, so I can clearly not choose the link in front of me.

      Dread Pirate Google: You're just stalling now.

      Vizzini: You'd like to think that, wouldn't you? You've beaten my firewall, which means you're exceptionally strong, so you could've put the trojan in your own link, trusting on your strength to save you, so I can clearly not choose the link in front of you. But, you've also bested my antivirus, which means you must have studied, and in studying you must have learned that root is hackable, so you would have put the trojan as far from yourself as possible, so I can clearly not choose the link in front of me.

      Dread Pirate Google: You're trying to phish me into giving away something. It won't work.

      Vizzini: It has worked! You've given everything away! I know where the trojan is!

      Dread Pirate Google: Then make your choice.

      Vizzini: I will, and I choose-- What in the world can that be?

      Dread Pirate Google: What? Where? I don't see anything.

      Vizzini: Well, I- I could have sworn I saw something. No matter.

      Dread Pirate Google: What's so funny?

      Vizzini: I'll tell you in a minute. First, let's click. Me on my link, and you on yours.

      (They both click.)

      Dread Pirate Google: You guessed wrong.

      Vizzini: You only think I guessed wrong! That's what's so funny! I switched links when your back was turned! Ha ha! You fool! You fell victim to one of the classic blunders! The most famous is never get involved in a land war in Asia, but only slightly less well-known is this: never go in against a Sicilian when pwnage is on the line!! Ha ha ha ha ha ha ha!! Ha ha ha ha ha ha ha!! Ha ha ha--NO CARRIER

  2. web 101: don't run unknown javascripts by Anonymous Coward · · Score: 4, Insightful

    From TFA: "it displays another script - this time it's a JavaScript one - that redirects the browser to another compromised site that serves malware."

    By 2011, it should be considered "web 101" to not run javascripts unless you have a reason TO run them. Most people seem to just run any old javascripts by default, without having the first clue what it might be doing. There can't be much debate that it's a stupid course of action, given how many people's machines are jacked by exactly that attack vector (albeit possibly using another as well).

    Yeah, yeah, I know, you need javascript for your bank. That's great: whitelist your damn bank. But run only javascripts on your *whitelist*, not anything any random yahoo from a site you've never heard of before wants you to run. Would you treat your physical possessions that way? Would you let a drug gang in eastern europe borrow your car with your permission? If not, why would you allow them to use your computer?

    I swear that the reason I haven't had a malware in my entire PC using history, and others seem to have them on a weekly or monthly basis, is because I don't completely shut off my brain once the words "... on the computer" appear in a sentence.

    1. Re:web 101: don't run unknown javascripts by Frosty+Piss · · Score: 4, Insightful

      By 2011, it should be considered "web 101" to not run javascripts unless you have a reason TO run them. Most people seem to just run any old javascripts by default...

      This is not going to happen. Many major websites, many of the highest traffic websites involve hundreds of JS scripts to make a single page function. Web 2.0 and all...

      The *average non-techie web surfer* is simply NOT going to turn off JS.

      Will not happen... So, it's not realistic or productive to waste time discussing such an option.

      Sad, but true.

      --
      If you want news from today, you have to come back tomorrow.
    2. Re:web 101: don't run unknown javascripts by blindseer · · Score: 5, Insightful

      It's 2011, there should not be anything a Javascript can do that is harmful to your computer.

      --
      I am armed because I am free. I am free because I am armed.
    3. Re:web 101: don't run unknown javascripts by Anonymous Coward · · Score: 5, Informative

      This is not going to happen. Many major websites, many of the highest traffic websites involve hundreds of JS scripts to make a single page function. Web 2.0 and all...

      Ironic, given that Google recently (this month) just changed its behavior to practically require Javashit.

      Old hotness: (1) Google "foo". (2) Click "Images" tab at top of screen for a GIS for "foo".

      New and busted: (1) Google "foo". (2) Click "Images" tab at top of screen for... "Your search - foo - did not match any documents." (3) curse, click "Images" tab again - to go to http://www.google.com/imghp?hl=en&tab=ii, and (4) have to type "foo" again in order to GIS "foo". (Or remember to start at images.google.com, which is an issue when you might not be sure which terms to use when searching for the image in the first place)

      Turn Javashit on, and clicking the tab works just fine... but whatever Google changed broke the non-Javashit version of GIS.

      Sorta like last month - maps.google.com is an AJAX app, so it's reasonable for it to require Javascript. But it used to work fine without cookies enabled. Now, it requires both Javascript and cookies. Interesting.

      Just tested/confirmed both of these on Firefox 3.6.16.

      What Facebook does overtly, Google does by benign neglect and failure to regression-test. What's next? Google services simply stop working for Firefox and require Chrome?

    4. Re:web 101: don't run unknown javascripts by AsmordeanX · · Score: 4, Insightful

      I tried running with Javascript disabled. Five years ago you could get away with it. Now so many sites, especially with jQuery being so pervasive, simply don't work with JS disabled or you get an ugly broken thing.

      I hear the claim, "Well you can run it on trusted sites". What has the site done to earn my trust? Why couldn't a malicious site appear interesting enough to prompt you to turn JS on and thus be attacked? Only a little social engineering can defeat NoScript. Whitelisted sites can become compromised as well.

    5. Re:web 101: don't run unknown javascripts by Frosty+Piss · · Score: 4, Insightful

      They will after their machine has to be taken into the shop again for maintenance due to being infected by drive-by exploits like this.

      You might think, but there is a lot to suggest that what you suppose is not the case.

      The fact is, the average non-techie user values "interactive" over "secure". Those in the business of servicing PCs on the consumer level will tell you this.

      --
      If you want news from today, you have to come back tomorrow.
    6. Re:web 101: don't run unknown javascripts by 93+Escort+Wagon · · Score: 4

      Even if the defaults are reversed, what is grandma going to do, vet the JS code for every script that wants to run?

      This is Slashdot - our posts are meant to demonstrate how 1337 we are, not an understanding of how the world actually works.

      --
      #DeleteChrome
    7. Re:web 101: don't run unknown javascripts by 93+Escort+Wagon · · Score: 5, Funny

      It's 2011, there should not be anything a Javascript can do that is harmful to your computer.

      It's 2011, where's my damn flying car?

      It's held up in pre-production until they can fix a persistent Javascript bug.

      --
      #DeleteChrome
  3. screenshots by cobbaut · · Score: 5, Informative

    Two weeks ago I put some screenshots of what it looks like on my blog:
    http://cobbaut.blogspot.com/

    --
    European Linux user, living in Antwerp
  4. Violence is required by erroneus · · Score: 4, Interesting

    The people who are doing this are criminals. They need to be stopped. It's as simple as that. Follow the money and beat the crap out of them until it stops.

  5. a couple add ons that help by d6 · · Score: 5, Insightful

    I surf with requestpolicy and noscript up. It is utterly amazing the number of websites that can't render a page without firing scripts or loading content from 6, 8, 10 or more different domains.
    If you haven't tried these, do it and be amazed at how many sites load without stylesheets, pictures etc. It's amazing how badly shit is implemented - zero thought about graceful degradation.

    no script
    requestpolicy

  6. Mac is vulnerable too by Teckla · · Score: 5, Informative

    My wife got bitten by this just today.

    She navigated to a web page from a Google search result, and Safari automatically downloaded some malware and executed it.

    I didn't believe my wife's story at first, so I tried it. Sure enough, automatic download and execution on Mac/Safari.

    What the fuck, Apple and Safari?

    The only question that remains is whether I'll be moving her to Firefox or Chrome...

    1. Re:Mac is vulnerable too by slyborg · · Score: 4, Informative

      Turn off "Open Safe files after downloading" in Safari Preferences. (-_-)
      Chrome is definitely faster, but doesn't have NoScript and uses more RAM.

    2. Re:Mac is vulnerable too by Teckla · · Score: 4, Insightful

      It did not download and execute, it downloaded and opened the installer. Your wife would have had to go clicking through an installer, and provided her admin credentials, in order to have installed/run something.

      Sorry, I'm not a Mac expert. All I know is that it automatically downloaded something, and automatically executed something. I'm not technically knowledgeable enough about OS X to know that, even though we immediately exited the malware installer, that nothing bad could possibly have happened.

      And I'm still not convinced the malware installer didn't do something bad before it popped up its first GUI window. I'm not accusing you of being a liar, but my wife uses her Mac to access our bank accounts and such. I have no choice but to nuke the site from orbit (reinstall OS X). I'd like to trust that because someone on the Internet said I'm safe and not to worry about it, that I can just plain not worry about it, but I just can't take that risk.

      At the end of the day, Apple/Safari's amazingly fucked up defaults burned us good and hard. It'll take me days to fully reload and reconfigure her machine.

      Thanks, Apple...

    3. Re:Mac is vulnerable too by Teckla · · Score: 4, Informative

      What was the link? What was the malware?

      I'm sorry to say I no longer have the link. I can tell you my wife was searching for something to the effect of "fairy wings" or "tinkerbell wings" with my young daughter, and that the link she ultimately clicked on was a .ms address. That might help you hunt down the same link, since this happened less than 8 hours ago.

      What happened? I am assuming it downloaded an actual executable Mac application

      I don't recall the exact thing it downloaded, but I recall it ended with .mpkg and was actually a directory I was able to navigate into using Terminal.

      It automatically popped up some kind of installer for MacProtector, which is apparently malware (based on my Googling). I'm pretty good on Windows and Linux, but I know next to nothing about the Mac. I'm not aware of any really low level geekery details like "Mac installers are always 100% safe! Just cancel out of them!" or anything like that. I'm confident it didn't have root access, but even with just my wife's login credentials, my suspicion is that it could have done a lot of damage.

      What *exactly* executed, and what was the result?

      She clicked on a Google search result. The Downloads dialog box popped up. It downloaded something almost too quickly for the eye to see. Some kind of malware installer that displayed a GUI. It looked like the very first step of the installer. There was a Continue button.

      I would be interested to know what malware got past, and what her settings in Safari were.

      I'm sure her Safari settings were almost entirely set to their defaults. The Mac is supposed to be the "safe" computer. Or so we thought...

      I'm sure the Slashdot crowd will come down hard on me over this. I fully expect my intelligence to be questioned and to be modded into oblivion. But really, I don't see how an average user should respond to this except to assume the worst and reinstall OS X.

      And I really do blame Apple for setting absolutely boneheaded defaults on Safari.

    4. Re:Mac is vulnerable too by techtech · · Score: 4, Informative

      Safari / Mac OS X latest versions as of 08.05.2011 CET. As I happen to use the Google image search a lot, and open each image (from Google results) in tabs (collect them) and after that review them. Today I searched for different architecture-related things and managed to open this FAKE AV page a lot of times, different pages. And the file that is downloaded is "anti-malware.zip" [1,9 MB on disk (1 872 571 bytes)]. This file contains "MacProtector.mpkg." I am sure I do not have the default settings, because I review every program's settings before I start using it, as a common procedure. I have the open secure files automatically option off, it was not opened. As far as I know Safari does not consider a zip a secure file, and there is not an automatic execution of mpkg inside a zip as standard?

    5. Re:Mac is vulnerable too by cathector · · Score: 4, Interesting

      i've been on osx for about two years, and just yesterday had my first malware experience,
      which is pretty much identical to Teckla's: i was in safari and followed a GIS link for "blanket octopus"
      and clicked on one of the pictures, and got a pop-up browser with some "security scan in progress.." BS dialog.
      no big deal.
      but then the OSX package installer opened up, trying to install some obvious malware .mpkg which had been downloaded to my desktop.
      downloading a file without my permission is already a total security fail, imo, but running the installer on it is beyond bad.
      obviously i nixed the installer and power-cycled and so far haven't noticed anything untoward, but it's scary.
      the name of the .mpkg was "MacProtector.mpkg". unfortunately i rm -rf'd without making an archive of it.
      - google shows a few hits for that. so, in short, yeah, Teckla's experience matches mine.

  7. Re:Use an alternative search. by Undead+Waffle · · Score: 4, Funny

    Altavista, Ask and Bing have just been giving me more relevant search results lately.

    Somewhat interestingly, and wildly offtopic, Altavista is powered by Yahoo, and Yahoo is powered by Bing, so you are really only using at most 2 search engines. (Ask also outsources to someone, but they don't say who, so it may very well be M!r0$0f+ as well).

    And Microsoft copies Google's search results so in the end everyone is just using Google!