July 19, 2011

Google today began warning more than a million Internet users that their computers are infected with a malicious program that hijacks search results and tries to scare users into purchasing fake antivirus software.

Google security engineer Damian Menscher said he discovered the monster network of hacked machines while conducting routine maintenance at a Google data center. Menscher said when Google takes a data center off-line, search traffic directed to that center is temporarily stopped. Unexpectedly, Menscher found that a data center recently taken off-line was still receiving thousands of requests per second.

Screenshot of the image Google is displaying to notify users of infected PCs.

Menscher dug further and discovered the source of the traffic: more than a million Microsoft Windows machines were infected with a strain of malware designed to hijack results when users search for keywords at Google.com and other major search engines. Ironically, the traffic wasn’t search traffic at all: The malware instructed host PCs to periodically ping a specific Google Internet address to check whether the systems were online.

Menscher said the malware apparently arrives on victim desktops as fake antivirus or “scareware” programs that use misleading warnings about security threats to trick people into purchasing worthless security software. He suspects that the fake AV program either ships with or later downloads the search hijacker component.

The malware intercepts traffic destined for high-profile domains like google.com, yahoo.com and bing.com, and routes it through intermediate hosts or “proxies” controlled by the attackers. The proxies are used to modify the search results that a victim sees for any given search term, and to redirect traffic to pay-per-click schemes that pay for traffic to specific Web sites.

Fortunately, the traffic generated by the malware has a unique “signature” that Google is able to use to alert victims. Google is placing a prominent notification at the top of victims’ Google search results; it includes links to resources to help remove the infection.

Google should be applauded for alerting users, but the hard work will be in the cleanup: Search hijackers are notorious for blocking users from visiting antivirus Web sites or other popular sources of malware removal tools.

84 thoughts on “Google: Your Computer Appears to Be Infected”

  1. Terry Ritter

    I wonder if the Google bot warning could be more of an advertising opportunity than a security announcement.

    Google may have realized that they are able to identify the ideal target group for (some) security software. Presumably, they could charge dearly for such ideal placement. And since when does a publisher really care about the content of paid ads?

    1. Phoenis

      I don’t think so. More likely they were concerned about automated junk eating away at their resources. But either way I think it was pretty much self serving.

    2. AlphaCentauri

      Google’s brand is being diminished by malware served through their image search product, through botnets and open proxies used to register spam accounts on gmail and Google Groups, and soon, through malicious accounts on Google+. And they’re spending a lot of resources providing spam filtering of the quality we’ve come to expect from gmail.

      Yes, they have a dog in this fight — but so do we all.

  2. Seth

    Is there a name for this malware family, or maybe some example MD5s?

  3. Lauren

    It’s great that Google’s trying to help, but I think I’d be just as leery of Google offering “help.” Microsoft seems like a safe option & that’s where the malware is coming from… hmmm.
