Google Image Search malware – the unseen threat

Google Image Search is one attack vector that malware writers are focusing their attention on right now. It’s the unseen threat (no pun intended :)). Have you ever clicked on an image in Google search without checking whether the image/thumbnail was safe? Malicious images in search use BlackHat SEO and PHP scripts to evade Google’s URL and image detection technology. Malicious image search propagation is a very real threat for end users. I’ve been seeing some malicious activity regarding Google image search, and security analysts whom I know well support me on this finding.

Fake malware websites are popping up that host popular pictures, e.g. photographs of famous people or people in the news. In addition to malicious websites, hackers are using code injection to redirect users when they click on an image. The redirect takes them to a website that attempts to download and install a fake antivirus application (often referred to as rogueware or scareware).

Malware writers will develop advanced scripts that automatically monitor Google Trend Queries and create artificial web pages – this is the BlackHat SEO component. You can now see how the hackers generate webpages with artificial content. The webpages contain both text and images that are copied from other websites to maintain authenticity.

The hackers primarily target legitimate websites. Once the source website has been exploited, the PHP scripts are uploaded. The scripts are used to identify and locate the images via search engines, e.g. Google. The malware writers then create scripts that look for Google bots and deliver a special page back to them containing automatically generated content. Google then parses the embedded links to images, which populates the image search database. Clever :) So, what is the real issue?

When you search Google images, thumbnails of images are displayed. A malicious image with an embedded URL will appear in a certain position (normally a high position) in search – anyone who knows BlackHat SEO will know what I’m talking about here. The exploit occurs when a user inadvertently clicks the image. Hover over the thumbnail and then click it, and the image will be shown in the center of the page (iframe/XSS exploits are a real problem here), with links to the original website on the right-hand side and the original thumbnail in the background.

The browser sends a request to the malware page, which executes the malicious script on a legitimate website. The script checks whether the request comes from a Google click; if it does, JavaScript executes and the browser is automatically redirected to a fake website which hosts the rogue antivirus. Google appears to have made some headway with image search protection, whereby it’s a lot harder to hijack top rated images using hot-linking and unusual unintelligible keywords. But more needs to be done to protect end users who trawl beyond the top rated image search pages.
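For site owners, the behaviour described above (one page for Google's crawler, another for visitors arriving from a Google click) leaves a trace in the web server's own access log. The following is an added example, not code from the original post: it assumes Apache/nginx combined log format, a 20% size tolerance, and constructed sample lines with hypothetical paths.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - - [time] "GET path proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(r'\S+ \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<path>\S+) [^"]*" '
                     r'(?P<status>\d{3}) (?P<size>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
GOOGLE_REFERER = re.compile(r'^https?://([a-z0-9-]+\.)*google\.[a-z]{2,3}(\.[a-z]{2})?/', re.I)

def visitor_class(referer, ua):
    """Bucket a request by the two signals the post says the scripts key on."""
    if "googlebot" in ua.lower():
        return "crawler"
    if GOOGLE_REFERER.match(referer):
        return "google_click"
    return "direct"

def find_cloaked_paths(log_lines, tolerance=0.2):
    """Return {path: {class: (statuses, mean_size)}} for paths that answer classes differently."""
    seen = defaultdict(lambda: defaultdict(list))    # path -> class -> [(status, size)]
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue                                 # malformed, or no body size ("-") to compare
        cls = visitor_class(m["referer"], m["ua"])
        seen[m["path"]][cls].append((m["status"], int(m["size"])))
    flagged = {}
    for path, by_class in seen.items():
        summary = {c: (sorted({s for s, _ in r}), sum(z for _, z in r) / len(r))
                   for c, r in by_class.items()}
        if len(summary) < 2:
            continue                                 # only one visitor class: nothing to compare
        means = [mean for _, mean in summary.values()]
        spread = (max(means) - min(means)) / max(max(means), 1)
        if len({tuple(s) for s, _ in summary.values()}) > 1 or spread > tolerance:
            flagged[path] = summary
    return flagged

# Constructed sample lines (documentation IPs, hypothetical paths), not real traffic.
BOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
FF = "Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0"
T = "[01/Jan/2000:00:00:00 +0000]"
SAMPLE_LOG = [
    f'192.0.2.10 - - {T} "GET /gallery/view.php?id=7 HTTP/1.1" 200 48211 "-" "{BOT}"',
    f'198.51.100.7 - - {T} "GET /gallery/view.php?id=7 HTTP/1.1" 200 312 "http://www.google.com/imgres?q=x" "{FF}"',
    f'192.0.2.10 - - {T} "GET /about.html HTTP/1.1" 200 5120 "-" "{BOT}"',
    f'198.51.100.7 - - {T} "GET /about.html HTTP/1.1" 200 5120 "http://www.google.com/search?q=x" "{FF}"',
]

if __name__ == "__main__":
    print(find_cloaked_paths(SAMPLE_LOG))
```

A flagged path is a lead for manual review, not proof of compromise, since legitimately dynamic pages also vary in size. The crawler bucket is a user-agent string match only and does not verify that the request really came from Google.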

So, how do you protect yourself from image poisoning? Well, firstly you might want to think twice when clicking on a search image. Secondly, I would suggest all users use a script blocker program, e.g. the NoScript Firefox add-on (read more about JavaScript/XSS protection), and a sandbox (this will sandbox images you download and deny malware/scripts access to the registry and system files). Some tech geeks also suggest removing the Google referrer HTTP header on the proxy (or using the RequestPolicy add-on for Firefox – CSRFs anyone?), but this isn’t much use to non-techies, and to be honest these are the very people that get infected. :(

Safe surfing folks!
Julian
