2011-04-23

another Microsoft virus...

Selecting an image on Google Image Search regularly minimizes the browser and pops up this annoying dialog.


Running Linux, you know this is fake, but it is still annoying because (besides minimizing your browser) it also opens a tab that refuses the back button, and you don't get to see the actual image.


The first time this is funny (there is no C: drive nor a "My Documents" directory on "My computer").

Searching Google Images for something as simple as "Axis Allies board 1984" and clicking on an image is enough to provoke it.

If you want to see the fun on Linux, use this link. Use at your own risk ;-)

http://www.google.com/imgres?imgurl=http://i.ehow.co.uk/images/a05/74/g6/axis-allies-board-game-rules-800X800.jpg&imgrefurl=http://madpeasant.com/cultivo-hasboro-axis-and-allies-board-game-download/&usg=__33uvjrDPcS0KU-Ifngk1w1ooYKI=&h=292&w=500&sz=146&hl=en&start=5&sig2=Uzaxsm4iXRrpvVidDNdnMw&zoom=1&tbnid=yFktGyapNI72ZM:&tbnh=76&tbnw=130&ei=MKeyTfGWCIaCOrHZ5IcJ&prev=/search%3Fq%3Daxis%2Ballies%2Bboard%2B1984%26hl%3Den%26safe%3Doff%26client%3Dubuntu%26hs%3DpRv%26sa%3DX%26channel%3Dfs%26biw%3D1912%26bih%3D1055%26tbas%3D0%26tbm%3Disch%26prmd%3Divns&itbs=1

(The URL might not work since I reported it.)

Click OK on this last dialog to close the tab.
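An added example, not part of the original post: the imgres link above already names the page the result was found on (`imgrefurl`) separately from the image file (`imgurl`), so it can be decoded offline without following it. The sketch below does that and tallies landing hosts across several reported links; the `example.test` links are constructed, and the post's link is shortened to the parameters used.

```python
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# The link from the post, shortened to the parameters used below.
POST_LINK = (
    "http://www.google.com/imgres"
    "?imgurl=http://i.ehow.co.uk/images/a05/74/g6/axis-allies-board-game-rules-800X800.jpg"
    "&imgrefurl=http://madpeasant.com/cultivo-hasboro-axis-and-allies-board-game-download/"
    "&prev=/search%3Fq%3Daxis%2Ballies%2Bboard%2B1984%26hl%3Den%26tbm%3Disch"
)
# Constructed links (example.test hosts) standing in for other user reports.
SAMPLE_LINKS = [
    POST_LINK,
    "http://www.google.com/imgres?imgurl=http://img.example.test/a.jpg"
    "&imgrefurl=http://landing.example.test/p1/&prev=/search%3Fq%3Dchess%2Bboard",
    "http://www.google.com/imgres?imgurl=http://landing.example.test/b.jpg"
    "&imgrefurl=http://landing.example.test/p2/&prev=/search%3Fq%3Drisk%2Bmap",
    "http://www.google.com/search?q=not+an+image+result",
]


def first(params, key):
    return params.get(key, [""])[0]  # first value of a parameter, '' if absent


def inspect_imgres(link):
    """Decode an imgres link; return None for any other URL."""
    parts = urlsplit(link)
    if parts.path != "/imgres":
        return None
    params = parse_qs(parts.query)
    image_host = urlsplit(first(params, "imgurl")).hostname
    landing_host = urlsplit(first(params, "imgrefurl")).hostname
    # 'prev' is the percent-encoded search URL; parse_qs has decoded it once.
    search = first(parse_qs(urlsplit(first(params, "prev")).query), "q")
    return {
        "image_host": image_host,
        "landing_host": landing_host,  # the page the image was found on
        "search": search,
        # True for plenty of legitimate pages too: a data point, not a verdict.
        "image_hosted_elsewhere": image_host != landing_host,
    }


def landing_counts(links):
    """Count landing hosts across reported links, skipping non-imgres URLs."""
    decoded = (inspect_imgres(link) for link in links)
    return Counter(d["landing_host"] for d in decoded if d)
```
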

14 comments:

pvandewyngaerde said...

See also this warning: (Published: 2011-04-23)
Image search can lead to malware download:


if you click on image found in google. The following script was received from the host ...

Iggy said...

I saw that once, unfortunately on a Windows machine. Not sure if it was from an image search.

I realized it was fake, but it was difficult to get rid of it.

Once I closed the window, I started a full malware scan.

Anonymous said...

On my computer (Ubuntu Linux, using Firefox), I get a screen that tries to mimic Mozilla.

Warning is Mozilla Security Software and not Microsoft/Windows
The screen afterwards mimics the look of a phishing page.
I have to say it looks quite convincing... obviously the downloadable .exe at the end won't work on this Linux machine :p

Paul Cobbaut said...

@Anonymous: Did you try wine? ;-)

TeRanEX said...

And that is why I use the NoScript add-on for Firefox

Anonymous said...

I've gotten this whilst browsing on an iPhone. Seriously, a C: drive on my iPhone? I had no idea that it was that capable!

Patrick said...

Testing it on Mac OS X using Safari it will auto download and try to run a package, MacProtector.mpkg.

Corrin Lakeland said...

That was impressive.

The graphics were slick, the scroll bars even worked correctly - far fancier than just popping up with a 'you have new mail picture'.

The finished result was an EXE called InstallInternetProtection_696.exe. I could easily imagine even moderately savvy windows users being tricked into running it.

Scary.

York said...

I just tried this on my Linux system. When I ran it, it used the Mozilla, something is really bad charcoal background with red inset as the scanner (as per anonymous comment 3). I was amazed and actually scared for a moment, that it identified my system correctly. Then it wanted me to download an exe, and all my fears went away. Next thing I thought I'd try was User Agent Switcher to IE 6. Then I got the page described in the post.

This is interesting, as if anyone has used http://panopticlick.eff.org, JavaScript will give a lot more information, even with the fake user agent, that would allow the site to fairly accurately identify the system it is running on. Probably the biggest give-away would be the high occurrence of the 'IcedTea' keyword. Also included would be the 'Totem' keyword, many lib* files, and finally this line: 'Plugin 7: iTunes Application Detector; This plug-in detects the presence of iTunes when opening iTunes Store URLs in a web page with Firefox'

remmers.anthony said...

I love the window title, though:
"wait a minute! this is important - we check your device"
Once they figure out how English works, we'll be *really* screwed!

remmers.anthony said...

I love the window title:
"wait a minute! this is important - we check your device"

Yes, please, you check my device. If they ever get a grasp of English, we're really screwed.

Jorge Blasio said...

This is scary, I opened that link on my Mac and I got an Aqua-fied snapshot of a faked trojan analysis. Safari downloaded MacProtector.mpkg immediately and OS X opened the installer. Of course you're still prompted for your password, but still, very sophisticated...

http://dl.dropbox.com/u/11966925/Faked-analysis.png

http://dl.dropbox.com/u/11966925/Trojan.png

kai said...

Not only does that link still work after being reported, but it seems that they've crafted a Mac version of the page as well. Going to that link from Safari on a Mac launched a Finder-like window reporting all these issues with my machine, as well as downloading anti-malware.zip and I'd say it would be enough to fool a non-technical user for sure.

Anonymous said...

My mother fell for this and actually downloaded an executable from it, but thankfully told me about it before she ran it.