
Hackers use Google Image Search for malware


Search giant Google's Image Search is now being used to distribute malware, with attackers using code injection to accomplish the job. Internet Storm Center researcher Bojan Zdrnja said that most of the attacks lead to sites offering fake antivirus programs.

"For (the) last couple of weeks we received quite a bit of reports of images on Google leading to (usually) FakeAV web sites. Google is doing a relatively good job removing (or at least marking) links leading to malware in normal searches, however, Google’s image search seem to be plagued with malicious links," Zdrnja said in a blog post.

He said that the attackers have been able to compromise legitimate web sites, usually WordPress installations, but can also exploit any widely spread software that has known vulnerabilities. Once the legitimate web sites have been exploited, the attackers plant their PHP scripts, which he said vary from simple to very advanced. Such scripts can automatically monitor Google trend queries and create artificial web pages containing information that is currently trending as being of popular interest, he said.

"If you ever wondered how they had those web sites about Bin Laden up quickly it is because they automatically monitor the latest query trends and generate web pages with artificial content," he said.

The compromised web sites contain not only text, but also images that are acquired from various websites.

"Now, when a user searches for something through the Google image search function, thumbnails of pictures are displayed. Depending on the automatically generated content ... number of links to the web page and other parameters known to Google, the attacker’s page will be shown at a certain position in the results web page. The exploit happens when a user clicks on the thumbnail," he said.

When a user clicks on the image in the compromised site, the browser will automatically send a request to the bad page, which runs the attacker’s script and redirects the browser to another site serving FakeAV.

Zdrnja said the best protection, besides not clicking on images, is to install a Mozilla Firefox add-on such as NoScript.

"Google could step up a bit as well, especially since this has been going on for more than a month already and there are numerous complaints on Google’s forums about this. Since there are so many poisoned images they could maybe modify the screen that displays the results so it does not include the iframe – that will help in first step only, since if the user lands on the malicious web page there is nothing Google can do really," he said.

A separate article on PC World said that Google could be serving as many as 15 million hits a month to these malicious pages. It added that Google says it is aware of the problem and is making an effort to detect malicious pages, but Google would not detail its plans for fear that attackers may adjust their methods to get around the company's efforts. It noted that Google added alerts to potentially hacked sites in December of last year, and that Google's Chrome browser blocks potentially dangerous downloads. — TJD, GMA News