Google Warns Users Of Malware On Search Pages

Google search users infected with malware will likely be treated to a warning that will read, “Your computer appears to be infected,” coupled with a link that leads to information on how users can remediate the problem.

The search giant first initiated its new endeavor after it discovered some a strain of malware infecting Windows machines when it took one of its data center servers offline during a routine maintenance check.

“After collaborating with security engineers at several companies that were sending this modified traffic, we determined that the computers exhibiting this behavior were infected with a particular strain of malicious software, or ‘malware,’” said Damian Menscher, Google security engineer in a blog post. “As a result of this discovery, today some people will see a prominent notification at the top of their Google Web search results.”

Menscher discovered that more than a million Microsoft Windows machines were infected with a strain of malware designed to hijack search results when users entered keywords in queries over Google and other search engines, according to security blogger Brian Krebs . While legitimate search traffic was redirected, the original IP still received thousands of requests per second. Menscher discovered that the malware instructed infected PCs to contact a specific Google Internet address to see if the systems were still online.

Menscher found that the malware intercepts traffic en route to search engines like Google, Yahoo or Bing, and redirects it through intermediate proxy servers controlled by the attackers, Menscher said. The malware then appears on victims’ computers as fake antivirus or “scareware” programs that attempt to trick users into buying bogus security software after conducting a phony security scan.

However, the traffic stemming from the infected machines also has a unique signature, which allows Google to detect and alert users to its presence.

“We hope that by taking steps to notify user whose traffic is coming through these proxies, we can help them update their antivirus software and remove the infections,” he said. “We hope to use the knowledge we’ve gathered to assist as many people as possible.”

Users who don’t see the notification have the option of running a system scan on their computers by following directions in its Help Center.

Chris Larsen, senior malware researcher for BlueCoat Systems, applauded Google’s effort to flag users potentially infected with malware.

“These days when you’re infected, you don’t know visually,” he said. “If you do, you would immediately panic and try to fix things.”

However, Larsen contended that while Google’s intentions were good, the effort could also be exploited by cyber criminals who could ostensibly lure victims by creating fake malware warnings. Users would unknowingly download malware by clicking on the link that they thought would lead to the remediation of the malicious code.

Google said its banners are embedded directly in the search page, making it impossible for a third party to recreate them.

“While bad guys would not be able to create a banner, they could certainly dummy up a fake page that included a fake banner,” Larsen said.

“They can take you to a site and display a fake Google search result,” he said, adding, “I never underestimate the ingenuity and creativity of the bad guys.”