Forgot your password?
typodupeerror
Google Security IT Technology

Poisoned Google Image Searches Becoming a Problem 262

Posted by Soulskill
from the quick-search-for-the-antidote dept.
Orome1 writes "If you are a regular user of Google's image search, you might have noticed that poisoned search results have practically become a common occurrence. Google has, of course, noticed this and does its best to mark the offending links as such, but they still have trouble when it comes to cleaning up its image search results."
This discussion has been archived. No new comments can be posted.

Poisoned Google Image Searches Becoming a Problem

Comments Filter:
  • by metalmaster (1005171) on Saturday May 07, 2011 @08:20PM (#36059342)
    I was looking up images for a VP shunt when I came across a few poisoned links. I got scared for a minute because just hovering over the image triggered the payload for one of them
    • by WrongSizeGlass (838941) on Saturday May 07, 2011 @08:25PM (#36059364)
      To protect myself against these poisoned image search results I make sure I always use Lynx when I search for images.
    • by ae1294 (1547521)

      I was looking up images for a VP shunt when I came across a few poisoned links. I got scared for a minute because just hovering over the image triggered the payload for one of them

      That's why I've spent years building up a tolerance to poison links...

      • by Anonymous Coward on Saturday May 07, 2011 @11:39PM (#36060086)

        Dread Pirate Google: All right. Where is the trojan? The battle of wits has begun. It ends when you decide and we both click, and find out who is right... and who is hacked.

        Vizzini: But it's so simple. All I have to do is divine from what I know of you: are you the sort of man who would put the trojan into his own link or his enemy's? Now, a clever man would put the trojan into his own link, because he would know that only a great fool would click on what he was given. I am not a great fool, so I can clearly not choose the link in front of you. But you must have known I was not a great fool, you would have counted on it, so I can clearly not choose the link in front of me.

        Dread Pirate Google: You've made your decision then?

        Vizzini: Not remotely. Because Zeus comes from Eastern Europe, as everyone knows, and Eastern Europe is entirely peopled with criminals, and criminals are used to having people not trust them, as you are not trusted by me, so I can clearly not choose the link in front of you.

        Dread Pirate Google: Truly, you have a dizzying intellect.

        Vizzini: Wait till I get going! Where was I?

        Dread Pirate Google: Eastern Europe.

        Vizzini: Yes, Eastern Europe. And you must have suspected I would have known the trojan's origin, so I can clearly not choose the link in front of me.

        Dread Pirate Google: You're just stalling now.

        Vizzini: You'd like to think that, wouldn't you? You've beaten my firewall, which means you're exceptionally strong, so you could've put the trojan in your own link, trusting on your strength to save you, so I can clearly not choose the link in front of you. But, you've also bested my antivirus, which means you must have studied, and in studying you must have learned that root is hackable, so you would have put the trojan as far from yourself as possible, so I can clearly not choose the link in front of me.

        Dread Pirate Google: You're trying to phish me into giving away something. It won't work.

        Vizzini: It has worked! You've given everything away! I know where the trojan is!

        Dread Pirate Google: Then make your choice.

        Vizzini: I will, and I choose-- What in the world can that be?

        Dread Pirate Google: What? Where? I don't see anything.

        Vizzini:Well, I- I could have sworn I saw something. No matter.

        Dread Pirate Google: What's so funny?

        Vizzini: I'll tell you in a minute. First, let's click. Me on my link, and you on yours.

        (They both click.)

        Dread Pirate Google: You guessed wrong.

        Vizzini: You only think I guessed wrong! That's what's so funny! I switched links when your back was turned! Ha ha! You fool! You fell victim to one of the classic blunders! The most famous is never get involved in a land war in Asia, but only slightly less well-known is this: never go in against a Sicilian when pwnage is on the line!! Ha ha ha ha ha ha ha!! Ha ha ha ha ha ha ha!! Ha ha ha--NO CARRIER

    • what does poisoned even mean here?

      • by Lost Race (681080)
        Good question. And what does "triggered the payload" mean?
      • by jimicus (737525)

        Click on the link and abracadabra, as if by magic your computer is infected with malware.

        I had one yesterday through stumbleupon - it showed a webpage claiming to scan for (and naturally find) malware and at the same time triggered the download of something calling itself anti_malware.zip. I don't know if it would have exploited a browser hole to install itself had I been running Windows or if it was simply banking on me running the download.

  • by Anonymous Coward on Saturday May 07, 2011 @08:35PM (#36059392)

    From TFA: "it displays another script - this time it's a JavaScript one - that redirects the browser to another compromised site that serves malware."

    By 2011, it should be considered "web 101" to not run javascripts unless you have a reason TO run them. Most people seem to just run any old javascripts by default, without having the first clue what it might be doing. There can't be much debate that it's a stupid course of action, given how many people's machines are jacked by exactly that attack vector (albeit possibly using another as well).

    Yeah, yeah, I know, you need javascript for your bank. That's great: whitelist your damn bank. But run only javascripts on your *whitelist*, not any thing any random yahoo from a site you've never heard of before wants you to run. Would you treat your physical possessions that way? Would you let a drug gang in eastern europe borrow your car with your permission? If not, why would you allow them to use your computer?

    I swear that the reason I haven't had a malware in my entire PC using history, and others seem to have them on a weekly or monthly basis, is because I don't completely shut off my brain once the words "... on the computer" appear in a sentence.

    • by Frosty Piss (770223) * on Saturday May 07, 2011 @08:48PM (#36059446)

      By 2011, it should be considered "web 101" to not run javascripts unless you have a reason TO run them. Most people seem to just run any old javascripts by default...

      This is not going to happen. Many major websites, many of the highest traffic websites involve hundreds of JS scripts to make a single page function. Web 2.0 and all...

      The *average non-techie web surfer* is simply NOT going to turn off JS.

      Will not happen... So, it's not realistic or productive to waste time discussing such an option.

      Sad, but true.

      • by Anonymous Coward on Saturday May 07, 2011 @09:10PM (#36059558)

        This is not going to happen. Many major websites, many of the highest traffic websites involve hundreds of JS scripts to make a single page function. Web 2.0 and all...

        Ironic, given that Google recently (this month) just changed its behavior to practically require Javashit.

        Old hotness: (1) Google "foo". (2) Click "Images" tab at top of screen for a GIS for "foo".

        New and busted: (1) Google "foo". (2) Click "Images" tab at top of screen for... "Your search - foo - did not match any documents." (3) curse, click "Images" tab again - to go to http://www.google.com/imghp?hl=en&tab=ii [google.com], and (4) have to type "foo" again in order to GIS "foo". (Or remember to start at images.google.com, which is an issue when you might not be sure which terms to use when searching for the image in the first place)

        Turn Javashit on, and clicking the tab works just fine... but whatever Google changed broke the non-Javashit version of GIS.

        Sorta like last month - maps.google.com is an AJAX app, so it's reasonable for it to require Javascript. But it used to work fine without cookies enabled. Now, it requires both Javascript and cookies. Interesting.

        Just tested/confirmed both of these on Firefox 3.6.16.

        What Facebook does overtly, Google does by benign neglect and failure to regression-test. What's next? Google services simply stop working for Firefox and require Chrome?

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          You can fix this by adding "&gbv=1" to your search search string. If you want it as a seach plugin save http://pastebin.com/GswQX4V5 as an xml file in your searchplugins folder.

        • by brentrad (1013501)
          Tried just what you suggested in Google Image Search (in Firefox 4.0.1). Javascript blocked with NoScript: worked. Javescript not blocked: worked. Might want to check it again, or upgrade to 4.0.
      • This is not going to happen. Many major websites, many of the highest traffic websites involve hundreds of JS scripts to make a single page function. Web 2.0 and all...

        The *average non-techie web surfer* is simply NOT going to turn off JS.


        They will after their machine has to be taken into the shop again for maintenance due to being infected by drive-by exploits like this.

        I've converted quite a few non-technical users over to using Firefox + FlashBlock + NoScript over the past few years. The results
        • Re: (Score:2, Informative)

          by Anonymous Coward

          Firefox + FlashBlock + NoScript

          What's the point? NoScript is FlashBlock and then some.

        • by Frosty Piss (770223) * on Saturday May 07, 2011 @09:35PM (#36059656)

          They will after their machine has to be taken into the shop again for maintenance due to being infected by drive-by exploits like this.

          You might think, but there is a lot to suggest that what you suppose is not the case.

          The fact is, the average non-techie user values "interactive" over "secure". Those in the business of servicing PCs on the consumer level will tell you this.

          • by toygeek (473120)

            Yes, I will tell you this. Indeed, people want their computer to be like a microwave. They don't care how it works and as long as it puts out hot food they're happy. I still get people running IE6 and 7 and Firefox 2.0. They don't give a hoot about security, and most of the time they have no idea what is secure and what isn't.

            Drive by's are unavoidable, but with some education we help our customers keep from being infected.

          • by houghi (78078)

            The reason this is not the case is because the current ITers are the past script kiddies who LOVED to help out the neighbor and reinstall stuff. So WE trained the people that this was normal.

            Ask a non-tech users and he will say it is normal that PCs get slower over time. "Normal" means here "To be expected".

            I doubt many people say "I work in IT and will charge your the official amount I charge others, grandma." I do so by saying they should ask for support with their supplier. I then explain I offered the i

      • Why sad? THe ability to have portions of the page refresh without round-tripping to the server for a whole new page is only one of the highly useful functions provided by JS.
        • by Undead Waffle (1447615) on Saturday May 07, 2011 @10:03PM (#36059764)

          Why sad? THe ability to have portions of the page refresh without round-tripping to the server for a whole new page is only one of the highly useful functions provided by JS.

          It's useful when used correctly. But when all of the links are JS and I can no longer middle click to open in new window I get annoyed.

          • by 0123456 (636235)

            It's useful when used correctly. But when all of the links are JS and I can no longer middle click to open in new window I get annoyed.

            And I really hate sites which break the back button because the site is all Javashit. Hotmail is a glaring example.

    • by blindseer (891256) <blindseer@ear t h link.net> on Saturday May 07, 2011 @08:56PM (#36059482)

      It's 2011, there should not be anything a Javascript can do that is harmful to your computer.

      • Re: (Score:2, Offtopic)

        by Nyder (754090)

        It's 2011, there should not be anything a Javascript can do that is harmful to your computer.

        It's 2011, where's my damn flying car?

      • by jabberw0k (62554) on Saturday May 07, 2011 @11:04PM (#36059976) Homepage Journal
        Indeed. This whole article confuses me. I have been doing web development since the 1990s and the whole point of Javascript was that it cannot cause a program to be run or installed on your computer... otherwise the web browser is insecure. If Javascript code can permit code to run on your computer, that would be a show-stopping browser bug! If that is true, then the only way to prevent this is to stop using that broken browser entirely. But that cannot be the case, can it?

        I find it hard to understand why this whole article is a problem...

        • by Waccoon (1186667) on Sunday May 08, 2011 @05:26AM (#36061242)

          Because browsers allow 3rd party Javascript to run as if it were 1st party. This makes advertisers happy.

          I've been complaining about this for years, but so long as the new economy demands that browsers be supported through sponsorships and ads, security just won't become a priority.

          Hell, reading a PDF can infect your PC with a virus? I've got a great idea... let's build a PDF reader right into the web browser, and for bonus point, you can't disable it. It's okay, we built a sandbox for it, and made JavaScript twice as fast for good measure. Oh, but we still won't include support for [insert FOSS codec of choice here] because it will make the browser too bloated.

      • by jimicus (737525)

        Because the very act of surfing the web is - from a security perspective - probably one of the most stupid things to have happened in the whole of computer history.

        And I'm not exaggerating.

        The first thing anyone who gives a damn about IT security learns is "don't open any old random garbage". How important this rule is (and how easily it's forgotten) was first brought home with things like ILOVEYOU - and that was 11 years ago, FFS. As a result, mail systems have been getting ever more paranoid about accep

    • by AsmordeanX (615669) on Saturday May 07, 2011 @09:14PM (#36059574)

      I tried running with Javascript disabled. Five years ago you could get away with it. Now so many sites, especially with jQuery being so pervasive, simply don't work with JS disabled or you get an ugly broken thing.

      I hear the claim, "Well you can run it on trusted sites". What has the site done to earn my trust? Why couldn't a malicious site appear interesting enough to prompt you to turn JS on and thus be attacked. Only a little social engineering can defeat NoScript. Whitelisted sites can become compromised as well.

      • Only a little social engineering can defeat NoScript. Whitelisted sites can become compromised as well.

        But your whitelisted sites -should- have a decreased chance of being compromised and infected. Thus it is safer than allowing everything, and more functional than blocking everything.

        Honestly I can't understand people who act as if NoScript is a huge security risk or the devil when most people, including myself, would choose "allow all javascripts" if their only options were all or nothing.

      • by brentrad (1013501)
        I run with NoScript all the time, it's not really a problem if you're a geek. You need to make a judgement about the site you are visiting. Does it look a little sketchy, and was it just some joke link someone sent me? It stays blacklisted, and if the site doesn't work, well then I'll live without viewing it. Is it the front page of the New York Times? Well you can probably safely whitelist the main domain - if the page still doesn't work, whitelist each domain selectively until the page works - but don't w
    • by Low Ranked Craig (1327799) on Saturday May 07, 2011 @09:15PM (#36059580)
      Uh, no. Javascript is required for a significant portion, I'd say most, of the high traffic sites out there. It is simply not feasible, or acceptable to suggest that all users disable a significant portion of the functionality of the web.
    • "By 2011, it should be considered "web 101" to not run javascripts unless you have a reason TO run them. "

      I tried the noscript crap for a moment, every single page has tons of javascript, most of them don't work if its disabled. Its possibly you just browse to your homepage made in notepad, but for the rest of the world YOU MUST HAVE JAVASCRIPT ON.

      • by Abstrackt (609015)

        Try YesScript [mozilla.org]. You can blacklist sites that cause problems while letting the rest through without having to explicitly whitelist them.

        • by 0123456 (636235)

          Try YesScript [mozilla.org]. You can blacklist sites that cause problems while letting the rest through without having to explicitly whitelist them.

          Great idea. Then I can blacklist www.thissiteissafehonest.com _AFTER_ it's used Javashit to download malware to my computer.

          Disabling Javashit by default is the only safe way to browse the web these days.

    • That's the problem. They had a GREAT web search page but then had to fuck it up with IFRAMES (web security 101: IFRAMES are not made for use outside a corporate firewall) and eight layers of javascript. I use google image search a LOT and the solution ultimately came down to me carving out a command line google grabber as a means to avoid all their bullshit.

      gggrabber -a -s xga +its+britney+bitch|wget -i -

      It sucks not having instant real time update on search terms, but it's a lot less dangerous to sort thro

    • Make use of Firefox's Prefbar. That has simple check boxes that you can click on when you need Javascript and Flash enabled. Otherwise, keep them turned off until needed.

    • by houghi (78078)

      So if I want to search images with Google, should I turn it off or on? Should Google be on my whitelist or not?

  • by Mashiki (184564) <mashiki@gmailCURIE.com minus physicist> on Saturday May 07, 2011 @08:38PM (#36059398) Homepage

    Can we scrap the entire js system now and rebuild it from scratch so it stays inside a fucking sandbox this time?

  • by Deathlizard (115856) on Saturday May 07, 2011 @08:46PM (#36059438) Homepage Journal

    At this point, I feel SEO poisoning is so bad on Google that I find myself using other search engines more since they don't seem to be as big of a target.

    Altavista, Ask and Bing have just been giving me more relevant search results lately. Google seems to like to show more SEO sites, forum reposters that just repost the same forum entries over and over and "Meta Search" sites such as software informer and alibaba.

    Image search Rogueware poisoning is yet another reason to start looking somewhere else for search results.

    • by Pseudonym Authority (1591027) <SammyKake.gmail@com> on Saturday May 07, 2011 @08:57PM (#36059486)

      Altavista, Ask and Bing have just been giving me more relevant search results lately.

      Somewhat interestingly, and wildly offtopic, Altavista is powered by Yahoo, and Yahoo is powered by Bing, so you are really only using at most 2 search engines. (Ask also outsources to someone, but they don't say who, so it may very well be M!r0$0f+ as well).

      • by Undead Waffle (1447615) on Saturday May 07, 2011 @10:06PM (#36059784)

        Altavista, Ask and Bing have just been giving me more relevant search results lately.

        Somewhat interestingly, and wildly offtopic, Altavista is powered by Yahoo, and Yahoo is powered by Bing, so you are really only using at most 2 search engines. (Ask also outsources to someone, but they don't say who, so it may very well be M!r0$0f+ as well).

        And Microsoft copies Google's search results so in the end everyone is just using Google!

    • Image search Rogueware poisoning is yet another reason to start looking somewhere else for search results.

      CORRECT. The more people stop using Google, the better their search will get -- They surely prioritize things; If everyone is displeased but keeps using their product out of habit then it's not as big of a priority. If they start losing lots of visitors over it then it will get fixed.

  • screenshots (Score:5, Informative)

    by cobbaut (232092) <paul.cobbaut@gmail.cLIONom minus cat> on Saturday May 07, 2011 @08:48PM (#36059444) Homepage Journal

    Two weeks ago I put some screenshots of what it looks like on my blog:
    http://cobbaut.blogspot.com/ [blogspot.com]

    • by MBCook (132727)

      I saw that particular trick when someone at my office ran into it about a year and a half ago. I realized what it was (they thought it was real) so I decided to try an experiment...

      I pulled up the address on my iPhone and got the same thing. It looks really neat to see an iPhone show Windows Explorer and run a fake virus scan.

      I was very impressed though. It's a quite convincing simulation, much better than the old generic "Your computer has a virus" image pop-ups with flashing text.

    • Re:screenshots (Score:4, Interesting)

      by bmo (77928) on Saturday May 07, 2011 @09:54PM (#36059722)

      I've seen it. It detects Chrome and puts up a fake Chrome screen.

      The problem is that the dialog is modal and steals focus from Chrome. You can't simply close the tab. So you click, it does its "scan" and gives a heads-I-win-tails-you-lose dialog and you click that and you wind up downloading a windows executable, and that's when Chrome finally steps in and says "hey, this is an executable file, do you really want this?" and that's the only place you can say no-thanks.

      The only other solution is to force-kill (kill -9) the entire Chrome window at the start.

      Chrome should allow you to close a tab and anything else attached to it, at any time. The current situation is unacceptable from a user's POV.

      I did this in Linux, but having wine installed means that this could be a vector for malware in Linux, too, with a little more work.

      inb4 "but no malware writer cares about linux" and "hurr, wineserver is a user process, so it makes no sense to have autorun malware as a user" (as if anyone ever checks his .bashrc or .profile). The only thing I see as a barrier to this foolishness is the relative intelligence of your average Linux guy (me) versus the typical Windows user in deciding not to run something thrust at the browser for download from a bad website.

      --
      BMO

      • by Barbarian (9467)

        Chrome should allow you to close a tab and anything else attached to it, at any time. The current situation is unacceptable from a user's POV.

        Chrome? Can't you use the Shift-Esc built in Chrome task manager and kill the window?

        • by bmo (77928)

          What ordinary user knows about the Chrome task manager?

          Remember that I'm trying to look at it from a "joe user" perspective, not an expert's perspective. Granted I said "kill -9" there but that was to illustrate the point that an ordinary user has no way to really back out once the script has started to operate, and that starts as soon as the person navigates to the page.

          --
          BMO.

        • by 1729 (581437)

          Chrome should allow you to close a tab and anything else attached to it, at any time. The current situation is unacceptable from a user's POV.

          Chrome? Can't you use the Shift-Esc built in Chrome task manager and kill the window?

          Actually, I just tried (Chrome on a Mac), and I couldn't kill the window through the Chrome Task Manager. Nothing I tried work: I either had to force-quit the browser or just click "OK" and let it run through the fake scan and download the .exe. I'm annoyed that Chrome doesn't seem to provide a way to block javascript hijacking (other than disabling javascript entirely or through explicit whitelists/blacklists). I don't EVER want a web page to be able to disable my right-click, back button, history, view pa

  • by Jaktar (975138)

    Since they're detecting Google, Bing is safe? Wouldn't Bing pretty much slurp the same data while crawling and display pretty much the same result?

  • Violence is required (Score:5, Interesting)

    by erroneus (253617) on Saturday May 07, 2011 @08:56PM (#36059480) Homepage

    The people who are doing this are criminals. They need to be stopped. It's as simple as that. Follow the money and beat the crap out of them until it stops.

  • by d6 (1944790) on Saturday May 07, 2011 @09:05PM (#36059542)
    I surf with requestpolicy and noscript up. It is utterly amazing the number of websites that can't render a page without firing scripts or loading content from 6, 8, 10 or more different domains.
    If you haven't tried these, do it and be amazed at how many sites load without stylesheets, pictures etc. It's amazing how badly shit is implemented - zero thought about graceful degradation.

    no script [noscript.net]
    requestpolicy [requestpolicy.com]
    • I just run AdBlock Plus. The newer versions include anti-XSS. A guy can load Firefox with to many addons, after all.

    • by Low Ranked Craig (1327799) on Saturday May 07, 2011 @09:25PM (#36059612)
      Not zero thought about degradation and not bad implementation. This isn't the same as developing for IE for example. It's simply that implementing features two ways - one for JS and one for no, takes more than twice as much effort, so it doesn't get done. I've told clients before about the JS issues, but what it comes down to is the client doesn't want to spend twice as much to service the 2% that turn off JS. Period. They get a message that tells them to enable JS to use those functions. It's cost vs. benefit 101.
      • by hedwards (940851)

        Which is really why companies need to be held accountable for exploits in their code rather than being allowed to require that somebody else pay for their incompetence. It worries me a great deal how many sites don't use https for log ins or insist upon not giving users a way of getting in without Flash.

        I'm sure we'd see serious movement quickly if all of a sudden they were themselves responsible for their actions or inaction as the case may be.

        • I agree. I have a few clients that have not popped for an SSL cert for their site and have people loggin in in the clear. I've explained it to them in detail, in writing. I don't get it, but there you go...
    • Same here: no script & requestpolicy. The amount of tweaking required to surf safely tends to make me visit less than a dozen sites regularly.
  • The summary contains two links. The first is to an article that plagiarises the second, padding the lifted paragraphs with barely intelligible proto-English. What a disgrace.
  • by Teckla (630646) on Saturday May 07, 2011 @09:15PM (#36059576)

    My wife got bitten by this just today.

    She navigated to a web page from a Google search result, and Safari automatically downloaded some malware and executed it.

    I didn't believe my wife's story at first, so I tried it. Sure enough, automatic download and execution on Mac/Safari.

    What the fuck, Apple and Safari?

    The only question that remains is whether I'll be moving her to Firefox or Chrome...

    • by larkost (79011) on Saturday May 07, 2011 @09:34PM (#36059652)

      It did not download and execute, it downloaded and opend the installer. Your wife would have had to go clicking through a an installer, and provided her admin credentials, in order to have installed/run something.

      While this is bad behavior, and will probably finally convince Apple that .pkg should not be on the list of auto-launched items, this is also not the "sky is falling" situation that your post makes it out to be.

      • by Teckla (630646) on Saturday May 07, 2011 @09:49PM (#36059698)

        It did not download and execute, it downloaded and opend the installer. Your wife would have had to go clicking through a an installer, and provided her admin credentials, in order to have installed/run something.

        Sorry, I'm not a Mac expert. All I know is that it automatically downloaded something, and automatically executed something. I'm not technically knowledgeable enough about OS X to know that, even though we immediately exited the malware installer, that nothing bad could possibly have happened.

        And I'm still not convinced the malware installer didn't do something bad before it popped up its first GUI window. I'm not accusing you of being a liar, but my wife uses her Mac to access our bank accounts and such. I have no choice but to nuke the site from orbit (reinstall OS X). I'd like to trust that because someone on the Internet said I'm safe and not to worry about it, that I can just plain not worry about it, but I just can't take that risk.

        At the end of the day, Apple/Safari's amazingly fucked up defaults burned us good and hard. It'll take me days to fully reload and reconfigure her machine.

        Thanks, Apple...

    • by slyborg (524607) on Saturday May 07, 2011 @09:37PM (#36059660)

      Turn off "Open Safe files after downloading" in Safari Preferences. (-_-)
      Chrome is definitely faster, but doesn't have NoScript and uses more RAM.

    • by jo_ham (604554)

      What was the link? What was the malware?

      I want to test this.

      What happened? I am assuming it downloaded an actual executable Mac application - by default Safari *will not* open these without your express permission, and then the system will also ask you for certain filetypes downloaded from the internet whether you really want to run them - the metadata logs the originating site.

      What *exactly* executed, and what was the result?

      I would be interested to know what malware got past, and what her settings in Safa

      • by Teckla (630646) on Saturday May 07, 2011 @10:02PM (#36059756)

        What was the link? What was the malware?

        I'm sorry to say I no longer have the link. I can tell you my wife was searching for something to the effect of "fairy wings" or "tinkerbell wings" with my young daughter, and that the link she ultimately clicked on was a .ms address. That might help you hunt down the same link, since this happened less than 8 hours ago.

        What happened? I am assuming it downloaded an actual executable Mac application

        I don't recall the exact thing it downloaded, but I recall it ended with .mpkg and was actually a directory I was able to navigate into using Terminal.

        It automatically popped up some kind of installer for MacProtector, which is apparently malware (based on my Googling). I'm pretty good on Windows and Linux, but I know next to nothing about the Mac. I'm not aware of any really low level geekery details like "Mac installers are always 100% safe! Just cancel out of them!" or anything like that. I'm confident it didn't have root access, but even with just my wife's login credentials, my suspicion is that it could have done a lot of damage.

        What *exactly* executed, and what was the result?

        She clicked on a Google search result. The Downloads dialog box popped up. It downloaded something almost too quickly for the eye to see. Some kind of malware installer than displayed a GUI. It looked like the very first step of the installer. There was a Continue button.

        I would be interested to know what malware got past, and what her settings in Safari were.

        I'm sure her Safari settings were almost entirely set to their defaults. The Mac is supposed to be the "safe" computer. Or so we thought...

        I'm sure the Slashdot crowd will come down hard on me over this. I fully expect my intelligence to be questioned and to be modded into oblivion. But really, I don't see how an average user should respond to this except to assume the worst and reinstall OS X.

        And I really do blame Apple for setting absolutely bone headed defaults on Safari.

        • by techtech (2016646) on Saturday May 07, 2011 @10:24PM (#36059842)
          Safari / Mac OS X latest versions as 08.05.2011 CET As I happen to use the Google image search a lot, and open each image (from google results) in a tabs (collect them) and after that reviewing them. Today I searched for different architecture related things and managed to open this this FAKE AV page, a lot of times, differnt pages. And the file that is downloaded is "anti-malware.zip" [1,9 MB on disk (1 872 571 bytes)]. This file contain "MacProtector.mpkg." I am sure I do not have the default settings, because I review every programs settings before I am starting using it, as a common proceedure. I have the open secure files automatically option off, it was not opened. As far as I know Safari does not consider a zip a secure file, and there is not an automatic execution of mpkg inside a zip as standard?
          • by jo_ham (604554)

            No, Safari won't execute a an .mpkg as standard - that's an installer file and would require other user interaction (clicking next etc) to step through, and your admin password if it was going to go outside your home folder at all. So if you don't fall for the social engineering you can stop it at that point.

            It looks like it must be a trojan of some kind, but no different to any standard trojan: you have to have the user install it.

          • by cathector (972646)

            i had a very similar experience yesterday. was GISing in safari for "blanket octopus" and suddenly the osx installer was running. the offending file was also MacProtector.mpkg, which had been downloaded to the desktop.

        • by jo_ham (604554)

          It sounds like a trojan of some kind. By default (and Safari had the default options changed a few versions back - I can't remember if it was to be off by default or by on, mine is set to "off"), and while it will treat a zip file as ok to decompress and a disk image similarly (it will mount them with that checkbox on), the .mpkg is an installer package, rather than the trojan itself and as you saw you need to step through it manually (and provide admin password if it goes outside home) to get it to install

      • by armanox (826486)

        Not sure if this is what they ended up with, but see the blog post linked in this post [slashdot.org] that goes to it. Warning - Windows boxes are also very vulnerable to the same link.

        • i decided to be a little adventurous and opened the link on ie9/win7. brief glimpse of google image seacrh and then a 404 error.

  • They do not mention what the malware is.
  • This isn't really a search problem. The problem is break-ins to vulnerable sites that replace site content with phony pages leading to attacks. Google is finding the phony pages and indexing them. Mostly it's a WordPress or PHP problem.

  • I've personally reported poisoned links that transfers the users into Bing image search. Whether it's unintentional or not, it tricks some users into using Bing instead.

Suburbia is where the developer bulldozes out the trees, then names the streets after them. -- Bill Vaughn

Working...