A picture may be worth a thousand words, but a single tainted digital image may be worth thousands of dollars for computer crooks who are using weaknesses in Google’s Image Search to foist malicious software on unsuspecting surfers.

For several weeks, some readers have complained that clicking on Google Images search results directed them to Web pages that pushed rogue anti-virus scareware via misleading security alerts and warnings. On Wednesday, the SANS Internet Storm Center posted a blog entry saying they, too, were receiving reports of Google Image searches leading to fake anti-virus sites. According to SANS, the attackers have compromised an unknown number of sites with malicious scripts that create Web pages filled with the top search terms from Google Trends. The malicious scripts also fetch images from third-party sites and include them in the junk pages alongside the relevant search terms, so that the automatically generated Web page contains legitimate-looking content.

Google’s Image Search bots eventually will index this bogus content. If users are searching for words or phrases that rank high in the current top search terms, it is likely that thumbnails from these malicious pages will be displayed beside other legitimate results.

As SANS handler Bojan Zdrnja explains, the exploit happens when a user clicks on one of these tainted thumbnails. “This is where the ‘vulnerability’ is,” Zdrnja wrote. “The user’s browser will automatically send a request to the bad page which runs the attacker’s script. This script checks the request’s referrer field and if it contains Google (meaning this was a click on the results page in Google), the script displays a small JavaScript script…[that] causes the browser to be redirected to another site that is serving FakeAV. Google is doing a relatively good job removing (or at least marking) links leading to malware in normal searches, however, Google’s image search seem to be plagued with malicious links.”

Denis Sinegubko, a Russian malware researcher who has been studying the fake anti-virus campaigns, called this tactic “the most efficient black hat trick ever,” and said it is exceedingly easy to set up. He said he’s received access logs from the owners of several hacked sites, and has used the data to estimate the traffic Google sends to these bogus image search pages. Sinegubko reckons that there are more than 5,000 hacked sites, and that the average site has been injected with about 1,000 of these bogus pages. The average page receives a visitor from Google approximately every 10 days, he said, which means Google is referring about a half million visits to fake anti-virus sites every day, or about 15 million visits each month.

For example, one of the hacked sites Sinegubko said he saw access logs for was in Croatia; It had a Google page rank of zero prior to being compromised with the phony image search scripts. The logs showed that the site had been hacked on Mar. 18, 2011, and that Google began indexing the tainted image pages the next day. “During the next 5 weeks it has indexed 27,200+ doorway pages on this site,” he wrote in a blog post on his findings. “During the same 5 weeks Google Image search has sent 140,000+ visitors to this small site.”

Sinegubko is developing an add-on for Firefox that can flag malicious Google Image search results by placing a red box around images that appear to link to hostile sites; Images with a pale pink box around them are hot-linked and may also be malicious, Sinegubko said. I tested the add-on (which is not ready for public release) searching for the cover art for the album “Kaputt” by the Canadian band Destroyer. As you can see from the image above, most of the images returned link to sites pushing fake anti-virus.

Sinegubko said his analysis of the malicious scripts that do all of the work indicates that the spammy pages are built when Google’s bots try to index them. Each bogus page targets specific keywords, in this case, the word “destroyer.” The script then requests Google’s autocomplete results for the word “destroyer,” and it is given 10 suggested keywords. The script then includes those new keywords in the spammy pages as links to “related searches” (for example, links to “23.php?q=destroyer-droid-start-wars”, and the results in the image above, “23.php?q=destroyer-kaputt-album-cover”. “When Googlebot follows those links, the script generates spammy pages for them, at the same time it inserts links to new suggested searches,” the researcher said in an instant message chat with KrebsOnSecurity. “This way Google suggests new keywords for spammy pages and automatically builds spam and indexes it.”

Several security experts have suggested specific steps that Google could take to cut down on scammers using Google Images, such as bumping sites that hot-link images to a much lower ranking in the search results for a given term.

Google spokesman Jay Nancarrow said the company was aware of the attacks and that it is making “active efforts to improve both the quality of the results and malware detection,” but declined to be more specific. “We’re improving, as are the people trying to put users at risk, and in the interests of those users it’s best if we don’t reveal everything that we’re doing about this.”

Rogue anti-virus scams almost invariably rely on malicious scripts that can be blocked by the excellent Noscript add-on for Firefox, which lets you decide which sites should be allowed to run scripts. If you happen to stumble upon one of these fake anti-virus security alerts, stay calm and avoid the urge to click your way out of it. Instead, simply hit Ctrl-Alt-Delete, select the browser process you are using (firefox.exe, iexplore.exe, etc.) and shut it down.

Tags: Bojan Zdrnja, Denis Sinegubko, Google Image search hack, Google page rank, Kaputt, sans internet storm center