Hijack attempts when using Google Images

In roughly 1 out of 30 searches, the picture result hijacks my browser to a rogue antivirus page.

▼ Searching for Easter-related pics:

Easter1.png


▼ Viewing the desired pic:

Easter2.png


▼ After a few seconds, image result is hijacked as follows:

Easter3.png


▼ When closing the tab, commence aggressive script:

Easter4.png


This happens on a new installation of Firefox 4.0. I have the Adblock add-on, realtime AV protection, realtime TeaTimer running from Spybot S&D and a modified HOSTS file. I don't go looking for pr0n sites or pirate software and I certainly don't do those cursors, smilies or Incredimail crap which are known to attract problems. Nothing has shown up on my hard disk from manual malware scans either. Could this be that a rogue domain has hijacked the image result and is doing it to a few of my other image results? A bit alarming though to be affecting 1 in 30-ish.

Excuse large font on the pictures and black background. I'm visually impaired. Thanks.
 
Maybe run a quick Malwarebytes scan and see if it picks anything suspicious up?

Does seem odd that you seem to get this as often as you say :(
 
Thanks both of you :-)

@ Cokecan - I performed full MBAM scan across all partitions just now and didn't find anything, not even cookies.

@ Duke - looks like the problem is server-side and is hijacking the results rather than my browser. Thanks for confirming by trying it out yourself too. Hope it wasn't too risky!
 
@ Duke - looks like the problem is server-side and is hijacking the results rather than my browser. Thanks for confirming by trying it out yourself too. Hope it wasn't too risky!

Didn't do it on purpose :p Yep, I think it's a server-side hack and then quite easy to get the virus on a single click.
 
It's just yet another Google image search poisoning. It's been discussed around the net for several months and it would be relatively simple for Google to fix, but for some reason image search is not actively developed or fixed and I suppose it was only a question of time before malware vendors and hit hogs started circumventing the simplicity of that search engine.
Malware crock will eventually get filtered out by adblockers but what is more annoying is search hijacking - many technical keyword searches already suffer from cache redirections - as an example - type into Google your image search: wavefrontier T90 "correct elevation" (precisely that, including quotes around the second part) - just about every image in the top lines is cached as a redirector, to a bull site - the final URL seems to vary depending on area, but most of that particular keyword search in the image section is wholesale poisoned.
 
Yeah, getting the same here on two different PCs. Noticed a lot of this lately. I was just looking at bench tables and the security message rubbish popped up. My lad got it twice this week and, with him being 11 years old, clicked the OK, so had to shut down his PC and start in safe mode and all that. Getting a little annoyed with this rubbish now.
 
I've noticed this recently too, but without clicking okay on the original message and closing the tab, there isn't any other nag screen apart from 'are you sure you want to leave this page?'
 
Picked up a TDSS rootkit from GIS last week, had to do a rollback to get my PC running again, then run Kaspersky's TDSSKiller, then reinstall trashed Avira. Pain in the A$$.
 
This happens on a new installation of Firefox 4.0. I have the Adblock add-on

If that is just plain Adblock you're using then I'd suggest removing it and installing the Adblock Plus add-on and using the EasyList block list, since the usual MO for these kinds of things is through scripts hidden in adverts (adding the NoScript add-on should add an extra layer of protection).

There's also a feature added to Firefox 4 that alerts you when a site is attempting to redirect you or reload the page.

Also I'd suggest getting rid of Spybot since it went downhill ages ago and the TeaTimer is a risk point for getting infected.
 