July 19, 2011

Google today began warning more than a million Internet users that their computers are infected with a malicious program that hijacks search results and tries to scare users into purchasing fake antivirus software.

Google security engineer Damian Menscher said he discovered the monster network of hacked machines while conducting routine maintenance at a Google data center. Menscher said when Google takes a data center off-line, search traffic directed to that center is temporarily stopped. Unexpectedly, Menscher found that a data center recently taken off-line was still receiving thousands of requests per second.

Screenshot of the image Google is displaying to notify users of infected PCs.

Menscher dug further and discovered the source of the traffic: more than a million Microsoft Windows machines were infected with a strain of malware designed to hijack results when users search for keywords at Google.com and other major search engines. Ironically, the traffic wasn’t search traffic at all: The malware instructed host PCs to periodically ping a specific Google Internet address to check whether the systems were online.

Menscher said the malware apparently arrives on victim desktops as fake antivirus or “scareware” programs that use misleading warnings about security threats to trick people into purchasing worthless security software. He suspects that the fake AV program either ships with or later downloads the search hijacker component.

The malware intercepts traffic destined for high-profile domains like google.com, yahoo.com and bing.com, and routes it through intermediate hosts or “proxies” controlled by the attackers. The proxies are used to modify the search results that a victim sees for any given search term, and to redirect traffic to pay-per-click schemes that pay for traffic to specific Web sites.

Fortunately, the traffic generated by the malware has a unique “signature” that Google is able to use to alert victims. Google is placing a prominent notification at the top of victims’ Google search results; it includes links to resources to help remove the infection.
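The detection described above amounts to spotting periodic, content-free check-ins hiding inside what should be search traffic. The following is an added example, not Google's code: it profiles each client's requests in a constructed log (the log format, the thresholds and the IP addresses are all assumptions) and flags clients whose requests never vary and arrive on a near-fixed interval, which is how a beacon differs from a person searching.

```python
"""Beacon detection over web front-end request logs (added example, not Google's code).

A malware check-in hits one fixed path, carries no query, and recurs on a
near-constant timer. A person searching sends varied queries at irregular
times. Every log line used here is constructed; the thresholds are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple


class Request(NamedTuple):
    ts: int        # epoch seconds
    client: str    # client IP (constructed, documentation ranges)
    path: str      # request path including any query string


def parse_log(text: str) -> List[Request]:
    """Parse constructed lines of the form '<epoch> <client> <path>'."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, path = line.split(maxsplit=2)
        out.append(Request(int(ts), client, path))
    return out


def beacon_profile(reqs: List[Request]) -> dict:
    """Summarise one client's traffic: volume, path variety, interval regularity."""
    reqs = sorted(reqs, key=lambda r: r.ts)
    gaps = [b.ts - a.ts for a, b in zip(reqs, reqs[1:])]
    avg = float(mean(gaps)) if gaps else 0.0
    # Coefficient of variation of the inter-request gaps: 0 means perfectly periodic.
    cv = (pstdev(gaps) / avg) if avg else 0.0
    return {
        "count": len(reqs),
        "distinct_paths": len({r.path for r in reqs}),
        "mean_gap": avg,
        "gap_cv": cv,
    }


def find_beacons(text: str, min_requests: int = 5, max_cv: float = 0.15) -> Dict[str, dict]:
    """Return clients whose traffic looks like a timed check-in rather than searching.

    A client is flagged only when it has enough requests to judge, always asks
    for the same path, and its request interval barely varies.
    """
    by_client = defaultdict(list)
    for r in parse_log(text):
        by_client[r.client].append(r)
    flagged = {}
    for client, reqs in by_client.items():
        p = beacon_profile(reqs)
        if p["count"] >= min_requests and p["distinct_paths"] == 1 and p["gap_cv"] <= max_cv:
            flagged[client] = p
    return flagged


def constructed_log() -> str:
    """Build a small constructed log: one infected host, two ordinary users."""
    lines = ["# epoch client path   (constructed sample, not real traffic)"]
    base = 1311033600
    # Infected host: identical GET / roughly every 120 s with a little jitter, no query.
    for i, jitter in enumerate([0, 1, -1, 2, 0, -2, 1, 0]):
        lines.append(f"{base + 120 * i + jitter} 198.51.100.7 /")
    # A person searching: varied queries, irregular spacing.
    for offset, path in [(5, "/search?q=pasta"), (140, "/search?q=pasta+recipe"),
                         (900, "/search?q=weather"), (1800, "/search?q=car+insurance")]:
        lines.append(f"{base + offset} 203.0.113.5 {path}")
    # Another person: same path twice, but far too few requests to call it a beacon.
    for offset in (30, 4000):
        lines.append(f"{base + offset} 192.0.2.9 /")
    return "\n".join(lines)


if __name__ == "__main__":
    for client, profile in find_beacons(constructed_log()).items():
        print(f"{client}: {profile['count']} identical requests, "
              f"mean gap {profile['mean_gap']:.0f}s, gap CV {profile['gap_cv']:.3f}")
```

Real deployments would also fold in the signal the post mentions first: requests that keep arriving at a front end after it has been withdrawn from DNS, where no human-driven search should land.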

Google should be applauded for alerting users, but the hard work will be in the cleanup: Search hijackers are notorious for blocking users from visiting antivirus Web sites or other popular sources of malware removal tools.


84 thoughts on “Google: Your Computer Appears to Be Infected”

  1. Pete

    Okay, so let me get this straight. I’ve been spending the last several years telling people the same thing: If a website tells you “your computer is/may be infected with a virus,” then you should ignore it.

    This sort of thing might be the biggest real threat to security in the world today: user confusion.

    Banks tell us they’ll never ask for our password, yet they ask for our password every time we want to log in. They say they’ll never send us important notifications via email — until they do. And now security-conscious folks — who have been telling people for years to ignore warnings like this — are all of a sudden creating them!

    I can’t blame users for being confused and scared of their computers. Because we intentionally make the experience confusing by constantly changing the rules of the game!

    1. Pete

      Sorry, my comment was a little confusing because I got sidetracked halfway through writing it.

      The point is that we’re confusing users with this sort of thing. A banner that claims “you are infected” is exactly the kind of thing I would tell users NEVER to click.

      This sort of behavior simply confuses users. We shouldn’t encourage it. We should condemn it. This was the WRONG thing for Google to do and they should know better.

    2. Bart

      I think, rather, that banks say they will never ask for your account information in an email. It doesn’t make sense for them not to ask for a password for on-line banking.

      1. Pete

        Actually, it does make sense. We just haven’t gotten around to implementing the technology yet. Banks and other secure facilities should be using public key cryptography so that they never do actually ask for your secure information.

        I applaud Mozilla for working on ways to make this practical:

        http://tech2.in.com/news/web-services/mozilla-streamlines-passwords-rolls-out-browserid/230932

        We came up with an interesting, but ultimately over-complicated approach this spring:

        http://www.incredulicio.us

        Mozilla solves our most challenging problem (storing the user’s private key securely and permanently) by integrating support directly into the browser. However, they solve our second most challenging problem (lost keys) by simply assuming your email account is secure. Which is probably not a great idea. But it might be worth it to help people with the transition to a PKI-based authentication system.

        Some day banks will be able to legitimately tell users never to share their authentication information with anyone — including the bank!

        1. Terry Ritter

          @Pete: “Banks and other secure facilities should be using public key cryptography so that they never do actually ask for your secure information.”

          Somebody has not been paying attention: Bots DEFEAT authentication, including public-key certificates and external 1-time 2-factor dongles (and even SMS confirmation, with a smart-phone bot). The authentication works, but the bots win anyway.

          Bots win because they control communication through the customer computer. At the moment the user provides authentication–in whatever form–the account is open and the bot can use it. We could imagine a tiny bot herder actually being inside the customer computer and using the now-open account. Improved cryptography cannot solve this, because the cryptography is working: it is the computing system which is defeated.

          The problem is the bot. The solution is to not have a bot. But bots are very good at hiding, and scans are unlikely to find them. Since computer hardware and software manufacturers do not provide a way for users to certify their computer as bot-free, there should be no surprise that we have a widespread bot problem.

          “Mozilla solves our most challenging problem (storing the user’s private key securely and permanently) by integrating support directly into the browser.”

          I have seen a lot of claims come and go, and, as usual, it will take several years of analysis and experience to believe this one. It is way too early to declare success.

          Sadly, there is a long history of actual experience with the weakness of the browser with respect to key secrecy. For example (from my 2009 article):

          “In 2009, researchers were able to hijack the Torpig botnet for analysis:

          “It is also interesting to observe that 38% of the credentials stolen by Torpig were obtained from the password manager of browsers, rather than by intercepting an actual login session. (Sect. 6.1)””

          For now, LastPass seems a better alternative.

          1. Marcustech

            “The problem is the bot. The solution is to not have a bot. But bots are very good at hiding, and scans are unlikely to find them. Since computer hardware and software manufacturers do not provide a way for users to certify their computer as bot-free, there should be no surprise that we have a widespread bot problem.”

            As I understand it this is the alleged goal of Trusted Computing – the hardware verifies the BIOS, bootloader and OS are trusted, i.e. bot-free. There’s just no-one really pushing for it and consumers don’t understand it.

            1. Clive Robinson

              @ Marcustech,

              Whilst the various trusted platforms are an improvement they are by no means the “be all or end all” of bots.

              For instance how does the OS know the BIOS is not infected?

              The answer is it can’t tell, it can only check to see if somebody else has said it’s ok via a hash or signed hash.

              As I’ve been saying for a long time, and Stuxnet went on to prove, code signing is only as good as the security of the private key, and the development process behind it.

              And as we know from past experience malicious code has made it into even Microsoft’s code base upstream of the release system (of which code signing is the last stage). Likewise somebody got into Apple’s supply chain and customers received a nice new shiny device with the malware pre-installed.

              We have also seen lack of private key control result in fake certificates being issued.

              Security is hard enough when dealing with just those motivated by ego, but when also motivated by crime it is very very hard.

              At the end of the day it can be shown in various ways it is not possible for a computer to recognize if it has malware on it or not, partly because it’s been proved mathematically some time prior to the first electronic computers, but also with smart phones it is actually not possible to verify the actual chip has not been tampered with…

              It is this latter aspect that is getting quite a few people in the various “cyber-command” posts “panties in a wad” with regard to the very very high volume of chip production that is known to fall well within the sphere of influence of the Chinese (to name but one APT suspect).

          2. Pete

            I agree that PKI can never replace user-vigilance. It just makes that vigilance much easier. My comments regarding how PKI can help simplify user security actually refer to another, similar common problem: phishing.

            Banks always tell us they will never ask for our password. But then they ask for our password every time we log in. Therefore, it’s easy for attackers to trick people into giving out their password by just faking the bank’s login page. If they do a good job at emulating the bank’s login page, then users will happily enter their data right into the fields provided.

            By removing the username and password fields from the web content area, it makes it much easier to instruct users on how to manage their credentials. Simply put: Never enter your credentials into a web page. It’s much easier than saying, “never enter your credentials into a webpage unless that page happens to be the page you’re looking to log into and not a cleverly disguised fake.”

            Anyway, you’re right. A bot that owns your machine owns the credentials you store on that machine. Once the machine is compromised, you’re pretty much done. And that’s a problem I have not yet seen any solutions to. But the PKI-based system does actually offer something in the way of solutions. If each machine makes use of a different private key to log into your account (rather than a single private key), then you can easily invalidate a single machine’s credentials without having to run around and change all your passwords. It won’t even affect un-compromised machines’ ability to access your accounts.

            Furthermore, using PKI for credentials means you NEVER have to send private credential information to other folks. Meaning you can use the same private key for every website you visit on a given computer and even if 95% of those sites are 100% compromised by LulzSec, they can’t use the data they pull to get into the other 5 percent.

            PKI is a far superior system than password-based authentication. It’s just not very user-friendly in its native format. So we should be looking at ways to make PKI usable for the common user. I think BrowserID does a great job at taking a big step in the right direction. I think there are some inherent problems with it, but it’s a big increase over what we have now and it’s very user-friendly. Which is key.

            1. Clive Robinson

              @ Pete,

              PKI has a lot of technical issues as all “key management systems” have.

              However there is a human aspect as well that most technical people developing PKI solutions don’t appear “to get”.

              Although a human is generally an individual organism, we all have multiple roles, be it son/daughter, father/mother, worker/manager etc etc.

              Now the problem is that a “single key” solution (which every system I’ve looked at so far is) means that you as an individual are fully traceable back to your single private key.

              What is needed is not an “individual” based key, but “role” based keys.

              That is each role in a person’s life has an individual key completely unrelated to any other of their keys, in the same way people have multiple credit cards from different and unrelated issuers.

              Unless web browsers and the like have this properly built in PKI will only result in a complete loss of privacy in the long run.

              Oh and don’t be upset if you didn’t “get it” prior to me saying it, most security experts don’t “get it” until you explain it to them.

              Another human aspect of PKI which is a big fail is authenticating the individual back to a traceable document like their birth certificate. This very very stupid idea is one pushed by the likes of those pushing National ID cards.

              Humans don’t work like that only oppressive entities such as those aiming to have unilateral control of individuals, in what were once called “Police States”.

              At the human level we work “by reputation”, that is we gain trust over time by behaving in an appropriate manner.

              But again as humans we make the mistake of saying “we trust john smith” not “we trust ID X in this role”, which is what we should do.

              For instance posting to a blog, the blog owner does not care if you are a Klingon, a dog or a sweet little old lady in Ohio. What the blog admin cares about is your reputation as a poster to their blog.

              So if I decide I want to post under a pseudonym I create a PK pair and sign my posts with it. The blog owner vets all unknown comments and those signed by unknown keys. However over time the blog owner can see that signing key X is trustworthy and allow any comment signed under that key to get posted directly without moderation. If the person using that key abuses the trust then the blog owner simply revokes any rights pertaining to the key.

              This sort of system allows individuals to remain anonymous but also develop a “trusted role” as “anonymous” key X attached to the unknown person’s role as a poster to that blog.

              1. Pete

                I think you should check out NSTIC:

                http://www.nist.gov/nstic/

                It is looking to do exactly what you’re looking for: establish an ecosystem of role-based credential verification that helps preserve privacy by limiting shared information only to the attributes required for the given transaction.

                To give a good example, let’s say you want to purchase some pornography. In most jurisdictions, you must be 18 to do so. So you need to prove to the seller that you’re 18. Generally, this can only be done by showing your driver’s license. This tells the seller your name, complete birthdate, home address, driving eligibility, height, weight, eye color, and even organ donor status! All just to prove you’re 18.

                Wouldn’t it be great if there was a system in place that would allow you to verify you are over 18 without giving any other information to the seller? That’s what the NSTIC hopes to offer.

                When the plan was first unveiled, there was a lot of outcry by privacy advocates (EFF, DemandProgress, etc) for some really strange reason. Probably because it came from the Department of Homeland Security. But if you actually bother to read their plan and their proposed system, it’s actually exactly what you were looking for.

          3. Matthew Sheeran

            You are perfectly correct and for reasons of computability/decidability it is a cat and mouse game that can never be won. So there is no ultimate answer or solution but there is however a mitigating approach: VM containers with the simplest possible APIs and firewalls between etc. etc.

            Qubes OS http://qubes-os.org takes this approach and they are to be commended for it. In the future – several versions down the track and probably on my next h/w – I would like to run my regular insecure Operating Systems like Windows, OS/X and even Linux as hosted VMs under Qubes OS.

            Enjoy 🙂

            1. bleu

              We’ve already seen this kind of thing in action. Isn’t it exactly how Android works? Dalvik is a light VM, apps don’t interact with each other and rather with the system. And still, someone made trojans for that.
              What’s more, it’s not the encryption, authorization or credentials provider itself who’s responsible for this. The weak link in the chain is the user himself. This is far beyond any possible hardware-based solution to provide completely fool-proof systems.

              1. Terry Ritter

                @bleu: “What’s more, it’s not the encryption, authorization or credentials provider itself who’s responsible for this. The weak link in the chain is the user himself. This is far beyond any possible hardware-based solution to provide completely fool-proof systems.”

                But even the best users eventually will make a mistake. If we really think that hardware cannot help, we are forced to base more ordinary operations in user decisions, an increasing portion of which we know eventually will be bad.

                The real problem is that our hard-drive-based systems can be infected and so not start out clean on each session. If our systems started out clean, we could just start a new session and then just not do anything hinky (and so not catch a new bot) before we do our banking. We can approach that now with an OS boot CD / DVD.

                Alternately, if we just knew when we had a bot, we would know not to use that machine. But that knowledge simply is not available.

                In the context of PC’s, the main problem is bots, but, surprisingly, not the bot itself. The problem is that the bot keeps coming back on each new session because of infection. When a single bot infection can create hundreds of sessions of bot-running, the infection is the problem, and infection can be (almost!) eliminated with appropriate hardware.

                The problem is to prevent a running bot from infecting the next session run-up. To infect a system, a running bot must change some code which will be executed in the next run-up. We can prevent infection by preventing the bot from changing run-up code or data. We effectively have this now when we boot from CD / DVD.

                Run-up data could be protected by independent hardware to prevent bot changes to run-up code and data. The OS cannot do this because the bot has already taken over the OS and with it every software protection mechanism. An appropriate place for the new hardware protection might be inside the boot drive, where the drive controller can deny writes to the run-up area.

                We cannot depend on human control if it is important to minimize error. A great deal of security improvement can be had without human control.

    3. drzauisapelord

      The problem is that we are always badgering and abusing end users.

      The real problem with this malware is that it’s served by hacked web servers. Why aren’t we badgering those who maintain these servers? They always seem to get a free pass.

      Heck, go to google images and type in any celebrity’s name. Click on some random photos. You’ll get served malware pretty quickly. These guys are hacking easily and with impunity. It’s time we made web hosts responsible.

      1. Stephen

        drzauisapelord,

        I agree the person in charge does get a free pass a lot. However, there’s a reason why: stop and put yourself in his shoes. Having been there once or twice myself I understand what he goes through every day. Furthermore, the end user never seems to help. More often than not they’re actually the cause of the problem; this is why the blame always ends up on their shoulders.

        I said it before and I say it again, the only true way to stop events like this from being widespread is to educate the end user. Knowledge is power, as the saying goes. I truly believe the end user should be educated better so when attackers slip through the cracks (and we both know it’s only a matter of time), the end user will know better than to fall for the attacker’s tricks.
        And possibly be smart enough to even alert the admin of this problem quicker. From my experience there are a lot of very ignorant end users out there still.

      2. Clive Robinson

        @ drzauisapelord

        “”

        The question is how black lists don’t do it.

        The only answer that comes to mind is “authoritarian censorship” by a government etc.

        Which means we end up with our ISP implementing their own little piece of the “great fire wall of China” or its equivalent.

        Australian politicos talked about such things a while ago but I think the negative press woke them up to what a bad idea censorship is.

    4. Helly

      This was updated on google’s blog to provide a bit more info on their thought process:

      We’ve heard from a number of you that you’re thinking about the potential for an attacker to copy our notice and attempt to point users to a dangerous site instead. It’s a good security practice to be cautious about the links you click, so the spirit of those comments is spot-on. We thought about this, too, which is why the notice appears only at the top of our search results page. Falsifying the message on this page would require prior compromise of that computer, so the notice is not a risk to additional users.

      In the meantime, we’ve been able to successfully warn hundreds of thousands of users that their computer is infected. These are people who otherwise may never have known.

  2. brian krebs

    I see your point, Pete. You are right: ISPs and network providers — including search engines — need to be careful about how they message their customers, and to not prime the pump for scammers. But I also believe users need to learn some very basic street smarts. That includes teaching yourself to think a second or two before you act, or even decide to act.

    For example, what is the harm in a message that says, “Hey, your computer looks like it’s infected. You might want to do something about that. Here are a few options.” It’s a far cry from the typical rogue AV come-on “Hey, your computer is infected and here’s what you need to buy to fix it! buy now! now! now!”

    The more I learn about malware on the Internet and Internet users in general, the more convinced I am that additional, large scale programs like these need to be part of the solution. Like it or not, ISPs have a massive view into what’s going on with their customers, and that includes customers that are quite obviously infected with something. ISPs have been content for a long time to do nothing about this as long as the offender isn’t hogging bandwidth.
    But that attitude is short-sighted, IMHO, and does a disservice to customers in the long run.

    I’ve heard from folks in the ISP community that many don’t want to bother notifying customers about malware problems because they’re worried it will cause a lot of customers to complain and expect the ISP to fix it. That seems like a valid concern. However, there are lots of ways to deal with this issue, and some (like Comcast) are saying, hey, that’s fine: If you need help, we can do that, but it may not be free.

    Google, though, seems to be in a different category here. They’re not in any real danger of people calling them and demanding help removing a threat, or threatening to cancel their high speed internet if they don’t get satisfaction.

    1. Eric

      Brian, if you think it’s OK to click on a link/popup that says “Your computer may be infected, here’s how to clean it…” then you have clearly not been paying attention.

      No longer does the user have to run anything, choose to install anything, or do anything with administrative rights. All it takes to infect a PC is to trick the user into clicking on a link to a malware site. Every week, I see hundreds of malicious links that force drive-by infections on unsuspecting users. That is in addition to the many many many fake AV

      1. BrianKrebs Post author

        As I understood it, the message is not a pop-up. It’s a message displayed at the top of the search results when the infected user searches for anything at google.com.

    2. Pete

      I think the argument of, “You must be ‘this smart’ to use the internet,” is a dangerous one. Primarily due to the fact that the bar is rising all the time.

      Even those of us who spent years in computer science classes can have a hard time keeping up with good security practices. So it’s entirely unreasonable for us to present Joe Schmo with such complicated instructions as, “Don’t click anything that tells you you’re infected — unless it’s google — and only then, you should do it only if you’re on HTTPS — and even then, you should validate the certificate — and you should make sure the certificate comes from a trusted authority — and you shoul…”

      Remember that the people who were infected with this malware got that way BECAUSE THEY CLICKED ON A BANNER THAT SAYS THEY MIGHT BE INFECTED. (Sorry for the caps, I’m not sure how to do italics here).

      I just think we’re sending very mixed messages to users at large when we force them to make very complex technical decisions about the authenticity of information they see in order to merely function on the internet without having their personal information compromised.

      1. Helly

        I think your points about user confusion were valid at one point, but are quickly becoming valid no longer.

        As security experts we invested a significant amount of effort into training users to not click on things they didn’t expect, and not to submit passwords solicited via email and things. To some degree I think this has created a false sense of security in the end user’s mind. Meaning if I browse directly to my bank and enter my password then I’m safe. There is very little consideration from the end user for other types of malware that don’t fit the traditional phishing type guidelines we gave them. In part I believe it’s this (false) confidence that makes malware like Zeus so effective.

        The other thing is that in this situation Google is only alerting users who have already proven they don’t follow internet “best practices.” At that point it can’t hurt to try and give these users some sort of a heads up. I hope google publishes the results of their efforts so we can see if it truly proves effective. But I think it’s time for security people to update our education approaches for consumers.

      2. Kooberfacer

        I don’t know about your ISP Pete but mine will notify me via email if a computer is hogging bandwidth a la malware spam. I don’t need google to tell me if my computer is infected since I already know if it is or not.
        The responsibility does lie with google or the ISP if their machines are compromised though. Another issue with ISPs is folks working with them that don’t quite know what the hell they are doing, but that’s another issue for another day.

    3. Clive Robinson

      Brian,

      Whilst I agree in general you have to ask yourself the difference between “being a good neighbour” and “being a jackbooted censor”.

      Most ISPs follow the old adage “strong fences make good neighbours”, but only apply it to themselves with respect to their customers, not between their customers.

      It’s an issue we are going to have to learn along the way, and unfortunately as with much in the modern world the legislators and lawyers are going to do their damnedest to make it fail out of their own self interest.

  3. muffin45

    If I saw the note that “your computer appears to be infected…” click here to learn how to fix this, how am I supposed to know that this is legitimate?

    1. timeless

      If you are visiting https://encrypted.google.com and you see that message then one of three things has happened:

      1. Google itself has been attacked
      – response: take a vacation from your computer
      2. Your computer is infected; Google noticed and is telling you
      – response: do something about it
      3. Your computer is infected; The infection has inserted this message into Google’s page
      – response: you’re still infected, you’ll still need to do something about it.

      Note that in case 3 you’re already infected by something which can run arbitrary code as *you* on your system, including performing requests in the browser, which means it’s fully capable of downloading additional programs and running them (as you…). Now… it could be the case that it isn’t capable of running them as the Administrator without your assistance, but since it’s running programs as you, it can rewrite anything you download on your system so no matter what you try to download, it could be a binary of its choosing.

      There’s no reason for Google to show you the message unless your computer is in trouble (unless theirs is, in which case you’d know about it the same way you found out that Google is now introducing such a banner).

      1. timeless

        Of note… if you aren’t absolutely certain you’re visiting https://encrypted.google.com, there’s an easy solution:

        Type it into the urlbar yourself and repeat your search (you can even copy the search from the previous page and paste it into the encrypted search box).

        There’s very little cost to loading https://encrypted.google.com an extra time and repeating your search. If you load it enough, your browser should offer it to you sooner (you could also bookmark it or something…).

  4. Neej

    /me waits for this message to be exploited by yet more scareware 😉

  5. Some Guy

    Google – Great intentions. But poor execution.

    Given the bad guys are choosing to use your search engine most of the time to infect the victim machines, do you really expect consumers to heed your warning?

    How about publishing the detection strings or signatures, or is that Google IP?

    Why not work with ISPs, reputable AV vendors, CERTs (like AusCERT) or even groups like Shadowserver to deal with this issue?

    1. MikeInSeoul

      >> Why not work with ISP’s, reputable AV vendors, CERTS, … Shadowserver to deal with this issue.

      How are you certain that they haven’t already been collaborating? Or, if they haven’t, that they aren’t planning to soon? Besides, I’m pretty sure that if they haven’t been sharing data yet, US-CERT and/or US Cyber Command are going to come knocking soon to collect that data.

      And, really, I can’t see why Google wouldn’t (or shouldn’t) give it to them.

  6. UltraShark

    Well you do have to realize, Google is GOOGLE after all.

    When I want to see if a computer is getting online alright, I go to Google, and test it there. Why? Because Google is reliable, and notably trustworthy in my opinion, and I think and hope a lot of people share that view. That would allow them to still understand that the scamware ads that are littering the internet, and a notification on Google’s website are very very different things. If I saw this, I would trust it, because I know Google is the last company that is going to get massively hijacked and infect its customers.

    1. Jane

      I *used* to go to Google to check the connection, back in the “early days” when it was a much cleaner, simpler landing page. Now I ping instead.

    2. Pete

      Remember that the malware in question is malicious because it modifies search results returned by Google.

      So we can assume that it has 100% control over the DOM presented by Google. In fact, it wouldn’t surprise me if the malware gets an “update” to simply hide this message.

      Just because a message is ostensibly from Google doesn’t mean it’s really from Google. I can set up a small computer on your home network to show you anything you like in your Google search results.

      Sure, in THIS case it’s legitimate. But what do you tell grandpa to do when he sees messages like this? Probably, “call me,” because there’s no way you can expect grandpa to be able to authenticate the message by himself.

  7. george

    There is something that “does not compute” for me: If the malware hijacks sessions to google.com, yahoo.com, redirects it to proxies controlled by criminals and replaces the search results with whatever they want, how can Google prevent the banner from being blocked altogether? If this didn’t happen initially, I guess it would take those scumbags just hours to patch their badware and completely obstruct the notification banner. What am I missing?

    1. timeless

      Google can’t prevent that from happening. But it’s a cat and mouse game. Google’s cats are actually pretty agile. And while we think of web pages as static content, that isn’t a requirement and isn’t actually the case for Google pages. Google could build the page in a million different ways, and it can include code which tries to ensure that certain parts of the page are present.

      It’s of course possible for someone to try to spoof the entire Google page, but there’s a reasonable chance that in some cases that’d fail.

  8. bob

    @UltraShark Google doesn’t have to get infected. Your machine gets infected and injects things into your web results. You seem to have jumped to the end of the article (“Google is placing a prominent notification”) without reading the start of the article (“malicious program that hijacks search results”). You can only trust Google if you trust yourself and every machine between you and Google.

    1. timeless

      Note that if you use:

      https://encrypted.google.com

      Then you only have to trust your machine and Google. You can ignore all the machines in between.

      It isn’t perfect, and certainly if your machine isn’t trustworthy, it’s essentially useless, but, it’s better than having to trust everyone.

  9. Mark

    Surely a better statement would have been to ask the user to “go to this site http://www.XXXX.com” rather than use a link, at least that way people will see the address they need to type and not start clicking random links because “Google” told them so, it won’t be long until a piece of malware copies this and sends them somewhere dodgy 🙁

  10. JoJo

    Please don’t post this if the question shows complete ignorance! Will running Malwarebytes software isolate/repair the problem?

    1. BrianKrebs Post author

      J0J0 – I think that is one of the tools Google specifically calls out and urges people to use. So, I would think that the answer is yes.

  11. JoJo

    My thanks to both Mark and Brian! It is people like you who help me learn more about my computer every day.

  12. Mike K

    While I applaud Google trying to give a heads up, there is nothing right about providing a link “learn how to fix this”. It is essentially how people got themselves in trouble to begin with and sets the wrong example. I teach my family and friends NOT to respond to pop-ups you don’t know, no matter what it says. The malicious software described in the post could just as easily produce the Google Warning.

    Better would be direction from Google to update and run their virus software or without providing a link giving such directions as to go to Microsoft’s website and download their Malicious Software Removal Tool.

    1. Terry Ritter

      Mike K: “Better would be direction from Google to update and run their virus software or without providing a link giving such directions as to go to Microsoft’s website and download their Malicious Software Removal Tool.”

      While the MSRT has “removal” right up there in the title, and older malware might be removed, expecting that is a bad bet. Many or even most modern malwares simply cannot be “removed” in the sense of returning the original computer state. Once a bot is in place, it can modify any file, and there is no way to know what has been done, so there is no way to reverse it.

      The correct response to malware is to re-install the OS and apps.

  13. KJ

    Perhaps Google should set up a specific site using an encrypted and certified link so that some of these issues of authenticity could be solved. This would probably only help the more knowledgeable and capable user.

      1. KJ

        Does the encrypted search defeat the redirect malware? Would you be more willing to trust a message on the encrypted certified search page than on the unencrypted uncertified?

        1. timeless

          Encrypted search can defeat some attacks, but if there’s a malicious process running as the same user as your browser, then your browser can easily be manipulated by that malicious process. And given that malware these days often retrieves other malware as it goes, you really need to have 0 malware on your system.

  14. DanO

    >For example, what is the harm in a message that says, “Hey, your computer looks like it’s is infected. You might want to do something about that. Here are a few options.” It’s a far cry from the typical rogue av come-on “Hey, your computer is infected and here’s what you need to buy to fix it! buy now! now! now!”<

    If the Google warning message said something like "Your computer looks like it is infected, we strongly recommend using one of the following AV products to clean your machine" and listed the url for MalwareBytes/other products proven effective (NOT a Link!), there would be no "harm".
    By including a "learn more" link, they are adding to the problem, not the solution. OK, most current rogue AV is the "fix it! buy now! now! now! variety", but the next generation can simply spoof this identical Google alert…once the user clicks "learn how to fix this" the trojan is installed and…

  15. Maureen

    I have to admit that when I started reading this, it took me a few minutes to realize that it was a legitimate alert. Even then, my mind rebelled against the idea that a legitimate company would include a link in their malware alert, and I had to back up and start from the beginning. This is incredible. I have trouble enough communicating what is safe and what is not, and now I have to add “well, if it’s a popup that looks just like Microsoft don’t click on it, but if it’s not a popup and it’s at the top of a Google page, go ahead”?

    I agree with the others who suggested that Google just spell out Malwarebytes’ url and remove the link.

  16. laughingpanda

    >The malware intercepts traffic destined for high profile domains like google.com, yahoo.com and bing.com, and routes it through intermediate hosts or “proxies” controlled by the attackers
    So these people (“attackers”) can easily inject the very same warning message. Or remove this message. They can even slightly modify the Google-injected message and change the “learn how to fix it” link, pointing it to another site.

    This google message will work for sure for a couple of days, until “attackers” program their proxies to exploit it.

  17. Vincent M

    I applaud Google for their efforts. Yes, their warning message does at face value appear to contradict everything we have been taught regarding these types of communications but there is the bigger picture to consider. The first of many that came to mind is to consider how reckless it would be for Google to become aware of an infected computer and not notify the user. Short of having a Google executive escorted by an FBI agent knocking on your front door to notify you of an infection, all other methods of communication are going to appear suspicious. As well they should be. Brian Krebs states it best in saying that users need to learn the basics of street smarts.

    Having lived across from Microsoft (in Redmond Wa.) for 12 years and the Silicon Valley for about the same I have managed to acquire a great many friends that are associated to the internet industry in one form or another. Having these friends and through osmosis I have managed to learn some very basic Internet smarts. I have learned that a little smarts, common sense and good habits have helped me avoid many headaches.

    Google has made a great first step but the bottom line is that the Internet is fraught with hazards and trying to discern the good guys from the bad will always be the greatest obstacle. There will never be total Internet security but if companies like Google and users all do their parts it makes it just that much harder for the bad guys.

    1. Maureen

      Vincent, I don’t think anyone has said that Google should not be alerting people to infected computers, but rather HOW they are doing it. Not all users are lucky enough to have acquired “a great many friends…associated to the internet industry”. IT administrators world over have been trying to teach their users not to click on anything they didn’t ask for, and now they are hearing and reading that it’s okay to click on this one. I can tell you firsthand they have undermined a lot of security efforts with this alert.

      You are correct when you say the Internet is full of hazards and it’s difficult telling the difference between good and bad guys. But Google did not help when they threw a link into their alert.

  18. DennisA

    Despite Google’s intent, I have to side with the argument for consistency in dealing with my users. I have invested a lot of time and energy in getting them to not click links that appear to promise to solve problems–especially problems that are not apparent or that users might not understand.

    So, I have just sent a notice to all users here that, should they see the Google alert message, to NOT click the link, but to close the browser and then call for IT help. And no telling how quickly the scareware writers will mimic Google’s message, with their own destination to other malware embedded in the learn-how-to-fix-this link.

  19. AlphaCentauri

    I support Google posting an alert. But I would remove any clickable links like the “Learn how to fix this.”

    If we’re going to seize a teachable moment, teach users NOT to click on unexpected banners. I mean, that’s how they got into this fix in the first place, isn’t it?

    Google is identifying users by their IP address and can identify them by ISP. Simply send advance warnings to the ISPs about this campaign so the ISPs can post the “learn how to fix this” link on *their* homepages. Then direct each user to the correct ISP homepage with a non-clickable link that they must type.

    And if Google wants to be even better citizens, explain, “We’re telling you to type this address in your browser, because you should never, ever click on a link that claims to know your computer is infected with malicious programs like computer viruses. Always go to a trusted source like [ISP] support by typing in the address yourself.”

    1. Bill C

      Totally agree with AlphaCentauri. For the majority of internet users (including myself), the principle of “keep it simple” should be employed. In this case, don’t click on the link (even though it seems so harmless); instead seek help elsewhere. Maybe I’m getting paranoid, but I find myself severely limiting my activity on the internet to only the most necessary activities (this site being one of them). Also, no Facebook (out of control), no smart phone, no “cloud.”

  20. KJ

    My earlier suggestion for Google to use an encrypted certified site for notifying searchers about possible malware infection misses the point that the unsophisticated users that are likely to be infected are also those users that are unlikely to understand or check the certificate. Also Google’s current approach does nothing for users that are infected but use other search engines than Google. A better solution needs to involve the other search engines as well. Notification of ISPs as an intermediary for the unsophisticated users would be good, but there is no guarantee that all ISPs will follow through.

  21. Clive Robinson

    Brian

    It might be time to post a reflection about “reputation” in the real world -v- the online world.

  22. Arti Gupta

    So there’s someone getting paid by this scheme. Can’t they follow the money trail and catch the perps?

  23. Helmi

    Hello, I found this warning in my computer too.. what can i do for fix it friend?

    1. Terry Ritter

      Helmi: “Hello, I found this warning in my computer too.. what can i do for fix it friend?”

      Re-install the OS and apps from scratch.

      1. Terry Ritter

        Allow me to repeat for emphasis the fact that:

        A FULL OS RE-INSTALL IS REQUIRED TO RECOVER FROM MODERN MALWARE.

        As I know very well, OS re-installs can be confusing and tedious. No, there is no easy way.

    2. Terry Ritter

      @Helmi:

      The ONLY way to guarantee that all bots are eliminated is to re-install the OS and apps from scratch.

      Take time to think about what you are doing and what can go wrong. Be particularly careful not to infect other systems or flash drives as you work.

      Back up important data files. Make a drive image which can be searched for data files you forgot to back up. In general, do not recover old program files. Be sure to bring up the new system behind a hardware firewall / router until you get your security patches in place.

  24. Miriam R.

    While I’m grateful to Google for making the effort, the malware I’ve seen causing Google search redirections is _not_ simple to remove.

    Suggesting to users that they can just download a tool and get rid of it is doing them a disservice.

    It’s usually some variation of the TDL4 bootkit/rootkit, and careless attempts to clean it up can leave a computer unbootable or result in irretrievable data loss. I’ve never yet seen a PC with this infection have just _one_ malware kit installed either, since they generally keep downloading botnet components.

    Everyone who gets this warning also needs to be aware that every password they’ve typed since infection now belongs to the criminals – e-mail, banking, etc.

    On the other hand, at least Google isn’t (yet) directing people to targeted advertising for identity theft protection services.

    As far as prevention is concerned, it’s going to take a concerted effort of hosting facilities, site admins, ISPs, and others to stop the bot herders. Anyone who runs an FTP server can see the daily password attacks, but most of the “infected” pages I’ve seen have been victims of page modifications to redirect to malware sites, third-party advertising which redistributes malicious JavaScript or Flash, and so on.

    US-CERT recently released a general warning about securing web servers which should give people some idea of how complicated it is to lock everything down – a few easy good practices, but many steps that could require hundreds of hours of IT work for small organizations.

    Sites like the New York Times, MSNBC and other innocuous brands have distributed malware – it’s not a matter of infection through user ignorance (unless you count using Internet Explorer).

    Finally, #^@#$ Microsoft. Why anything running in userland (and in a browser’s temp directory) ever gets permission to write to the boot sector or create super-hidden registry keys is beyond me. If someone writes a consumer wrapper for Qubes, I’ve got my wallet out.

  25. T.Anne

    “Banks always tell us they will never ask for our password. But then they ask for our password every time we log in. Therefore, it’s easy for attackers to trick people into giving out their password by just faking the bank’s login page. If they do a good job at emulating the bank’s login page, then users will happily enter their data right into the fields provided.”

    First, I’m pretty sure banks tell you they won’t ask you in email and that they won’t send you a link requesting you to type in that type of info. So if you actually pay attention to what it says – and not just assume that means they’ll never ask you for your password. It’s really not all that confusing. I mean, why set up a password in the first place if they’re not going to ask for it?

    And I’m sorry – but I much prefer having different log-ins for everything vs one on my computer. If my computer is hacked – then everything is lost. If one password is hacked, that account may be lost but everything else is still secure. Yes, I know, I can have a key logger or something that pulls every password I enter and slowly each account would be breached. However, the odds of all of them being breached without me knowing something – is much more difficult when they’re all separate, unique log-ins.

    Personally, I think everyone should have different ones and that they should be changed regularly… I know this isn’t easy and it’s not something most home users do – but it’s basic smarts to stay a little safer online if you ask me (as long as they don’t write each one down in an excel sheet or something which completely negates the point if the computer is infected). I do the same thing with my garage code, alarm code, pin, etc… I may be overly cautious – but it gives me at least a little more of a sense of security… It’s not enough to keep me totally secure, but it’s a step.

    I understand how the link on Google’s warning essentially goes against all the things we’ve been taught to ignore online. It may not be a pop-up, but it’s also not something we went looking for. However, if I saw the warning… knowing that it’s not wise to click anything, I might be more prone to run my AV or go to a security site to see if I could find anything on it. Naturally, having the warning on a Google search page would make me leery of searching for the information on that page.

    The other thing we have to remember – is that these users are most likely ones that don’t know to not click on things. They’ll happily click it – and, for a change, be directed to something that will help them. Now yes, this can start to be spoofed and lead to bad things too – but again, remember, these people are already clicking links they’re told to… they’re going to be infected regardless. So what’s wrong with actually getting them to click something that will actually help them for a change?

    Honestly, I think more of these types of things should be done. Users need to be better educated and learn how to protect themselves online. However, it’s nice to see others trying to make the internet safer instead of leaving all the responsibility on the user (who in most cases doesn’t even know the basics when it comes to online security).

    The US CERT has provided some nice tips – in easy to understand terms for internet security. This is a step in the right direction for user education if you ask me… we just have to get the word out (and hopefully the users actually care about being secure online… if they don’t – well all of this is irrelevant then because they’d ignore it anyway)…
    http://www.us-cert.gov/cas/tips/

  26. Miriam R.

    For those asking for advice here on how to remove Google redirection malware, there are much better resources than random commenters.

    Reinstalling OS and apps won’t do anything for boot-sector infection, but it’s not usually necessary to wipe your hard drive completely.

    Try the bleepingcomputer.com Security forum “Am I infected?” and the Virus, Trojan, Spyware, and Malware Removal Logs forum for experienced assistance. Follow the pinned instructions. They’re probably swamped right now and it may take hours to days to get your answers, but they can provide relatively inexperienced users with tools and advice to get cleaned up safely.

    1. Terry Ritter

      Miriam R.: “Try the bleepingcomputer.com Security forum “Am I infected?” and the Virus, Trojan, Spyware, and Malware Removal Logs forum for experienced assistance.”

      I dispute that advice. I am neither “random” nor anonymous; I do not hide behind an initial, and I carry a two decade reputation in cryptography and security on the Web.

      Modern malware analysis minimizes the distinction between the old “types” of malware, since the same modern malware is distributed in various ways, and operates in various ways. See, for example:

      http://www.zdnet.com/blog/bott/trojans-viruses-worms-how-does-malware-get-on-pcs-and-macs/3491

      The categories are old school, and are just not as significant as they once were.

      For malware recovery, there simply is no alternative to a complete re-install, and that should include a re-format, and a rewrite of the boot sector. No matter what “advice” is given by old-school pages, it is IMPOSSIBLE to know what a bot has done to existing code or data. In general, it is IMPOSSIBLE to restore changes without knowing what has been done. It is IMPOSSIBLE to guarantee that another existing bot will be found, after “removing” a found bot. With modern malware, any guarantee of “restoring” (or even “cleaning”) the original system is IMPOSSIBLE, absent a saved uninfected drive image which can be recovered.

      These are not questionable issues. Encouraging the delusion that an infected system can be restored with just the right incantations (or that it can be protected by finding just the right scanner) is part of the problem, not part of the solution.

      1. george

        Thank you Terry for your contributions, I am of the same opinion that current malware won’t easily leave a warm, cozy, infected computer and a reinstall is the only way. Just wanted to clarify if your statement:

        “For malware recovery, there simply is no alternative to a complete re-install, and that should include a re-format, and a rewrite of the boot sector. ”

        might imply the overwrite of the boot sector is not part of any default OS installation (specifically interested in Win7, Ubuntu Lucid/Natty and PuppyLinux 5.25 frugal).
        I’m usually repartitioning the hard disk during reinstalls – should this guarantee me a clean boot sector is written subsequently, or should I do more (dd if=/dev/zero over the first block?)

        1. Terry Ritter

          @george: “might imply the overwrite of the boot-sector is not part of any default carried OS installation”

          Case 1 (a new drive): Obviously, a boot-sector *must* be written during an install on any raw, new drive.

          Case 2 (an existing drive with prior OS install): How could any new OS install hope to work by depending on some arbitrary existing boot sector contents? Surely a boot-sector write must be the normal case for an OS install.

          “I’m usually repartitioning the harddisk during reinstalls – should this guarantee me a clean boot sector is written subsequently or I should do more”

          On XP, I usually reformat the system drive to FAT32 to avoid the Alternate Data Stream functionality in NTFS. I *assume* this will lead to writing the boot sector as well. I have never really doubted it.

          I *assume* that almost any OS install (especially with new partitioning and formatting) will write the boot sector, at least as an option. But I would be glad to hear otherwise, with a clear description of how an OS could possibly allow that and still expect to work.

          1. george

            Thanks Terry,
            In the old days, when only one OS was supposed to be on a disk, I think the OS install routine did not hesitate to overwrite the Master Boot Record. I am told the DOS version of fdisk would not write a new MBR when (re)partitioning a disk, and fdisk /MBR was used for this purpose during setup. But today a modern OS is expected to be able to coexist with other OS/versions and support multibooting. Perhaps it will not simply overwrite the MBR because it might make another OS unbootable; instead it will read those 512 bytes to check if it’s from Lilo or Grub or some other compatible boot manager and leave it unchanged if it is, just inserting itself into the config files (which are somewhere else in the active partition itself).
            Obviously I’m speculating above, I’ll try to read boot managers documentation to understand better what’s going on, ultimately I want to know to which extent an overwrite of the boot sector can be taken for granted during OS reinstall.

            1. Clive Robinson

              @ George,

              It’s actually not just the MBR you should clean out but the whole of cylinder 0.

              Basically for various reasons you can find by looking at various documentation like that of GRUB, the whole of cylinder 0 was reserved for bootstrap loading.

              IBM was the originator of the partition information in the MBR and it was also once envisaged that this would flow over from the first sector in the first cylinder.

              As we now know malware can hide anywhere in the boot process. A significant failing in this respect on IBM PCs is “expansion card code”: IBM originally reserved memory for hardware cards plugged into the expansion slots to have their own code for initialisation etc. be included with that of the BIOS. The much later PCI spec also included this as well.

              Some operating systems still “respect the BIOS” and leave its code along with any extension code from I/O devices in memory.

              Also manufacturers of “smart devices” have programmable microcontrollers in the batteries to ensure users only buy the OEM replacement batteries (it’s actually illegal in Europe but it’s not stopped the phone makers or Apple).

              A recent article described a researcher who discovered that Apple batteries have a default password built in and has already developed a proof of concept exploit that can brick an Apple battery. Apparently he is looking at the latest Apple OS to see if there is a method by which malware can be put in the battery micro to own any Apple device it gets plugged into.

              Now knowing a little about the “obsessive compulsive disorder” many manufacturers have over consumables such as batteries and game and printer cartridges and the way they often go about such protectionism, I would not be at all surprised if the researcher did find an effective way to put malware onto the micro in the Apple batteries…

              1. Terry Ritter

                @Clive Robinson: “the whole of cylinder 0 was reserved for bootstrap loading.”

                But the execution starts someplace, and if the code there is good, execution never gets to bad stuff. Simply writing valid bootstrap code should be sufficient to not execute beyond that. The extra space might be a place to hide, but something has to vector execution into it before it becomes dangerous.
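As an added illustration of the boot-sector exchange above (constructed here, not code from george, Terry or Clive), this POSIX shell script builds a fake disk image with a hand-written MBR, reads back the 0x55AA signature and partition table the way you would with dd and od on a real drive, and then shows why zeroing only sector 0 is weaker than zeroing the whole area before the first partition. The image path, the planted markers, and the 2048-sector size assumed for that boot area are all constructed assumptions.

```shell
#!/bin/sh
# Added example (constructed; not from any commenter). A disk image with a
# hand-built MBR stands in for a real drive. On real hardware IMG would be a
# block device and the dd writes below are destructive, so keep it on the image.
set -eu

IMG="${IMG:-${TMPDIR:-/tmp}/mbr-demo.img}"   # constructed image file, not a real disk
SECTOR=512
BOOT_AREA=2048   # assumption: boot track = sectors 0..2047 (the 1 MiB before partition 1)

# Build a 4 MiB zero-filled image and plant: a fake boot-code marker in sector 0,
# a "stage 2" marker in sector 1, one partition entry, and the 0x55AA signature.
make_image() {
    dd if=/dev/zero of="$IMG" bs=1024 count=4096 2>/dev/null
    printf 'FAKEBOOT' | dd of="$IMG" bs=1 seek=0   conv=notrunc 2>/dev/null
    printf 'STAGE2'   | dd of="$IMG" bs=1 seek=512 conv=notrunc 2>/dev/null
    # entry 1 at offset 446: status 0x80, CHS start 0, type 0x83, CHS end 0,
    # LBA start 2048 (00 08 00 00 little-endian), size 4096 sectors (00 10 00 00)
    printf '\200\000\000\000\203\000\000\000\000\010\000\000\000\020\000\000' \
        | dd of="$IMG" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$IMG" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# "ok" if bytes 510-511 hold the 0x55AA boot signature, otherwise "missing".
mbr_signature() {
    sig=$(od -An -tx1 -j 510 -N 2 "$IMG" | tr -d ' \n')
    if [ "$sig" = "55aa" ]; then echo ok; else echo missing; fi
}

# Decode partition entry N (1..4) from the 64-byte table at offset 446.
# Prints "status type lba_start size_in_sectors"; LBA fields are little-endian.
mbr_partition() {
    n=$1
    off=$((446 + (n - 1) * 16))
    set -- $(od -An -tu1 -j "$off" -N 16 "$IMG")   # 16 decimal bytes -> $1..$16
    lba=$(( $9 + ${10} * 256 + ${11} * 65536 + ${12} * 16777216 ))
    size=$(( ${13} + ${14} * 256 + ${15} * 65536 + ${16} * 16777216 ))
    printf '%02x %02x %d %d\n' "$1" "$5" "$lba" "$size"
}

# Number of non-zero bytes in the boot area; 0 means nothing is left there.
boot_area_nonzero_bytes() {
    dd if="$IMG" bs=$SECTOR count=$BOOT_AREA 2>/dev/null \
        | od -An -v -tu1 | tr -s ' \n' '\n' | grep -c '^[1-9]' || true
}

# george's "dd over the first block": clears the MBR code and partition table
# but touches nothing after sector 0, where a stage-2 loader (or a bootkit's
# payload) can still sit.
wipe_sector0() {
    dd if=/dev/zero of="$IMG" bs=$SECTOR count=1 conv=notrunc 2>/dev/null
}

# Clive's stronger version: zero the whole boot area before the first partition.
wipe_boot_area() {
    dd if=/dev/zero of="$IMG" bs=$SECTOR count=$BOOT_AREA conv=notrunc 2>/dev/null
}

demo() {
    make_image
    echo "signature: $(mbr_signature)"                              # ok
    echo "partition 1: $(mbr_partition 1)"                          # 80 83 2048 4096
    echo "non-zero bytes before wipe: $(boot_area_nonzero_bytes)"   # 20
    wipe_sector0
    echo "after sector-0 wipe: $(boot_area_nonzero_bytes)"          # 6 (STAGE2 survives)
    wipe_boot_area
    echo "after boot-area wipe: $(boot_area_nonzero_bytes)"         # 0
    rm -f "$IMG"
}

demo
```

The same od/dd reads work against a real device for inspection; the wipe functions are the part that only belongs on a drive you are about to repartition and reinstall anyway.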

  27. Terry Ritter

    @Marcustech: “As I understand it this is the alleged goal of Trusted Computing – the hardware verifies the bios, bootloader and OS are trusted ie bot free. There’s just no-one really pushing for it and consumers don’t understand it.”

    The concept of “trust” in Trusted Computing lies mainly in media distributors NOT HAVING TO “trust” consumers. (From wikipedia.org on Trusted Computing Group):

    “TCG’s original goal was the development of a Trusted Platform Module (TPM), … [an] integrated circuit….”

    “What a TPM does provide in this case is the capability for the OS to lock software to specific machine configurations, meaning that “hacked” versions of the OS designed to get around these restrictions would not work.”

    Joanna Rutkowska and Invisible Things Lab are famous for exposing a whole series of problems in TPM security, including BIOS issues:

    http://invisiblethingslab.com/itl/Resources.html

    The Trusted Computing design is a complex system. Since complexity is the enemy of security, it is hard to accept TC as a serious security proposal.

    At the root, our bot problem is based on the fact that our current equipment design actually supports bot infection. The obvious solution would be for Microsoft and Intel to come up with a simple corrected design which just does not allow infection.

    One possibility would be a new drive definition, in which boot code and data would be protected by the drive controller (independent hardware), instead of a potentially-infected OS. But that would likely require serious changes to Microsoft Windows, and thus be seriously resisted.

  28. Miriam R.

    Terry Ritter is absolutely right, and perhaps needs his own security blog.

    However, the practical consequences of telling everyone with an infected computer that they should nuke their systems…

    If Google has to inform users that they’re infected, what do you think the odds are that they have clean, restorable backups?

    Btw, I have no affiliation with bleepingcomputer.com nor any anti-virus or operating systems vendor. Just a humble sysadmin, cloaking myself in an anonymous initial for security against casual stalkers.

    1. Terry Ritter

      @Miriam R.: “However, the practical consequences of telling everyone with an infected computer that they should nuke their systems…”

      But if not that, what? In real life, sometimes the best that can be done is to select a less-bad alternative.

      1. One bad option is to do nothing, and live with infection.

      2. Another option is to run a security package and do what it says. But we know that even a successful “removal” is no guarantee that all bots have been removed, let alone that data changes have been restored. Thus, this option is delusion, and since when has delusion become an acceptable technical response?

      3. A less-bad option is the OS re-install. Yes, it is tedious and even scary. Data can be lost. Attention is needed. A drive-image is recommended. But in the end at least one gets a trusted system. Of course, that trust may not last long. And there is no way to know when the system has become re-infected because Microsoft does not provide a tool for that.

      4. Another less-bad option is to just stop using Microsoft Windows online. Currently, Mac and Linux are viable options. For most online work, I use free Puppy Linux booted from DVD (I am using it now) and as a result get a clean system every time I reboot. But Netflix streaming seems deliberately unavailable in Linux.

      Or perhaps you have another alternative. But if not, you really need to consider how informing computer owners of the Truth is somehow worse than letting them experience the bite of failed delusion.

  29. Vincent M.

    Maureen- you are absolutely right. After reading further posts that evening I realized that my posted opinion was inadequately expressed. I should have included that my personal rule of thumb is that “If I didn’t go looking for it then don’t click on it”. This is what we all have been taught and Google’s decision to choose that method of notification certainly contradicts that. At the very least Google should have just listed the url along with a reminder to never click on anything that the user did not go looking for.

    Having said that, I have found that efforts lead to mistakes and mistakes are a great indicator of progress.
