Poisoned Google Image Searches Becoming a Problem
Orome1 writes "If you are a regular user of Google's image search, you might have noticed that poisoned search results have practically become a common occurrence. Google has, of course, noticed this and does its best to mark the offending links as such, but they still have trouble when it comes to cleaning up its image search results."
im glad im not the only one (Score:5, Informative)
Re:im glad im not the only one (Score:5, Funny)
Re:im glad im not the only one (Score:5, Informative)
lynx + zgv was how I used to view images on the Web about ten years ago. It worked surprisingly well, back before AJAX or Flash were used for navigation.
Re:im glad im not the only one (Score:5, Funny)
Re:im glad im not the only one (Score:4, Interesting)
Like ASCII Goatse?
http://www.nerdgranny.com/ascii-goatse/ [nerdgranny.com]
Re: (Score:2)
lol penis birds X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Re: (Score:2)
I was looking up images for a VP shunt when I came across a few poisoned links. I got scared for a minute because just hovering over the image triggered the payload for one of them.
That's why I've spent years building up a tolerance to poison links...
Re:im glad im not the only one (Score:5, Funny)
Dread Pirate Google: All right. Where is the trojan? The battle of wits has begun. It ends when you decide and we both click, and find out who is right... and who is hacked.
Vizzini: But it's so simple. All I have to do is divine from what I know of you: are you the sort of man who would put the trojan into his own link or his enemy's? Now, a clever man would put the trojan into his own link, because he would know that only a great fool would click on what he was given. I am not a great fool, so I can clearly not choose the link in front of you. But you must have known I was not a great fool, you would have counted on it, so I can clearly not choose the link in front of me.
Dread Pirate Google: You've made your decision then?
Vizzini: Not remotely. Because Zeus comes from Eastern Europe, as everyone knows, and Eastern Europe is entirely peopled with criminals, and criminals are used to having people not trust them, as you are not trusted by me, so I can clearly not choose the link in front of you.
Dread Pirate Google: Truly, you have a dizzying intellect.
Vizzini: Wait till I get going! Where was I?
Dread Pirate Google: Eastern Europe.
Vizzini: Yes, Eastern Europe. And you must have suspected I would have known the trojan's origin, so I can clearly not choose the link in front of me.
Dread Pirate Google: You're just stalling now.
Vizzini: You'd like to think that, wouldn't you? You've beaten my firewall, which means you're exceptionally strong, so you could've put the trojan in your own link, trusting on your strength to save you, so I can clearly not choose the link in front of you. But, you've also bested my antivirus, which means you must have studied, and in studying you must have learned that root is hackable, so you would have put the trojan as far from yourself as possible, so I can clearly not choose the link in front of me.
Dread Pirate Google: You're trying to phish me into giving away something. It won't work.
Vizzini: It has worked! You've given everything away! I know where the trojan is!
Dread Pirate Google: Then make your choice.
Vizzini: I will, and I choose-- What in the world can that be?
Dread Pirate Google: What? Where? I don't see anything.
Vizzini: Well, I- I could have sworn I saw something. No matter.
Dread Pirate Google: What's so funny?
Vizzini: I'll tell you in a minute. First, let's click. Me on my link, and you on yours.
(They both click.)
Dread Pirate Google: You guessed wrong.
Vizzini: You only think I guessed wrong! That's what's so funny! I switched links when your back was turned! Ha ha! You fool! You fell victim to one of the classic blunders! The most famous is never get involved in a land war in Asia, but only slightly less well-known is this: never go in against a Sicilian when pwnage is on the line!! Ha ha ha ha ha ha ha!! Ha ha ha ha ha ha ha!! Ha ha ha--NO CARRIER
Re: (Score:2)
Oh gods, I should NOT be laughing that hard at 3 AM...
That was great.
Re: (Score:3)
what does poisoned even mean here?
Re: (Score:2)
Re: (Score:3)
Click on the link and abracadabra, as if by magic your computer is infected with malware.
I had one yesterday through stumbleupon - it showed a webpage claiming to scan for (and naturally find) malware and at the same time triggered the download of something calling itself anti_malware.zip. I don't know if it would have exploited a browser hole to install itself had I been running Windows or if it was simply banking on me running the download.
web 101: don't run unknown javascripts (Score:4, Insightful)
From TFA: "it displays another script - this time it's a JavaScript one - that redirects the browser to another compromised site that serves malware."
By 2011, it should be considered "web 101" to not run javascripts unless you have a reason TO run them. Most people seem to just run any old javascripts by default, without having the first clue what it might be doing. There can't be much debate that it's a stupid course of action, given how many people's machines are jacked by exactly that attack vector (albeit possibly using another as well).
Yeah, yeah, I know, you need javascript for your bank. That's great: whitelist your damn bank. But run only javascripts on your *whitelist*, not any thing any random yahoo from a site you've never heard of before wants you to run. Would you treat your physical possessions that way? Would you let a drug gang in eastern europe borrow your car with your permission? If not, why would you allow them to use your computer?
I swear that the reason I haven't had malware in my entire PC-using history, and others seem to have it on a weekly or monthly basis, is because I don't completely shut off my brain once the words "... on the computer" appear in a sentence.
Re:web 101: don't run unknown javascripts (Score:5, Insightful)
By 2011, it should be considered "web 101" to not run javascripts unless you have a reason TO run them. Most people seem to just run any old javascripts by default...
This is not going to happen. Many major websites, many of the highest traffic websites involve hundreds of JS scripts to make a single page function. Web 2.0 and all...
The *average non-techie web surfer* is simply NOT going to turn off JS.
Will not happen... So, it's not realistic or productive to waste time discussing such an option.
Sad, but true.
Re:web 101: don't run unknown javascripts (Score:5, Informative)
Ironic, given that Google recently (this month) just changed its behavior to practically require Javashit.
Old hotness: (1) Google "foo". (2) Click "Images" tab at top of screen for a GIS for "foo".
New and busted: (1) Google "foo". (2) Click "Images" tab at top of screen for... "Your search - foo - did not match any documents." (3) curse, click "Images" tab again - to go to http://www.google.com/imghp?hl=en&tab=ii [google.com], and (4) have to type "foo" again in order to GIS "foo". (Or remember to start at images.google.com, which is an issue when you might not be sure which terms to use when searching for the image in the first place)
Turn Javashit on, and clicking the tab works just fine... but whatever Google changed broke the non-Javashit version of GIS.
Sorta like last month - maps.google.com is an AJAX app, so it's reasonable for it to require Javascript. But it used to work fine without cookies enabled. Now, it requires both Javascript and cookies. Interesting.
Just tested/confirmed both of these on Firefox 3.6.16.
What Facebook does overtly, Google does by benign neglect and failure to regression-test. What's next? Google services simply stop working for Firefox and require Chrome?
Re: (Score:2, Interesting)
You can fix this by adding "&gbv=1" to your search string. If you want it as a search plugin, save http://pastebin.com/GswQX4V5 as an XML file in your searchplugins folder.
Re: (Score:2)
Re: (Score:2)
The *average non-techie web surfer* is simply NOT going to turn off JS.
They will after their machine has to be taken into the shop again for maintenance due to being infected by drive-by exploits like this.
I've converted quite a few non-technical users over to using Firefox + FlashBlock + NoScript over the past few years. The results
Re: (Score:2, Informative)
Firefox + FlashBlock + NoScript
What's the point? NoScript is FlashBlock and then some.
Re:web 101: don't run unknown javascripts (Score:5, Insightful)
They will after their machine has to be taken into the shop again for maintenance due to being infected by drive-by exploits like this.
You might think, but there is a lot to suggest that what you suppose is not the case.
The fact is, the average non-techie user values "interactive" over "secure". Those in the business of servicing PCs on the consumer level will tell you this.
Re: (Score:3)
Yes, I will tell you this. Indeed, people want their computer to be like a microwave. They don't care how it works and as long as it puts out hot food they're happy. I still get people running IE6 and 7 and Firefox 2.0. They don't give a hoot about security, and most of the time they have no idea what is secure and what isn't.
Drive-bys are unavoidable, but with some education we help our customers keep from being infected.
Re: (Score:2)
Re: (Score:3)
Re:web 101: don't run unknown javascripts (Score:4, Insightful)
Why sad? The ability to have portions of the page refresh without round-tripping to the server for a whole new page is only one of the highly useful functions provided by JS.
It's useful when used correctly. But when all of the links are JS and I can no longer middle click to open in new window I get annoyed.
Re: (Score:2)
It's useful when used correctly. But when all of the links are JS and I can no longer middle click to open in new window I get annoyed.
And I really hate sites which break the back button because the site is all Javashit. Hotmail is a glaring example.
Re: (Score:2, Informative)
As a professional web developer, we often write code that expects Javascript to work on our sites, because no one ever turns it off. We have some very high traffic sites, and outside of web crawlers, I don't believe we've seen it blocked, ever.
Re: (Score:3)
We have some very high traffic sites, and outside of web crawlers, I don't believe we've seen it blocked, ever.
NoScript claims to have downloaded 84,000,000 times, so I can only presume that people running it are unlikely to visit your sites.
Re: (Score:3)
And you're the kind of person who defines everything in the universe as 'black' or 'white'
Re: (Score:3)
Hopefully someone will mod you TROLL. Or MORON.
Why? Have I been Wooshed? I had to inform our own web devs that our website doesn't work without flash and JS, and they didn't see the problem either. It's as bad as a sysadmin suggesting RAID0 because he's never seen a drive die. Maybe troll for the TFB comment? I notified them of their error in 2002 when they changed to the big flash object (back when few people used flash), now that flash is being blocked in companies and iP[od/ad/hone]s don't have flash, it still boggles me why they don't have at l
Re: (Score:3)
If the head honchos say "we talked to marketing, they want widget foo to do thing bar when the user hovers his mouse pointer over it" then most of the time the devs can choose between "just do it" even if it means breaking things for those who don't have JS activated or disciplinary action.
It basically boils down to "It's not your website, it's ours, and we want shiny javascript everywhere, now implement it!". And yeah, I'm not a big fan of using JS unless absolutely necessary to get the desired results, bu
Re:web 101: don't run unknown javascripts (Score:4, Informative)
The trouble is that you likely get a substantially degraded experience on some sites. Many well-developed sites use AJAX to speed up navigation[1], falling back on a full request when JavaScript is disabled. Similarly, many sites implement convenience features like jQuery-based auto-completion which help make the site easier/faster to use, but again the site continues to function even with JavaScript turned off. You likely never even realize that you are getting a degraded experience because the site did not completely break.
That is a large part of the reason I actively do not recommend NoScript or similar solutions, favoring blacklisting known bothersome scripts, and using sandboxes and equivalents to guard against the unknown.
[1] You only need to download the changed portion, and browsers can update a page in place faster than re-rendering the whole page.
Re: (Score:3)
Course, near as I can tell, computers these days can re-render the page fast enough that it doesn't matter: It's internet connection speed and latency that's important.
I, for one, hate ajax crap: It's almost always slower for me(due to them always using multiple requests, across multiple servers usually) than a single, straight HTML page with everything else being cached. Of course, the ajax'd page loading new ad-code may have something to do with it -- Turning on NoScript speeds up some pages loading by 10
Re: (Score:3)
Actually in a lot of cases the partial page loads are there more to help the server than the client; a heavily-hit site can reduce bandwidth usage and processing overhead by a substantial amount by only processing/transferring the relevant portions of a page. The fact that it also may improve the end user experience is a nice bonus rather than the primary consideration.
Re:web 101: don't run unknown javascripts (Score:5, Insightful)
It's 2011, there should not be anything a Javascript can do that is harmful to your computer.
Re: (Score:2, Offtopic)
It's 2011, there should not be anything a Javascript can do that is harmful to your computer.
It's 2011, where's my damn flying car?
Re:web 101: don't run unknown javascripts (Score:5, Funny)
It's 2011, there should not be anything a Javascript can do that is harmful to your computer.
It's 2011, where's my damn flying car?
It's held up in pre-production until they can fix a persistent Javascript bug.
Re:web 101: don't run unknown javascripts (Score:4, Insightful)
I find it hard to understand why this whole article is a problem...
Re:web 101: don't run unknown javascripts (Score:4, Insightful)
Because browsers allow 3rd party Javascript to run as if it were 1st party. This makes advertisers happy.
I've been complaining about this for years, but so long as the new economy demands that browsers be supported through sponsorships and ads, security just won't become a priority.
Hell, reading a PDF can infect your PC with a virus? I've got a great idea... let's build a PDF reader right into the web browser, and for bonus point, you can't disable it. It's okay, we built a sandbox for it, and made JavaScript twice as fast for good measure. Oh, but we still won't include support for [insert FOSS codec of choice here] because it will make the browser too bloated.
Re: (Score:3)
Because the very act of surfing the web is - from a security perspective - probably one of the most stupid things to have happened in the whole of computer history.
And I'm not exaggerating.
The first thing anyone who gives a damn about IT security learns is "don't open any old random garbage". How important this rule is (and how easily it's forgotten) was first brought home with things like ILOVEYOU - and that was 11 years ago, FFS. As a result, mail systems have been getting ever more paranoid about accep
Re: (Score:2)
the best way to deal with the actual reality appears to be not running JS by default
And Homer Simpson once said...
...I'm the magical man, from Happy Land, who lives in a gumdrop house on Lolly Pop Lane!!!!
Frankly, those who take your view might as well simply run Lynx. Or skip surfing the web.
Re:web 101: don't run unknown javascripts (Score:5, Insightful)
I tried running with Javascript disabled. Five years ago you could get away with it. Now so many sites, especially with jQuery being so pervasive, simply don't work with JS disabled or you get an ugly broken thing.
I hear the claim, "Well you can run it on trusted sites". What has the site done to earn my trust? Why couldn't a malicious site appear interesting enough to prompt you to turn JS on and thus be attacked? Only a little social engineering can defeat NoScript. Whitelisted sites can become compromised as well.
Re: (Score:2)
Only a little social engineering can defeat NoScript. Whitelisted sites can become compromised as well.
But your whitelisted sites -should- have a decreased chance of being compromised and infected. Thus it is safer than allowing everything, and more functional than blocking everything.
Honestly I can't understand people who act as if NoScript is a huge security risk or the devil when most people, including myself, would choose "allow all javascripts" if their only options were all or nothing.
Re: (Score:2)
Re: (Score:2)
If it means you don't see some dancing walrus but your machine doesn't end up with a keylogger sending your bank password to Nigeria, that's probably an OK tradeoff for most people.
Sadly, I don't think you know 'most people'.
Re:web 101: don't run unknown javascripts (Score:4, Insightful)
You have to run them (Score:2)
"By 2011, it should be considered "web 101" to not run javascripts unless you have a reason TO run them. "
I tried the noscript crap for a moment; every single page has tons of javascript, and most of them don't work if it's disabled. It's possible you just browse to your homepage made in notepad, but for the rest of the world YOU MUST HAVE JAVASCRIPT ON.
Re: (Score:3)
Try YesScript [mozilla.org]. You can blacklist sites that cause problems while letting the rest through without having to explicitly whitelist them.
Re: (Score:3)
Try YesScript [mozilla.org]. You can blacklist sites that cause problems while letting the rest through without having to explicitly whitelist them.
Great idea. Then I can blacklist www.thissiteissafehonest.com _AFTER_ it's used Javashit to download malware to my computer.
Disabling Javashit by default is the only safe way to browse the web these days.
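The two policies argued over above (a NoScript-style whitelist that denies by default, and a YesScript-style blacklist that allows by default) come down to one matching rule and one default. The following is an added example, not code from NoScript, YesScript or any browser; the hostnames ending in `.test` are constructed, and `www.thissiteissafehonest.com` is the commenter's own illustration. Each script is judged by its own origin rather than by the page that embeds it, which is what makes a third-party script on a whitelisted page a separate decision.

```python
"""Per-site script policy: allow-list (default deny) vs block-list (default allow).

Added illustration for the NoScript/YesScript discussion; not the code of either
extension. Hostnames under .test are constructed sample data.
"""
from typing import Dict, Iterable, List
from urllib.parse import urlsplit


def host_matches(host: str, pattern: str) -> bool:
    """True if host equals the pattern or is a subdomain of it.

    The leading dot in the suffix check keeps 'notexample-bank.test' from
    matching a pattern of 'example-bank.test'.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    return host == pattern or host.endswith("." + pattern)


class ScriptPolicy:
    """mode='allow-list': only listed hosts may run scripts (default deny).
    mode='block-list':   every host may run scripts except those listed."""

    def __init__(self, mode: str, hosts: Iterable[str]):
        if mode not in ("allow-list", "block-list"):
            raise ValueError(f"unknown mode: {mode}")
        self.mode = mode
        self.hosts = [h for h in hosts]

    def _listed(self, host: str) -> bool:
        return any(host_matches(host, p) for p in self.hosts)

    def allows(self, script_url: str) -> bool:
        host = urlsplit(script_url).hostname or ""
        if self.mode == "allow-list":
            return self._listed(host)
        return not self._listed(host)


def evaluate_page(policy: ScriptPolicy, script_urls: Iterable[str]) -> Dict[str, bool]:
    """Decide each script on the page by its OWN origin, not the page's origin."""
    return {url: policy.allows(url) for url in script_urls}


def blocked_scripts(policy: ScriptPolicy, script_urls: Iterable[str]) -> List[str]:
    return sorted(u for u, ok in evaluate_page(policy, script_urls).items() if not ok)


# Constructed sample: a bank login page pulling four scripts from four origins.
SAMPLE_SCRIPTS = [
    "https://www.example-bank.test/js/app.js",          # first party
    "https://cdn.example-bank.test/jquery.js",          # first-party CDN subdomain
    "https://ads.thirdparty.test/track.js",             # third-party ad script
    "https://www.thissiteissafehonest.com/x.js",        # the commenter's example host
]

if __name__ == "__main__":
    whitelist = ScriptPolicy("allow-list", ["example-bank.test"])
    blacklist = ScriptPolicy("block-list", ["thissiteissafehonest.com"])
    print("allow-list blocks:", blocked_scripts(whitelist, SAMPLE_SCRIPTS))
    print("block-list blocks:", blocked_scripts(blacklist, SAMPLE_SCRIPTS))
```

Run as a script, the allow-list blocks the ad host and the unknown host while letting both bank subdomains through; the block-list only stops the host that was already known to be bad, which is the objection raised above: a default-allow list can only name a host after it has misbehaved.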
Web 101: Google don't fuckin work without js (Score:2)
That's the problem. They had a GREAT web search page but then had to fuck it up with IFRAMES (web security 101: IFRAMES are not made for use outside a corporate firewall) and eight layers of javascript. I use google image search a LOT and the solution ultimately came down to me carving out a command line google grabber as a means to avoid all their bullshit.
gggrabber -a -s xga +its+britney+bitch|wget -i -
It sucks not having instant real time update on search terms, but it's a lot less dangerous to sort thro
Re: (Score:2)
Make use of Firefox's Prefbar. That has simple check boxes that you can click on when you need Javascript and Flash enabled. Otherwise, keep them turned off until needed.
Re: (Score:2)
Re: (Score:3)
Re:web 101: don't run unknown javascripts (Score:5)
Even if the defaults are reversed, what is grandma going to do, vet the JS code for every script that wants to run?
This is Slashdot - our posts are meant to demonstrate how 1337 we are, not an understanding of how the world actually works.
So... (Score:3)
Can we scrap the entire js system now and rebuild it from scratch so it stays inside a fucking sandbox this time?
Re: (Score:3)
Ummm... Isn't specifying what actions a script can perform the definition of a sandbox?
accessing the filesystem, launching popup windows, transmitting content outside of the original domain, redirection, cookies, etc.
These are all permissions that should be codified by the scripting engine's security manager and configurable by the end-user on a site-by-site option.
Re: (Score:2)
Use an alternative search. (Score:4, Insightful)
At this point, I feel SEO poisoning is so bad on Google that I find myself using other search engines more since they don't seem to be as big of a target.
Altavista, Ask and Bing have just been giving me more relevant search results lately. Google seems to like to show more SEO sites, forum reposters that just repost the same forum entries over and over and "Meta Search" sites such as software informer and alibaba.
Image search Rogueware poisoning is yet another reason to start looking somewhere else for search results.
Re:Use an alternative search. (Score:4, Interesting)
Altavista, Ask and Bing have just been giving me more relevant search results lately.
Somewhat interestingly, and wildly offtopic, Altavista is powered by Yahoo, and Yahoo is powered by Bing, so you are really only using at most 2 search engines. (Ask also outsources to someone, but they don't say who, so it may very well be M!r0$0f+ as well).
Re:Use an alternative search. (Score:5, Funny)
Altavista, Ask and Bing have just been giving me more relevant search results lately.
Somewhat interestingly, and wildly offtopic, Altavista is powered by Yahoo, and Yahoo is powered by Bing, so you are really only using at most 2 search engines. (Ask also outsources to someone, but they don't say who, so it may very well be M!r0$0f+ as well).
And Microsoft copies Google's search results so in the end everyone is just using Google!
Re: (Score:2)
Image search Rogueware poisoning is yet another reason to start looking somewhere else for search results.
CORRECT. The more people stop using Google, the better their search will get -- They surely prioritize things; If everyone is displeased but keeps using their product out of habit then it's not as big of a priority. If they start losing lots of visitors over it then it will get fixed.
screenshots (Score:5, Informative)
Two weeks ago I put some screenshots of what it looks like on my blog:
http://cobbaut.blogspot.com/ [blogspot.com]
Re: (Score:2)
I saw that particular trick when someone at my office ran into it about a year and a half ago. I realized what it was (they thought it was real) so I decided to try an experiment...
I pulled up the address on my iPhone and got the same thing. It looks really neat to see an iPhone show Windows Explorer and run a fake virus scan.
I was very impressed though. It's a quite convincing simulation, much better than the old generic "Your computer has a virus" image pop-ups with flashing text.
Re: (Score:2)
and had your phone been an n900, it might have actually gone on and gotten installed!
Re:screenshots (Score:4, Interesting)
I've seen it. It detects Chrome and puts up a fake Chrome screen.
The problem is that the dialog is modal and steals focus from Chrome. You can't simply close the tab. So you click, it does its "scan" and gives a heads-I-win-tails-you-lose dialog and you click that and you wind up downloading a windows executable, and that's when Chrome finally steps in and says "hey, this is an executable file, do you really want this?" and that's the only place you can say no-thanks.
The only other solution is to force-kill (kill -9) the entire Chrome window at the start.
Chrome should allow you to close a tab and anything else attached to it, at any time. The current situation is unacceptable from a user's POV.
I did this in Linux, but having wine installed means that this could be a vector for malware in Linux, too, with a little more work.
inb4 "but no malware writer cares about linux" and "hurr, wineserver is a user process, so it makes no sense to have autorun malware as a user" (as if anyone ever checks his .bashrc or .profile). The only thing I see as a barrier to this foolishness is the relative intelligence of your average Linux guy (me) versus the typical Windows user in deciding not to run something thrust at the browser for download from a bad website.
--
BMO
Re: (Score:2)
Chrome should allow you to close a tab and anything else attached to it, at any time. The current situation is unacceptable from a user's POV.
Chrome? Can't you use the Shift-Esc built-in Chrome task manager and kill the window?
Re: (Score:2)
What ordinary user knows about the Chrome task manager?
Remember that I'm trying to look at it from a "joe user" perspective, not an expert's perspective. Granted I said "kill -9" there but that was to illustrate the point that an ordinary user has no way to really back out once the script has started to operate, and that starts as soon as the person navigates to the page.
--
BMO.
Re: (Score:3)
Chrome should allow you to close a tab and anything else attached to it, at any time. The current situation is unacceptable from a user's POV.
Chrome? Can't you use the Shift-Esc built in Chrome task manager and kill the window?
Actually, I just tried (Chrome on a Mac), and I couldn't kill the window through the Chrome Task Manager. Nothing I tried worked: I either had to force-quit the browser or just click "OK" and let it run through the fake scan and download the .exe. I'm annoyed that Chrome doesn't seem to provide a way to block javascript hijacking (other than disabling javascript entirely or through explicit whitelists/blacklists). I don't EVER want a web page to be able to disable my right-click, back button, history, view pa
Re: (Score:3)
I let it complete downloading, the zip file contains a Mac application called MacProtector and it fires up an installer immediately.
In other words, it's started. Mac users can't be complacent any more.
Re: (Score:3)
Replying to myself, but I pushed the file through VirusTotal (which runs suspect files through a whole host of AV engines). Somewhat depressingly, most of them didn't catch it.
The results are here [virustotal.com] if anyone's interested.
So... (Score:2)
Since they're detecting Google, Bing is safe? Wouldn't Bing pretty much slurp the same data while crawling and display pretty much the same result?
Violence is required (Score:5, Interesting)
The people who are doing this are criminals. They need to be stopped. It's as simple as that. Follow the money and beat the crap out of them until it stops.
a couple add ons that help (Score:5, Insightful)
If you haven't tried these, do it and be amazed at how many sites load without stylesheets, pictures etc. It's amazing how badly shit is implemented - zero thought about graceful degradation.
no script [noscript.net]
requestpolicy [requestpolicy.com]
Re: (Score:2)
I just run AdBlock Plus. The newer versions include anti-XSS. A guy can load Firefox with too many add-ons, after all.
Re:a couple add ons that help (Score:4, Insightful)
Re: (Score:3)
Which is really why companies need to be held accountable for exploits in their code rather than being allowed to require that somebody else pay for their incompetence. It worries me a great deal how many sites don't use https for log ins or insist upon not giving users a way of getting in without Flash.
I'm sure we'd see serious movement quickly if all of a sudden they were themselves responsible for their actions or inaction as the case may be.
Re: (Score:2)
Re: (Score:2)
If that's what you mean then I tend to agree. I always put noscript tags in place if there is functionality that won't work without JS, and I always test for cookie support and tell the user that cookies are required rather than breaking things, or at least they will know why things aren't working.
But still, for most companies, anything more than that just isn't worth the effort for the 2%. There are a lot of huge sites that don't even do that, they just break. And I do mean huge...
Re: (Score:2)
Slashdot Promoting Plagiarism (Score:3)
Mac is vulnerable too (Score:5, Informative)
My wife got bitten by this just today.
She navigated to a web page from a Google search result, and Safari automatically downloaded some malware and executed it.
I didn't believe my wife's story at first, so I tried it. Sure enough, automatic download and execution on Mac/Safari.
What the fuck, Apple and Safari?
The only question that remains is whether I'll be moving her to Firefox or Chrome...
Re:Mac is vulnerable too (Score:4, Informative)
It did not download and execute, it downloaded and opened the installer. Your wife would have had to go clicking through an installer, and provided her admin credentials, in order to have installed/run something.
While this is bad behavior, and will probably finally convince Apple that .pkg should not be on the list of auto-launched items, this is also not the "sky is falling" situation that your post makes it out to be.
Re:Mac is vulnerable too (Score:5, Insightful)
It did not download and execute, it downloaded and opened the installer. Your wife would have had to go clicking through an installer, and provided her admin credentials, in order to have installed/run something.
Sorry, I'm not a Mac expert. All I know is that it automatically downloaded something, and automatically executed something. I'm not technically knowledgeable enough about OS X to know that, even though we immediately exited the malware installer, that nothing bad could possibly have happened.
And I'm still not convinced the malware installer didn't do something bad before it popped up its first GUI window. I'm not accusing you of being a liar, but my wife uses her Mac to access our bank accounts and such. I have no choice but to nuke the site from orbit (reinstall OS X). I'd like to trust that because someone on the Internet said I'm safe and not to worry about it, that I can just plain not worry about it, but I just can't take that risk.
At the end of the day, Apple/Safari's amazingly fucked up defaults burned us good and hard. It'll take me days to fully reload and reconfigure her machine.
Thanks, Apple...
Re:Mac is vulnerable too (Score:5, Interesting)
i've been on osx for about two years, and just yesterday had my first malware experience, .mpkg which had been downloaded to my desktop. .mpkg was "MacProtector.mpkg". unfortunately i rm -rf'd without making an archive of it.
which is pretty much identical to Teckla's: i was in safari and followed a GIS link for "blanket octopus"
and clicked on one of the pictures, and got a pop-up browser with some "security scan in progres.." BS dialog.
no big deal.
but then the OSX package installer opened up, trying to install some obvious malware
downloading a file without my permission is already a total security fail, imo, but running the installer on it is beyond bad.
obviously i nixed the installer and power-cycled and so far haven't noticed anything untoward, but it's scary.
the name of the
- google shows a few hits for that. so, in short, yeah, Teckla's experience matches mine.
Re: (Score:3)
Re: (Score:2)
yeah right, and guess what? ie and windows defaults also do not allow auto-installation of executables.
Re: (Score:3)
Isn't it disingenuous to criticize Apple for putting you into a situation that you have decided is unfalsifiably dangerous?
I did Google before I panicked too much. There is, so far, not a whole lot of confident sounding information on MacDefender / MacProtector.
If it was splattered all over the Internet that it's safe to cancel out of the installer and go on your merry way, that's probably what I would have done.
In any case, how can anyone seriously defend Apple for Safari defaults that automatically download something and run an installer?
Seriously, you have got to be kidding me. Apple fucked up bad on this one, and should be
Re: (Score:3)
It didn't. It was you who decided not to trust the system.
The fact that Safari will automatically download and execute installers may be technically safe -- just an annoyance, at worst -- but expecting users of OS X to know that OS X installers are 100% safe little furry friendly creatures that cannot possibly do any harm whatsoever to your computer is asking a bit much since installers work differently on, well, every other OS in existence, in my (very broad) experience.
On other operating systems, installers are foreign code that can do all sorts of harm to the con
Re:Mac is vulnerable too (Score:5, Informative)
Turn off "Open Safe files after downloading" in Safari Preferences. (-_-)
Chrome is definitely faster, but doesn't have NoScript and uses more RAM.
Re: (Score:2)
What was the link? What was the malware?
I want to test this.
What happened? I am assuming it downloaded an actual executable Mac application - by default Safari *will not* open these without your express permission, and then the system will also ask you for certain filetypes downloaded from the internet whether you really want to run them - the metadata logs the originating site.
What *exactly* executed, and what was the result?
I would be interested to know what malware got past, and what her settings in Safa
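The "Open safe files after downloading" tip and the question above about what Safari records in a download's metadata both point at things a Mac user can check for themselves. Here is an added shell example, not code from this thread or from Apple, that audits the `AutoOpenSafeDownloads` preference in `com.apple.Safari` and parses the `com.apple.quarantine` extended attribute that Safari stamps on downloads (which is how the originating application and download time are recorded). The sample attribute value and the folders searched are constructed assumptions; the live audit only runs where the `defaults` and `xattr` commands exist, i.e. on macOS, and on any other system the script just demonstrates on the sample.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread or Apple): audit Safari's
# "Open 'safe' files after downloading" preference and inspect the quarantine
# metadata macOS attaches to downloads, so an installer that appeared "on its
# own" can be traced back to the agent and time that delivered it.
# The defaults key AutoOpenSafeDownloads and the com.apple.quarantine attribute
# are real; the sample attribute value below is constructed.

# Map the preference value (1/0, true/false, or empty for "not set") to a verdict.
# Assumption: an unset key means the Safari build's own default applies, which
# this script reports as "unknown" rather than guessing.
autoopen_verdict() {
  case "$1" in
    1|true|TRUE|yes|YES) echo "risky: downloads judged 'safe' are opened automatically" ;;
    0|false|FALSE|no|NO) echo "ok: downloads stay put until the user opens them" ;;
    "")                  echo "unknown: key not set, Safari default applies" ;;
    *)                   echo "unknown: unexpected value '$1'" ;;
  esac
}

# com.apple.quarantine values have the form "flags;hex-timestamp;agent;uuid".
# Return one field by position (1=flags, 2=timestamp, 3=agent, 4=uuid).
quarantine_field() {
  printf '%s\n' "$1" | cut -d ';' -f "$2"
}

# Download timestamp as decimal seconds since the Unix epoch.
quarantine_epoch() {
  hex=$(quarantine_field "$1" 2)
  echo $((0x$hex))
}

# Same timestamp as a readable UTC date; GNU date uses -d, BSD/macOS date uses -r.
quarantine_time() {
  secs=$(quarantine_epoch "$1")
  date -u -d "@$secs" '+%Y-%m-%d %H:%M:%S' 2>/dev/null \
    || date -u -r "$secs" '+%Y-%m-%d %H:%M:%S'
}

# Live audit: only meaningful on macOS, skipped silently elsewhere.
audit_live() {
  command -v defaults >/dev/null 2>&1 || return 0
  val=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)
  echo "AutoOpenSafeDownloads: $(autoopen_verdict "$val")"
  # Any installer package sitting in Downloads or on the Desktop (constructed
  # choice of folders) is worth tracing back to its source.
  for f in "$HOME/Downloads"/*.pkg "$HOME/Downloads"/*.mpkg \
           "$HOME/Desktop"/*.pkg   "$HOME/Desktop"/*.mpkg; do
    [ -e "$f" ] || continue
    q=$(xattr -p com.apple.quarantine "$f" 2>/dev/null) || continue
    echo "$f: downloaded by $(quarantine_field "$q" 3) at $(quarantine_time "$q") UTC"
  done
}

# Constructed sample of what a Safari download's quarantine attribute looks like.
SAMPLE_Q='0083;4dbf2a80;Safari;F1A2B3C4-0000-1111-2222-333344445555'

echo "sample agent: $(quarantine_field "$SAMPLE_Q" 3)"
echo "sample time:  $(quarantine_time "$SAMPLE_Q") UTC"
audit_live
```

On a Mac, the same attribute can be read by hand with `xattr -p com.apple.quarantine <file>`; the third field is what answers "which application put this here", and a verdict of `risky` from the first function is the setting the earlier post recommends switching off.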
Re:Mac is vulnerable too (Score:5, Informative)
What was the link? What was the malware?
I'm sorry to say I no longer have the link. I can tell you my wife was searching for something to the effect of "fairy wings" or "tinkerbell wings" with my young daughter, and that the link she ultimately clicked on was a .ms address. That might help you hunt down the same link, since this happened less than 8 hours ago.
What happened? I am assuming it downloaded an actual executable Mac application
I don't recall the exact thing it downloaded, but I recall it ended with .mpkg and was actually a directory I was able to navigate into using Terminal.
It automatically popped up some kind of installer for MacProtector, which is apparently malware (based on my Googling). I'm pretty good on Windows and Linux, but I know next to nothing about the Mac. I'm not aware of any really low level geekery details like "Mac installers are always 100% safe! Just cancel out of them!" or anything like that. I'm confident it didn't have root access, but even with just my wife's login credentials, my suspicion is that it could have done a lot of damage.
What *exactly* executed, and what was the result?
She clicked on a Google search result. The Downloads dialog box popped up. It downloaded something almost too quickly for the eye to see. Some kind of malware installer that displayed a GUI. It looked like the very first step of the installer. There was a Continue button.
I would be interested to know what malware got past, and what her settings in Safari were.
I'm sure her Safari settings were almost entirely set to their defaults. The Mac is supposed to be the "safe" computer. Or so we thought...
I'm sure the Slashdot crowd will come down hard on me over this. I fully expect my intelligence to be questioned and to be modded into oblivion. But really, I don't see how an average user should respond to this except to assume the worst and reinstall OS X.
And I really do blame Apple for setting absolutely bone headed defaults on Safari.
Re:Mac is vulnerable too (Score:4, Informative)
Re: (Score:3)
No, Safari won't execute an .mpkg as standard - that's an installer file and would require other user interaction (clicking next etc.) to step through, and your admin password if it was going to go outside your home folder at all. So if you don't fall for the social engineering you can stop it at that point.
It looks like it must be a trojan of some kind, but no different to any standard trojan: you have to have the user install it.
Re: (Score:2)
i had a very similar experience yesterday. was GISing in safari for "blanket octopus" and suddenly the osx installer was running. the offending file was also MacProtector.mpkg, which had been downloaded to the desktop.
Re: (Score:2)
It sounds like a trojan of some kind. By default (and Safari had the default options changed a few versions back - I can't remember if it was to be off by default or on, mine is set to "off"), and while it will treat a zip file as ok to decompress and a disk image similarly (it will mount them with that checkbox on), the .mpkg is an installer package, rather than the trojan itself, and as you saw you need to step through it manually (and provide admin password if it goes outside home) to get it to install.
Re: (Score:2)
Not sure if this is what they ended up with, but see the blog post linked in this post [slashdot.org] that goes to it. Warning - Windows boxes are also very vulnerable to the same link.
Re: (Score:2)
i decided to be a little adventurous and opened the link on ie9/win7. brief glimpse of google image search and then a 404 error.
Re: (Score:2)
So, they disabled the preference, but didn't remove it completely? I'm sorry, but that's just not responsible. There are some things which the user should have to do without help. If he wants to open the file, fine, but automatically opening random files that have been downloaded isn't something that should be allowed, with or without the user's approval.
Only windows is attacked? (Score:2)
Mostly a WordPress / PHP problem (Score:2)
This isn't really a search problem. The problem is break-ins to vulnerable sites that replace site content with phony pages leading to attacks. Google is finding the phony pages and indexing them. Mostly it's a WordPress or PHP problem.
Bing sometimes plays dirty (Score:2)