They still haven't found him, mind, but let's move on to the security angle in all of this.
It seems our favourite friends the Blackhat SEO Poison Brigade are out in force, utterly trashing the Image Search results and filling them up with dubious links.
These are the very top entries from a basic search on "Raoul Moat" in Google Images:

At time of writing, ALL of the image searches from the top line of Google Image Search will redirect you to serveradobe(dot)co(dot)cc. As you've probably guessed from the name, you'll get a fake Flash "install this" prompt from the website in question, followed by an attempted download of a file called V11_adobe_flash.exe:

Here's the VirusTotal result for this one - currently a bit low, with 11/41 detecting it. We're still examining the file, but a fake antivirus or similar shenanigans look likely.
We detect this as VirTool.Win32.Obfuscator.hg!b (v).
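
One way to hunt for this chain in web proxy logs, as an added example that is not part of the original post: it flags Flash-named executables served by hosts outside Adobe's domains and records whether the client reached that host from an image search result. The tab-separated log format, the host lists and the sample lines (including `fake-flash.example`) are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed allow-list of genuine vendor domains and pattern for search hosts.
VENDOR_SUFFIXES = ("adobe.com", "macromedia.com")
SEARCH_HOST = re.compile(r"(^|\.)google\.(com|co\.[a-z]{2}|[a-z]{2})$")
# File name that borrows the vendor or product name and ends in .exe.
FLASH_EXE = re.compile(r"(flash|adobe)[^/]*\.exe$", re.I)

# Constructed proxy log lines: client <TAB> requested URL <TAB> Referer.
SAMPLE_LOG = (
    "10.0.0.5\thttp://www.google.com/imgres?imgurl=http://blog.example/p.jpg\t-\n"
    "10.0.0.5\thttp://fake-flash.example/index.php\t"
    "http://www.google.com/imgres?imgurl=http://blog.example/p.jpg\n"
    "10.0.0.5\thttp://fake-flash.example/V11_adobe_flash.exe\t"
    "http://fake-flash.example/index.php\n"
    "10.0.0.9\thttp://fpdownload.adobe.com/get/install_flash_player.exe\t"
    "http://get.adobe.com/flashplayer/\n"
    "10.0.0.7\thttp://photos.example/gallery.html\t"
    "http://www.google.co.uk/imgres?imgurl=http://photos.example/a.jpg\n"
)

def host_of(url):
    """Lower-cased host of a URL, or '' for '-' and other non-URLs."""
    return (urlsplit(url).hostname or "").lower()

def is_vendor(host):
    """True only for the vendor domain itself or a subdomain of it."""
    return any(host == s or host.endswith("." + s) for s in VENDOR_SUFFIXES)

def find_fake_flash_downloads(log_text):
    landed = set()  # (client, host) pairs reached from an image search result
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, url, referer = line.split("\t")
        host, ref = host_of(url), urlsplit(referer)
        ref_host = (ref.hostname or "").lower()
        if SEARCH_HOST.search(ref_host) and ref.path.startswith("/imgres"):
            landed.add((client, host))
        if FLASH_EXE.search(urlsplit(url).path) and not is_vendor(host):
            alerts.append({"client": client, "url": url,
                           "from_image_search": (client, host) in landed})
    return alerts

if __name__ == "__main__":
    for alert in find_fake_flash_downloads(SAMPLE_LOG):
        print(alert)
```

The vendor check compares whole domain labels, so a lookalike host that merely contains "adobe" in its name is not treated as Adobe.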
Christopher Boyd