Fake AV - another attack method

Discussion in 'malware problems & news' started by Rmus, May 4, 2011.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    In another thread I asked if anyone knew of a drive-by fake AV exploit that didn't use javascript, and I didn't get any response.

    This one also involves scripting -- using poisoned images retrieved in a Google search. It's not new - the recent malware targeting Mac computers uses it:

    how to remove macdefender?
    https://discussions.apple.com/thread/3029554?tstart=0
    But this is the first analysis I've seen as to how this specific image exploit works:

    More on Google image poisoning
    http://isc.sans.edu/diary/More on Google image poisoning/10822

    Here is a screen shot of part of the script:

    googleimgscrpt.gif

    I don't have scripting enabled when doing searches, just as a precautionary measure.

    regards,

    -rich
     
    Last edited: May 4, 2011
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    I've often wondered why they use scripting to show the fake scans. I would have thought it would be possible to use, for e.g., animated GIFs etc. to achieve the same effect. Most people have this "feature" auto-enabled by their browser/s, I would think?

    Also I seem to remember, but might be wrong, that using CSS in some way/s could be abused to deliver unwanted etc. stuff. And that's free flowing in the browser, as far as I know!

    So combining both methods even without scripting "might" do some nasty deeds. Whether or not user stupidity etc. would still be required?
     
  3. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    Very interesting, Rmus! Thanks much for the breakdown.

    A few questions, though, if you would. Let's say that a user has their browser configured to only allow Javascript and plugins on a whitelist basis, with the default behavior being to disable Javascript and plugins on domains otherwise. Let us also assume that javascript and plugins are active on the Google domain (otherwise, Google Image Search doesn't work - At least, not for me).

    When the user clicks on the thumbnail, I assume the attack will still function - so the user will be redirected to the FakeAV site. But once there, I'd assume that javascript standards would be the preferred method of attack. In this case, will anything happen? Or will the whitelisting behavior render the attack toothless after landing on an unfamiliar domain?
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Not I, says me!

    I'm not familiar with much web programming - perhaps someone else can answer.

    Looking at the codes, however, reveals that the scripts load more than just the fake scans: they use 'mouseover' script commands to keep the user in a loop, for example, and scripts to make popup messages continue by means of the 'onclick' script command. Here are popups from an Antivirus2009 exploit, when the user attempts to close the page by clicking on the "X":

    jspopup.gif

    regards,

    -rich
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I've not needed javascript to use Google Images.

    But to test your question about whitelisting behavior, I'll enable javascript and search for bin laden:

    googleImgJS-1New.gif

    I'll click on one. Hovering the mouse over the image|link, I can see that Google is retrieving the page from longwarjournal.org
    and loading it into its Google domain, and I can verify that by seeing the URL in the browser address line.
    Since it's the same domain, javascript remains enabled:

    googleImgJS-2New.gif

    Now, if I click on the longwarjournal.org link at the top of the page, I'm taken to their site, and I see the same page,
    but since it's not the Google domain, javascript is not enabled:

    googleImgJS-3New.gif

    And so with a redirect from a Google search via search engine poisoning: javascript would be disabled on the redirected page, even though it's enabled on Google.

    (Google has been taking some heat regarding these SEO exploits using images, so they've been monitoring, and I didn't find any images that redirected.)

    In the "Nothing is New" department: redirect exploits from Google searches have been around for at least 4 years.
    Here at Wilders, back in 2007, member noway caught the 'sloantreefarm' exploit.
    Compare the sloantree code with the first code sample in step 4 in the Diary I linked in Post #1:

    sloantreefarNew.gif

    The difference is that instead of clicking on a text hyperlink, as in the sloan exploit, the user clicks on an image hyperlink.
    Slightly different type of code, but the result is the same: redirect to a bad site with a malicious script.

    And so it goes...

    regards,

    -rich
     
    Last edited: May 5, 2011
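    Added example (not from the thread or any poster): a minimal model of the per-domain script whitelist Carbonyl asked about, run over the scenarios Rmus walks through in post #5 plus a redirect to a poisoned-search landing host. Only google.com and longwarjournal.org come from the thread; the attacker hosts and paths are constructed, and the point of the second checker is the caveat that a substring match would let a look-alike host inherit Google's permission.

    ```javascript
    // Added example, not code from the thread. Models a browser whitelist that
    // enables scripts only on listed domains (and their subdomains).
    const WHITELIST = ["google.com"]; // the only domain the user has allowed

    // Hostname of a URL, lower-cased, or null if the URL does not parse.
    function hostOf(url) {
      try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
    }

    // Scripts run only when the host IS an allowed domain or is a subdomain of
    // it. Matching on a label boundary (".google.com") rather than a substring
    // is what keeps "google.com.fakeav.example" from passing.
    function scriptsAllowed(url, whitelist = WHITELIST) {
      const host = hostOf(url);
      if (host === null) return false;
      return whitelist.some(d => host === d || host.endsWith("." + d));
    }

    // Weaker check for contrast: "does the URL contain an allowed domain?"
    function naiveAllowed(url, whitelist = WHITELIST) {
      return whitelist.some(d => url.includes(d));
    }

    // Post #5 scenarios in order, then a poisoned-search redirect landing on a
    // constructed fake AV host, then a constructed look-alike host.
    const SCENARIOS = [
      ["https://www.google.com/search?tbm=isch&q=bin+laden", true],            // Google image search
      ["https://www.google.com/imgres?imgurl=http://longwarjournal.org/a", true], // page framed inside Google
      ["http://www.longwarjournal.org/a", false],                              // the site itself
      ["http://fakeav.example/scan.php", false],                               // redirect target (constructed)
      ["http://www.google.com.fakeav.example/", false],                        // look-alike host (constructed)
    ];

    // Run a checker over every scenario; each row records what the policy did.
    function evaluate(check = scriptsAllowed) {
      return SCENARIOS.map(([url, expected]) => ({ url, expected, got: check(url) }));
    }
    ```
    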
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Not you ;) but most people would have animated GIF's active. And looking it up, it seems they have used them as part of exploits.

    Remember the WMF fiasco :D


    Me neither :D

    We live in hope ;)

    Found this ?

    Stuff's gone missing from your Post # 5 ?
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    We'll have to wait and see if the fake AV people use any of those techniques!

    What's missing from post #5?

    -rich
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    I thought you had some screenies in the "Missing" sections before your Edit ?

    m.gif
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Images are missing.
     
  10. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Yes :thumb:
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
  12. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
  13. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    98,095
    Location:
    U.S.A.
    Merged Threads to Continue Related Topic.
     