Reader Stephanie told us that during a Google image search for a picture of Mussolini she found a site downloading malware. I decided to look into this issue further to see what I could find. Before starting, please be careful about what you do, as this page is still alive. I clicked the image found in Google. The following script was received from the host: The URL loads the following javascript, which is encoded: After decoding, it yields an executable, MD5 ef42a441af5e5a250f18aeb089698c35. It does not perform any changes to the system, but it connects to 69.50.197.243 TCP port 8000 to download further malware content. Such attacks are common. How to minimize the risk of these attacks? We can summarize some controls:
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org |
Manuel Humberto Santander Peláez 194 Posts ISC Handler Apr 23rd 2011 |
Apr 23rd 2011 9 years ago |
Confused - did you just load the page displaying the image or did you download it?
Anonymous |
Apr 23rd 2011 9 years ago |
I thought this was common knowledge; this is exactly why I use OpenDNS to block all access to non-whitelisted '.info' TLDs (among others) as well as running Firefox with NoScript.
Alan 3 Posts |
Apr 23rd 2011 9 years ago |
SEO poisoning - Google Image search...
- http://community.websense.com/blogs/securitylabs/archive/2011/04/21/presley-walker-google-image-search-results-poisoned.aspx 21 Apr 2011 (leads to "Neosploit"...) . |
Jack 160 Posts |
Apr 23rd 2011 9 years ago |
BTW, it should be noted that blocking URLs does -not- block IP numeric addresses, so the OpenDNS blocklist should be utilized as a supplement, at best.
Jack 160 Posts |
Apr 23rd 2011 9 years ago |
The nearest analog for NoScript in IE would be the Zones in the Internet Options > Security tab, which can be configured locally either by GUI or Local Group Policy, or by a domain policy. If you'd like to allow scripts (and/or Java and/or ActiveX) only on sites you explicitly approve, you'd add the desired sites to the Trusted Sites zone (after first setting the Trusted Zone's security baseline to something sensible like Medium-High). Disable the unwanted functionalities in the Internet Zone to suit your needs.
IE has had this capability since IE5, if I recall correctly. |
Jack 12 Posts |
Apr 23rd 2011 9 years ago |
I followed one of the image redirects; it often leads to sites in the cz.cc domain. You can check these sites at urlquery.net, however you need to specify the referrer, otherwise you will just get a redirect to the homepage.
This is a report with the referrer added: http://www.urlquery.net/report.php?id=1357 The infection vectors are Java and Acrobat Reader, best to keep those up to date ;) |
beamer 12 Posts |
Apr 24th 2011 9 years ago |
I just found another one of these: http://antivirus-program-2011.ce.ms/fast-scan
It seems that when re-opening Firefox (after force-closing it through Task Manager), it bypassed the "restore session" choice screen and force-restored the session with this tab still active. SB |
Spam 5 Posts |
Apr 25th 2011 9 years ago |
Funny this is a recent diary. We just implemented NetWitness' solutions (I don't work for them; I'm a security pro for a large online company), and let me tell you, we have detected over 15 zero-day malware downloads/infections in just the past few days. About 10 of the 15 came from Google image redirect downloads. The NetWitness solution allowed us to completely follow the TCP stream and present everything exactly how it went down. VirusTotal had about 1 or 2 vendors detecting them as very generic malware at the time of submission.
Anonymous |
Apr 26th 2011 9 years ago |