Google Images hijacks

Discussion in 'The Lounge' started by satrow, May 7, 2011.

  1. satrow

    satrow Major Geek Extraordinaire

    I was just reminded of this by a post in malware, posted on krebsonsecurity a couple of days ago.

    Bottom line (currently):
     
  2. oma

    oma MajorGeek

    Excerpt:
    http://www.huffingtonpost.com/2011/05/06/google-images-malware_n_858845.html
     
  3. satrow

    satrow Major Geek Extraordinaire

    I suspect that the experimental add-on by Bojan Zdrnaja is being worked on now by Google so that they can implement his technique into the main search engine ;) a little filtering at source would be more difficult for the bad guys to bypass if they don't have publicly available code to work from.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, we are getting a few of these problems in the malware forum. Good job on digging out the info. ;)
     
  5. Rikky

    Rikky Wile E. Coyote - One of a kind

    Google Images has become a hive recently; I've almost given up using the resource, which is a shame.

    Glad to see the issue is being addressed.
     
  6. dlb

    dlb MajorGeek

    And another article here: http://www.pcworld.com/article/227352/attackers_use_google_images_to_distribute_malware.html

    So the question is this - how does the innocent surfer prevent these "drive-by" attacks? They can happen at any time, and at almost any site (not just the image sites mentioned in these articles), and they have been happening for quite some time now. As we all know by now, these rogue (aka "fake") antivirus programs are all the rage now in the malware world and are designed (as far as I can tell) to scare the end user into giving up a credit card number or bank account number to "purchase" the "antivirus software" that will "remove" all the "detected viruses" from their PC.... I have yet to discover ANYTHING that stops these attacks (or at least warns of their presence before it's too late) other than being aware, safe surfing, and a quick reflex to hit the reset/power button.....
     
  7. dlb

    dlb MajorGeek

    .... I forgot to add - once infected, I have found these infections fairly simple to remove via PE followed by numerous scans with MBAM, SAS, TDSSkiller, and others. Stopping the payload before infection is what I'm after. I know that the paid MBAM, free AVG, free Avast, free Avira, paid Norton, paid McAfee do NOT stop the infection, and none of these remove it either, unless the PC is shut down VERY QUICKLY after the initial 'pop up'.
     
  8. oma

    oma MajorGeek

    I remember WOT would give Google Images their colored *donuts* some time ago, but I have no clue why WOT won't work anymore in Images. :(

    At least one would have some sort of guidance in selecting which images were sorta safer although one never is certain with them. So I also have been staying away from those.
     
  9. satrow

    satrow Major Geek Extraordinaire

    @dlb: closing the affected browser by using Task Manager prevents these infections. The risk of seeing the popups is much reduced or even completely blocked by using a browser or browser plugin that denies the cross-site scripting (XSS) that's used to load the popups.

    OpenDNS set to block known malware sites, NoScript, a frequently-updated hosts file (immunise with Spybot and SpywareBlaster and/or use hpHosts) and a non-Admin login is the best current answer, I think.

    @oma: my guess is that WOT and their team (which includes many individuals from other security sites) simply cannot keep up with all of the newly hacked sites that are used as middlemen in these attacks.
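    Added example, not code from satrow's post or from hpHosts, Spybot or SpywareBlaster: the "hosts file immunisation" above works by mapping known bad hostnames to a loopback or unspecified address so the browser never reaches them. The script below parses a hosts-style blocklist (comments, tabs, several names per line, mixed case, IPv4 and IPv6 sink addresses) and checks URLs against it. The hosts entries and domain names are constructed placeholders on reserved example names, not real malware hosts.

```python
"""Check URLs against a hosts-file style blocklist (hpHosts / SpywareBlaster format).

Added example for the thread, not the code of any tool named in it.
The sample hosts entries below are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Constructed sample in standard hosts-file format (reserved example names only).
SAMPLE_HOSTS = """\
# hpHosts-style blocklist (constructed sample)
127.0.0.1 localhost
127.0.0.1 bad-redirector.example    # hacked "middleman" site
0.0.0.0\tfakeav-pay.example.net
0.0.0.0   WWW.Fakeav-Pay.Example.Net
::1       localhost
192.168.1.10  fileserver.lan            # a real LAN entry, not a block
127.0.0.1 cdn.bad-redirector.example another.example  # several names per line
not-an-ip broken.example                # malformed line, ignored
"""


def parse_hosts(text: str) -> Set[str]:
    """Return the hostnames the hosts file sinkholes.

    Only lines whose address is loopback (127.0.0.1, ::1) or unspecified
    (0.0.0.0, ::) count as block entries; real addresses are normal hosts
    mappings and are skipped. Names are lower-cased and a trailing dot removed.
    """
    blocked: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split()                  # tabs or spaces both work
        addr, names = parts[0], parts[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                          # malformed line: hosts parsers ignore these too
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        for name in names:
            name = name.lower().rstrip(".")
            if name != "localhost":
                blocked.add(name)
    return blocked


def is_blocked(hostname: str, blocked: Set[str]) -> bool:
    """True if the exact hostname is sinkholed.

    A hosts file matches exact names only: sinkholing 'bad.example' does not
    cover 'www.bad.example', which is why lists carry both forms and why a
    resolver-level block (e.g. OpenDNS on the whole domain) is the stronger control.
    """
    return hostname.lower().rstrip(".") in blocked


def check_urls(urls: List[str], blocked: Set[str]) -> Dict[str, bool]:
    """Map each URL to whether its host would be sinkholed by the hosts file."""
    result: Dict[str, bool] = {}
    for url in urls:
        host = urlsplit(url).hostname        # already lower-cased by urlsplit
        result[url] = bool(host) and is_blocked(host, blocked)
    return result


if __name__ == "__main__":
    blocklist = parse_hosts(SAMPLE_HOSTS)
    for url, hit in check_urls(
        ["http://bad-redirector.example/img.jpg", "https://ok.example/"], blocklist
    ).items():
        print(("SINKHOLED " if hit else "allowed   ") + url)
```

    On a real system the same logic applies to the OS hosts file (C:\Windows\System32\drivers\etc\hosts); the point of the exact-match check is to show why a hosts list has to be refreshed often and why it cannot catch a freshly hacked "middleman" site that is not on the list yet.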
     
  10. frapper

    frapper Private First Class

    I've been continuously using WOT in FF4 and my rating donuts have been there in Google Images all along. Still today. Not foolproof by a long shot, but still another guide. And I use NoScript as well as MBAM in realtime. ;)
     
  11. oma

    oma MajorGeek

    Need to clarify that in Google Images with NoScript disabled in Fx 4, WOT works.

    In Startpage (search engine - homepage) with NoScript disabled I don't get the WOT *donuts*.
     
