January 27, 2010 By Andrew Brandt

Fakealerts Invade Google Image Search Results for ’24’ Star

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

Searchers beware: Those photos of celebrities or funny cat pictures that turn up in your Google image search results might not be photos at all, but fake antivirus alerts. Evidence appears to indicate that a similar scam to one we blogged about last November may be working its way up the Google food chain into other forms of search results.

While searching for photos of Annie Wersching, an actress who recently joined the cast of the TV show 24, we stumbled into one of these javascript-enabled fakealert browser traps. Oddly enough, when you click one of these bogus linked pictures in the Image Search results frame, the original Google search frame remains at the top of the page. The fakealert runs in the lower part of the page, closing the Google search pane but retaining the Google URL in the browser’s Address Bar.

Throughout the day we’ve been looking for links such as these; Each malicious URL we found funnels the browser into the same fakealert, which itself leads to the same rogue antivirus product. Each time we revisited the site, we ended up with what was essentially the same equally nasty rogue antivirus application, sometimes in a different skin, sometimes with a different name. Early in the day we were pulling down something called Total Security. By the afternoon, the tool’s name had morphed to become Security Tool.

The rogue’s behavior on an infected system is obnoxious in the extreme. It hides the desktop by covering everything over with its own wallpaper, and blocks your ability to right-click the desktop, so it’s more difficult to revert the desktop’s appearance by changing your Display Properties settings. It also disables the scroll wheel on the mouse, then blames that behavior on a massive infection it claims has taken over your PC. It prohibits most Internet-capable applications, or even tools like the Task Manager, from running, in the guise of its “firewall” component. Of course, it’s all smoke and mirrors, an attempt to convince you to spend from $50 to $90 on completely ineffective, utterly useless former-Soviet snake oil.

The fakealert spins up in the lower pane of the Image Search page; When it runs, it immediately closes the upper pane of the results window. Unfortunately for Google, the way the fakealert runs make it appear to originate from Google’s server, even though it’s running from elsewhere.

The scripted fakealert page redirects the browser to download an installer about 1MB in size. The installer, in this case, delivered something called Security Tool. Tool, indeed. It claims there were dozens of malicious files on our completely clean testbed.

The rogue also interferes with the execution of standard applications, like Internet Explorer.

And also prohibits other Internet-capable apps from making connections, using excuses that might appear plausible but are nothing but a load of malarkey.

But could you really call it a rogue antivirus if it didn’t claim that Spyware.IEMonster was trying to eat you up? Don’t worry, it’s got that covered, too.

Remember our previous advice when it comes to these kinds of fakealerts. The moment you see something like this appear, hit Alt-F4 on your keyboard to immediately terminate the browser you’re using. You might have to click “Cancel” on a dialog box, but just keep telling the fakealert no, and it’ll eventually run its course, and stop asking. Killing the browser will prevent the fakealert from appearing, and keep you from inadvertently downloading something you’d later regret. You can always find your way back to the pages you need to use.
wordpress blog stats

Share Button

Trackbacks

  1. […] Webroot Threat Blog WEBROOT – INSIGHTS INTO THREATS AND TRENDS FROM OUR INTERNET SECURITY EXPERTS « Fakealerts Invade Google Image Search Results for ‘24′ Star […]

true