Google Image Results Hijacked by Fake AntiVirus Malware

Last month I blogged about auto-generated content farms and the methods I have been using to shut them down.  During the past month these spam sites have been busy spreading throughout the internet creating more garbage for me to sift through every time I try to search for something.

I’ve also seen a huge increase in content farms hot linking to images on my blog.  I have continued to report the hacked sites to web hosts and many of them have been shut down, but its not enough to solve the problem.

I decided to do some research on the content farms and try to determine what exactly their purpose was.  After a few searches I learned that I was not the only person to notice this growing problem.

I came across a recently posted blog entry by Russian malware researcher Denis Sinegubko.  Denis has unraveled the entire scheme behind this problem and he goes into deep technical detail about how the exploit works.

I highly recommend reading through his blog entry for a full explanation of what this problem is all about and how it works.

It’s all about the money

Essentially the black hats have discovered a simple, yet very sophisticated method to fill the Google image search results with links to sites containing fake antivirus malware.

The fake AV software tricks unknowing users into buying the fake software.

Here is a very simplified walk through of the exploit

  1. Black hats use malware to steal FTP credentials for a web server
  2. A malicious php script is uploaded to the compromised server
  3. GoogleBot discovers the malicious script which generates keyword optimized content on the fly
  4. Using black hat SEO tricks the compromised sites end up in the Google image results
  5. Unsuspecting users click on the malicous Google image result which sends them to a fake AV site

Example of Malware in Google Images

After reading through Denis’s post I decided to do some testing on his findings. I found this particular example in my web server logs today.

In the screenshot below you can see what one of these pages looks like.  Up top is a bunch of keyword spam the script generated from top Google searches.  If you were to scroll down on the page you would see hundreds of images all hotlinked from other sites that relate to the keywords the page is targeting.












I took the first keyword phrase from the example page “pfsense ftp connection refused” and did a search on Google images for it.  The first result which I’ve highlighted in red happens to link to one of the compromised web servers.

Hijacked Google Image Results











Below is what happens when you click on a compromised link.  (I don’t recommend trying this)  Instead of taking you to the image you wanted to see the malicious script redirects you to a page that tries to install malware on your PC.

Malware Attack from Google Images











As you can imagine by ranking in the top search results in Google Images for thousands of different keyword phrases these malware infested sites are getting a ton of traffic!

In his post Denis talks about some of his suggestions for resolving this issue.  One of his suggestions is that Google should give preference to sites that host images instead of promoting sites with hot linked content.

I agree that Google needs to make some big changes on their part instead of promoting malware in their search results.  In addition to changes on Google’s part I think that webmasters and hosts need to keep a closer eye on their web properties to make sure they are not becoming infected with malware.

Please do yourself and the internet a favor by scanning your workstations and servers for malware.  If you have a web site you should check your server logs for activity that could indicate your site has been hacked.

Sam Kear

Sam graduated from the University of Missouri - Kansas City with a bachelors degree in Information Technology. Currently he works as a network analyst for an algorithmic trading firm. Sam enjoys the challenge of troubleshooting complex problems and is constantly experimenting with new technologies.

11 thoughts to “Google Image Results Hijacked by Fake AntiVirus Malware”

    1. I’m glad I’m not the only one annoyed by this! It’s pretty sad that we can’t even trust Google images to be safe these days.

      It’s hard enough trying to train people which links are safe to click and which ones lead to spyware but these are very hard to catch.

  1. This very exploit happened to someone at work who’s husband uses his laptop for his business. It is exactly what happened – He told me he was on Google looking for a picture and the next thing he had Internet Security 2011 installed – This piece of malware/virus is the worst! It re-writes the permissions on files and takes control of all .exe files on a windows system. A nasty business to clean out.

    Thanks for the article and it sheds some light on this new process. I also agree with you about Google and don’t know what they can do but only hope they are addressing this new technique that spreads malware.


    1. Hey H. , thanks for stopping by to comment!

      It seems like malware is popping up everywhere lately. You wouldn’t expect that searching on Google images would be anything to worry about.

      You’re absolutely right, it can be a nightmare to clean up after these get installed in your system. Malware apps can change/add many files and registry keys making it difficult to undue all the changes.

      It seems like we are always one step behind the malware writers.

  2. I’m running linux and I get redirected to these malware sites at least 6 or 7 times for every image search I make. As annoying as it is, it’s kind of funny to see a page pop up telling me that it’s scanning my c drive!

    1. LOL, yet another reason we should all switch to Linux! Even if the malware writers followed the security holes would be patched much faster. The open source community is quick to deal with change.

  3. This’ll sound horribly naïve of me considering I’ve been lurking around computers and the net for a decade, however, at which point do you realize it has successfully installed after being directed to a page like that? I have run into these pages several times, at least once a week (Which should teach me to stop searching for images), but I can only recall one time where my pc was actually infected with this fake antivirus. At that point, the infected computer was in line fore retirement anyway. Now I worry about my new computer. Any signs or symptoms to keep an eye out for? Also, is there a recommended way to exit from these screens?

    1. Sometimes it can be hard to tell if the malware actually succeeded in delivering it’s payload to your computer. You’re absolutely right that just visiting a spyware page doesn’t mean your pc is infected.

      I recommend running regular scans with a good spyware detection app like Malarebytes ( to make sure your computer is clean.

      Some tell tale signs of an infection
      – Random popups
      – Odd icon’s or bubble messages in the system tray
      – Slower than usual performance

      Closing the browser by clicking the X is usually the safest method, but ending the program with task manager is even better.

  4. All you have to do is prevent your images from being hotlinked displaying an alternate image instead that says something like “THIS IMAGE IS STOLEN FROM SAKEAR.COM”. If you have RSS you limit the sites that can hotlink your images to a handfull, like yahoo mail, gmail, hotmail, etc. You can do this in your Robots.txt file, it is very simple, just do your research.

    1. Hey Jim, thanks for stopping by to comment.

      You bring up a method that can be very effective in many situations for stopping hot linkers.

      The bots don’t seem to be smart enough to care and it’s a great way to get some free advertising for your web site!

  5. The internet is a sewer. The guy up there is right. It is all about the money. The absolute worst security risk on the planet is Microsoft Windows. It’s an operating system ffs. lol. If you have a Windows XP SP4 opsys or above yer screwed. Take a look at your registry. I bet there’s 5 million entries in it. That’s a new box. If your box is a year old there’s likely more than 30 million. You have no idea what these entries do and you never will, not unless you’re a Microsoft engineer with access to the Microsoft analytical software.

    If you’re a programmer or a web developer you need think very seriously about what I’m about to say here. First, I’m an attorney so I know how to read contracts. Now, think about this. The license agreements Microsoft and Adobe software products, and many others, all contain language in them, which you agree to when you run the program, that gives them a legal right to install software that searches your computer’s data storage devices ( i.e. hard disks, optical drives, etc…) for pirated software. The programs these corporations use for this purpose is capable of reading EVERYTHING stored on your computer, including any software that you are developing. These corporations are in the business of selling software. They would love to steal your work, and they do, because software engineers get paid, you don’t. There is nothing you can you can do about it if you do get robbed (legally) because you agreed to allow them to access your computer to search for, ironically, pirated software, when you first used their software. I was robbed. A video system. Microsoft stole it and integrated into XP. I never would have known that they stole my software if they hadn’t stolen the name too. They copyrighted it and sued me for copyright infringement. They lost the suit because I had better lawyers. I knew that the software was mine. Every programmer recognizes his own work, if he’s looking for it. I was never able to prove it however, even though I had the source code, because the court could not order Microsoft to produce their copy of the source code for comparison.

    Because, 10 years ago the U.S. Department of Justice charged Microsoft Corporation with a number of violations under provisions of the Sherman Anti Trust Act. William Gates was named as a co-conspirator in the complaint. During pre-trial discovery proceedings in the U.S. District Court, Federal Prosecutors served Microsoft with a request for production, seeking a transcript of the source code for Microsoft Windows XP. Gates refused to produce the sources. The Assistant U.S. Attorney who prosecuted the case didn’t bother to move for an order to compel production. Instead, he threatened to file criminal charges against Gates, under provisions of of the Homeland Security Act. Gates may be one of the richest men in the world but under the Act, the Department of Homeland Security could have seized all of his assets, including Microsoft Corporation and all of the outstanding shares in Microsoft held by people other than Gates. ( Heil Hitler ) Gates relented (wisely) and the parties reached an agreement. Gates agreed to turn over the sources for XP and all future Microsoft computer operating, and in exchange, the United States gave Microsoft corporation perpetual immunity from civil discovery. That means, no court in the U.S. can ever order Microsoft to produce source code for ANY software they steal or develop. Homeland Security acquired the ability to watch us and Microsoft became immune civil suits. If you’re a programmer be careful. And keep your powder dry….

Leave a Reply

Your email address will not be published. Required fields are marked *