
Posts Tagged ‘poison’
November 9th, 2011

AVAR 2011 [Day 1] – the web is not always what you expected

Hello from Hong Kong, the city where the AVAR Conference 2011 is taking place. We, Lukas and Jan, are here to make a presentation on “Google Image poisoning”.

We arrived in Hong Kong on Monday after a long flight from Prague. From the moment we got off the plane we knew that Hong Kong is completely different from what we are used to in Prague. Not only is the weather different – winter in Prague but summer in Hong Kong – the cultures are also completely different. I think that it would be unfair to try to compare Asia to Europe, so let’s move on.

completely different from world wide web...

there are different webs...

We were hungry when we got to our hotel and so we went for lunch. The lady at the Wharney Guang Dong hotel recommended a dim sum restaurant across the street. Well, I have to admit that it was really good advice. The place was spectacular and the food was delicious. We even ordered something called “duck web”. However, what we received wasn’t a web at all.

As you can see in the picture on the left, Honza (Jan) has a duck leg. It was quite a new experience for both of us, but… where is our web?

OK, let me make a long story short. We have a presentation at the AVAR conference about Google Image poisoning. And there is a close connection between duck web and the poisoning. But, let me tell you, it’s quite difficult to write an article after midnight when you have jet lag and also after a welcoming drink with all the AVAR members. So let me just fix the first sentence – there is a close relation between web and Google Image search poisoning attacks but … we’ll tell you more tomorrow after our presentation.

May 17th, 2011

Google-images poisoning stats

I think most of you have probably heard about Google-images poisoning, but what is it?

When a user performs a Google Image search, images from an attacker’s page can be shown at a certain position in the results page. The exploit happens when a user clicks on the image. Google displays an iframe to a legitimate site. The browser will then send a request to the page running the attacker’s script. This script checks the referrer and, if it is Google, the script starts new JavaScript. This causes the browser to be redirected to another site that is serving a fake antivirus.

More thorough technical information about this attack can be found on the Unmask Parasites blog or the ISC site. In this blog, we only tried to focus on the data from the avast! Community IQ database to show how big this attack was, and to look at how many domains are still infected, with their admins either unknowing or not paying much attention to their websites. Read more…

February 18th, 2010

Ads poisoning – JS:Prontexi

Malware usually spreads through web infections placed on innocent, badly secured websites. The ad infiltration method is growing in popularity alongside website infections. Now we are facing probably the biggest ad poisoning ever made – all important ad services are affected. It means that users might get infected just by reading their favorite newspaper or by doing a search on famous web indexers. User interaction is not needed in this attack – infection begins just after a poisoned ad is loaded by the browser – it is not a type of social engineering. We named the source of this attack JS:Prontexi – JavaScript code which initiates infection on the victim's computer using various vulnerabilities, including the latest PDF exploits.

Read more…

Categories: analyses, Virus Lab