(Cross-posted from the Official Google Blog)
The Internet brings remarkable benefits to society. Unfortunately, some people use it for harm and their own gain at the expense of others. We believe in the power of the web and information, and we work every day to detect potential abuse of our services and ward off attacks.
As we work to protect our users and their information, we sometimes discover unusual patterns of activity. Recently, we found some unusual search traffic while performing routine maintenance on one of our data centers. After collaborating with security engineers at several companies that were sending this modified traffic, we determined that the computers exhibiting this behavior were infected with a particular strain of malicious software, or “malware.” As a result of this discovery, today some people will see a prominent notification at the top of their Google web search results:
This particular malware causes infected computers to send traffic to Google through a small number of intermediary servers called “proxies.” We hope that by taking steps to notify users whose traffic is coming through these proxies, we can help them update their antivirus software and remove the infections.
We hope to use the knowledge we’ve gathered to assist as many people as possible. In case our notice doesn’t reach everyone directly, you can run a system scan on your computer yourself by following the steps in our Help Center article.
Updated July 20, 2011: We've seen a few common questions we thought we'd address here:
- The malware appears to have gotten onto users' computers from one of roughly a hundred variants of fake antivirus, or "fake AV" software that has been in circulation for a while. We aren't aware of a common name for the malware.
- We believe a couple million machines are affected by this malware.
- We've heard from a number of you that you're thinking about the potential for an attacker to copy our notice and attempt to point users to a dangerous site instead. It's a good security practice to be cautious about the links you click, so the spirit of those comments is spot-on. We thought about this, too, which is why the notice appears only at the top of our search results page. Falsifying the message on this page would require prior compromise of that computer, so the notice is not a risk to additional users.
- In the meantime, we've been able to successfully warn hundreds of thousands of users that their computer is infected. These are people who otherwise may never have known.
It's too bad that the malware folks in the world already use "your computer appears to be infected" messages to trick people into installing malicious software. Tomorrow, the bad guys will copy the format and appearance of Google's version of the message, to leverage the trust people have in Google. Perhaps Google needs something akin to the Yahoo personalized "sign-in seal" for moments like this?
ReplyDeleteI'm with Mecandes on this. For as long as I've been on the internet, there have been messages like this floating around that will actually GIVE you a virus. If I saw that message without reading this blogpost, I would assume the message was fake.
ReplyDeleteThe difference is that this message is on the Google page, where as the 'fake' ones are typically in some banner or other shady webpage.
ReplyDeleteIf malware is putting messages on your Google page telling you that you have malware, I say let them go for it.
I agree, this is too much like those phishing virus/trojans that claim your computer is infected.
ReplyDeleteWhat it SHOULD say is:
Your computer is infected. Shut it down now, take it to your best geek buddy, buy him a venti nonfat tripple espresso, and ask HIM to fix it, because you can't trust links like this, and your judgment is impaired otherwise you'd never have gotten infected in the first place.
Wait..."some people use it for harm and their own gain at the expense of others."
ReplyDelete... gosh. I plan to stay alert for that.
Thanks Google team! Keep improving the service... Sure, Mecandes and other commenters are right in that for lots of end users it is confusing as the bad guys also use a similar message. But it's always easier to comment on stuff, and at least this Google team is trying...
ReplyDeleteNow....If I was these dodgy people sending you via proxies, one of them would send you to a page that looked exactly like Google, with the message on and ask them to click here to remove the message. Pretty easy to even make the Google search work due to the APIs available....
ReplyDeleteIn fact, I'd set up 100 pages exactly the same across hundreds of spammy domains so as soon as one got shut down, I could switch to another
thankfully I'm not that way inclined
I would remove the link "Learn how to fix this". Most people who know don't know how to remove malware, won't learn by reading a webpage. Malware developers will soon copy your google imagery transform that link in a malware link.If you have malware running in your computer, the best advice is to shut it down and take it to your best geeky friend to fix it! (Or pay for it!). (As aelfwyne said ...)
ReplyDeleteThey most certainly will fake it and those who do trust the fakes will do so without checking the URL.
ReplyDeleteDoes this malware have a name?
ReplyDeleteIs it also possible to notify the abuse@ address for the IP space? In certain networks (for example universities) this gives a better chance of the right system and user being traced and cleanup being done.
ReplyDeleteThis is stupid. Great idea, very, very poor execution. This is only going to confuse people. Ridiculous.
ReplyDeleteI run a computer repair shop and see this stuff all the time. So far, I for see this as "someone lighting a match and yelling fire". I have found a post from Google stating that it is simply altering the hosts file. This is very sort on details.
ReplyDeleteWhere is the bug coming from?
What put the line(s) in the hosts file?
All they are listing that I have found so far is the symptoms of the cold but not the cold. If anyone has any more details, please email me ASAP at rtcomp@gmail.com
Hey Damian,
ReplyDeleteI'm a Xoogler (AdWords Risk) with an idea about this based on some things I've been seeing in my current industry. I love your work on this but would prefer to keep my input private, please email me at jackhanlon at gmail so we could speak more.
Kudos on the great work.
Best,
Jack
Does anyone of a list of the IP addresses of the malware proxies?
ReplyDeleteI’m glad I’m not the only one who sees a problem with this. It’s a good idea, but I think it’ll confuse your average user and may help SPREAD malware, doing little to eliminate it.
ReplyDeleteOn one hand I’m inclined to agree with the previous poster who suggested that the link to fix the problem should be removed. On the other hand, I wondering if the notification bar is just a bad idea in general. I like what Google is trying to do, and I can see the good intentions, but it certainly doesn’t seem like it was thought through very well.
remember how these ppl got infected to begin with, was clicking on an a link telling them they were infected... that's who it's aimed at. Google is also far more trusted than most other sites anyway so it will definatly encourage ppl to try to do something about it.
ReplyDeleteI think this can only be positive.
The fact that people still get malware/viri to this day amazes me.
ReplyDeleteWhat do the attackers gain by sending Google traffic through proxies? Seems like a weird sort of attack.
ReplyDeleteUpdate: So far from what I am seeing, this thing is altering the Google proxy so that it sends you to a Malware site.
ReplyDeleteWhen you do a search, it sends you to the Google proxy IP then just before doing the search, changes the search string and lists the Malware sites in a way to let you think that your going to good sites.
Please correct me if I am wrong. I am still researching this and the more info the better.
@Lucid-
ReplyDeleteSome people still don't change their oil. What about people getting malware/viruses is surprising to you?
The pop-up, while nice that Google is trying to help, is at best vague and unhelpful for the very reasons others above have listed.
ReplyDeleteThe biggest problem is not with the pop-up, but instead with the Blog Post itself. It says nothing.
What malware is it detecting?! What strain, give us the popular names that the security community is using for the malware.
There are literally hundreds of new malware/virii released into the wild every day.
You don't need to provide exact details in the pop-up but at least be complete with you research and dissemination of the information.
Thanks to everyone for the comments and discussion. I've updated the post with some additional details to address the most common questions.
ReplyDeleteOn point three you are dealing with technicalities about where you place the warning on the Google page, and what it would take to compromise the warning on the Google page. True, the actual Google notice isn’t a risk to additional users. But what about fake notices that look like the Google alert on other web sites. Because this comes from Google, and people have some degree of trust in the Google brand, people will have less reluctance to click in the link in your notice.
ReplyDeleteBefore if someone were to see a fake AV ad that associates itself with Google, it could be rejected immediately. But now, a fake AV add making that claim might seem more believable, because people will know that Google does in fact offer that service. Not only that, Google has established a visual design that furthers that degree of trust. This has never been the case before. Think of it from the view of an average web surfer who encounters a forged ad on some 3rd party web site. Sure, they’re not on the Google page, but hey, it looks like the Google Ad, It Says it’s from Google, and they know Google does this kind of thing (and may not know it’s only valid on the Google page). So it’s *click*, and game over.
I’m glad to hear you’ve helped hundreds of thousands of users, but I don't know that I'd go as far as saying that the notice is not a risk to additional users.
Mr. Lembo and othres, my extensive experience indicates that Malwarebytes AntiMalware (http://www,malwarebytes.org) is currently the best tool around for killing fake AV. In most cases it just runs and kills the fake. Sometimes it requires some trickery such as renaming the installer and/or executable. In extreme cases it requires manual fixes to re-enable safe mode before installing and running. I carry some .reg files with me; http://blog.didierstevens.com/2007/02/19/restoring-safe-mode-with-a-reg-file/.
ReplyDelete(links purposefully not active)
I'm sorry to say this, but one way to get confronted with an attempt to install this Fake AV software is by browsing for picture results with Google. The pictures in the search result do not open the picture in question, but instead open a fake virus detection notice box and immediately start a fake scan of what seems to be your own hard drive and files. You can not close the Internet Explorer tab and you have to kill IE to get rid of it. If you fail to do so or follow through with what they tell you to do, you will get that Fake AV malware installed. It's time that Google does something about these fake picture found results that have been manipulated to land you on a malware site. It's also time that Microsoft changes IE so that it becomes less susceptible to these kind of attacks, but that counts for the other browsers as well.
ReplyDeleteAmnon, I have seen that 1000s of times. Have you found it to be only IE and if so what version?
ReplyDeleteAt first i got scared. "I said Google showing such a message" then thanx to this post. My doubts were clear.
ReplyDelete1) Fake AV pages are rampant. The fact that they are on pages with odd URLS does not matter, people don't pay attention. Plus, there are lots of ways to hide the URL, or make it look reasonable.
ReplyDelete2) Google is a terrific source of hacking data and always has been. Until they borked the svn server, google code held a list of known password drop boxes. At least a third, and probably more phished passwords transit Google. However, these are for non-Google hacked accounts. As soon as Google is somewhat threatened, though, they spring into action. With an ill-conceived plan. Not impressed, folks.
Very nice, but I think this should definately be made more public: If someone sees this message he might think it's fake.
ReplyDeleteWhy not post a notice on the normal Google start page about this feature?
I think most people would appericiate this.
This is just an off the wall idea. I don't know how much of a load it would be on the servers but there are "blacklist" sites out there... I use WOT on my firefiox if you've never seen it... www.mywot.com
ReplyDeleteMay a flag (red yellow green or something) when a link is on a blacklist?
I am planing something like this on a local access point that's in the works here
Can google provide a Chrome USB stick, that user can boot his windows computer off of, so that computer becomes a Chrome computer.
ReplyDeleteThat link "Learn how to fix this" needs to be removed. I would not be surprised that the hackers have already made something that looks just like it with that link going to something malicious. A warning that the machine is compromised and they need the machine cleansed by a geek and new AV software installed is enough. Do not provide links and make that an established principle of these warnings.
ReplyDeleteSilly rabbits! Google isn't doing this to let the end user know that they might be infected. One commenter even pointed out the fact that a/v software can not remediate an unknown infection. Google is telling the attackers in a polite way to knock it off before google lays a smack down. I'm sure that the google team has been aware of this packet interception and manipulation for some time. They have collected the necessary identifying information and decided to play cat and mouse for fun. Google has resources that vastly overshadow even some governments. A group of hackers isn't a direct threat to google, hence the polite "Hey, we know who you are and what you're up to. Knock it off!"
ReplyDeleteThis should surely help my business. One obstacle in winning new customers is that people just don't know their computers are infected. This may help to overcome that.
ReplyDeletemy google is hacked.
ReplyDeletewhenever i search for any thing on google.co.uk it goes on to a different sometimes dangerous site. please help.