I read some security articles; they were like: a lot of people are searching for pictures related to Osama bin Laden's death, but some links can redirect to fake scanner pages. I decided that I would go and hunt some of them. Using Google I searched for “osama bin laden dead photos”; many pictures came up, and guess what. I tested 2 links and they were both infected: when you click them, they show a message box saying "Your computer is at risk of malware, press ok to install scanner etc". Avast didn’t detect them.
See attached (malicious pages highlighted in yellow). So, here is the deal: if you want to save your computer you must open Task Manager, kill your browser (Mozilla in my case) and then clean cookies; I used CCleaner. If you don’t clean the cookies, the same error comes up every time you open your browser.
wxx.nhatky.in is the malicious page. The other one is a redirect from noobtoob to nhatky.
Report: 2011-05-03 13:27:56 (GMT 1)
Website: nhatky.in
Domain Hash: dda17898a22500dfc38027aee4953f08
IP Address: 96.30.37.212
IP Hostname: server.123breakingnews.com
IP Country: US (United States)
AS Number: 19066
AS Name: WIREDTREE - Cogswell Enterprises Inc.
Detections: 1 / 23 (4 %)
Status: SUSPICIOUS
MyWOT: DETECTED (w/o users comment)
I hope next time avast will block this kind of site(s).
It seems that cybercriminals are there to exploit everything they can.
Add this site to next virus/webshield update please.
Regards
Sorry, the file was too large to attach.
To be honest I think the image is totally unnecessary, as it has nothing to do with the usual run-of-the-mill social engineering trying to ride on the back of news to sucker people.
The image is a total side show and should be removed; it brings nothing to the topic.
Hi Left123,
@DavidR,
Well, those that have WOT installed have a rough guideline as to what image not to click through - yellows and reds - and
check further on the whites - greens are OK, we hope.
That may have been what the poster wanted to demonstrate “as per example”, at least that was what was meant
to be demonstrated I assume…
Left123’s suspicious or maybe malicious example had a red WOT circle on the Google image search page to alert the user.
To generalize the subject further, any Google image search page can deliver these threats
- search query completely irrelevant -
there DavidR has a point. It all comes with the topic title - avast against malcoded image search results
or something like that would have been a bit more neutral subject title for Left123 to use, but the actuality of the threat is a relevant one i.m.o.
@Left123,
A complicating factor in scanning these links can be the length of the normalized image URL,
well, VT can handle them to check on …
Here there is only a yellow: http://www.webutation.net/go/review/nhatky.in
But web rep results are the only things to go on in these cases as far as I am aware,
to demonstrate that see this scan: http://www.virustotal.com/url-scan/report.html?id=7c58e7512d30cb26a17c4687a5947ec8-1304418287
(random non-related image)
polonus
Left, with all respect, the thread title is misleading… Seems that avast corporation made a statement pro Bin Laden…
I’ve just changed my mind and I agree with you ;D
Then click the first post’s Modify button and change the Title to one that is more meaningful.
Hi Left123,
Well, away from the fact that this topic now will have a new, more adequate subject title, avast against malcoded image search results
instead of Left123’s original topic title about Osama…,
how can users protect against this threat?
NoScript and RequestPolicy extensions inside FX will fully protect against these malcoded image redirection threats.
WOT will give an indication as to what image links not to click, but where do the avast shields come in?
It is a fact that the search query must be a hot news item, that will attract loads of possible victim clicks,
and this is in the line of what people could be infected with through clicking such a link, well rogue AV’s mainly -
see a recent detection here:
http://www.virustotal.com/file-scan/report.html?id=d708459d7169d11533337d736e64450da4e53880c4d7d346c37095603aa53e60-1303939909
polonus
Hi DavidR and Tech,
You two should follow Left123’s example and change the topic title accordingly ;D
pol
The difference being our title doesn’t appear in the listings.
Hi DavidR,
But now your comment does not make sense, well it is Left123’s thread, and it is right he changed his subject title
to “avast against malcoded image search results”, as I suggested to him,
polonus
So, it makes no difference within the topic, it is historic and doesn’t appear in the listings for the forum.