Using data to protect people from malware

Tuesday, July 19, 2011 4:57 PM



(Cross-posted from the Official Google Blog)

The Internet brings remarkable benefits to society. Unfortunately, some people use it for harm and their own gain at the expense of others. We believe in the power of the web and information, and we work every day to detect potential abuse of our services and ward off attacks.

As we work to protect our users and their information, we sometimes discover unusual patterns of activity. Recently, we found some unusual search traffic while performing routine maintenance on one of our data centers. After collaborating with security engineers at several companies that were sending this modified traffic, we determined that the computers exhibiting this behavior were infected with a particular strain of malicious software, or “malware.” As a result of this discovery, today some people will see a prominent notification at the top of their Google web search results:


This particular malware causes infected computers to send traffic to Google through a small number of intermediary servers called “proxies.” We hope that by taking steps to notify users whose traffic is coming through these proxies, we can help them update their antivirus software and remove the infections.

We hope to use the knowledge we’ve gathered to assist as many people as possible. In case our notice doesn’t reach everyone directly, you can run a system scan on your computer yourself by following the steps in our Help Center article.

Updated July 20, 2011: We've seen a few common questions we thought we'd address here:
  • The malware appears to have gotten onto users' computers from one of roughly a hundred variants of fake antivirus, or "fake AV" software that has been in circulation for a while. We aren't aware of a common name for the malware.
  • We believe a couple million machines are affected by this malware.
  • We've heard from a number of you that you're thinking about the potential for an attacker to copy our notice and attempt to point users to a dangerous site instead. It's a good security practice to be cautious about the links you click, so the spirit of those comments is spot-on. We thought about this, too, which is why the notice appears only at the top of our search results page. Falsifying the message on this page would require prior compromise of that computer, so the notice is not a risk to additional users.
  • In the meantime, we've been able to successfully warn hundreds of thousands of users that their computer is infected. These are people who otherwise may never have known.

37 comments:

Mecandes said...

It's too bad that the malware folks in the world already use "your computer appears to be infected" messages to trick people into installing malicious software. Tomorrow, the bad guys will copy the format and appearance of Google's version of the message, to leverage the trust people have in Google. Perhaps Google needs something akin to the Yahoo personalized "sign-in seal" for moments like this?

DanH said...

I'm with Mecandes on this. For as long as I've been on the internet, there have been messages like this floating around that will actually GIVE you a virus. If I saw that message without reading this blogpost, I would assume the message was fake.

Chad said...

The difference is that this message is on the Google page, whereas the 'fake' ones are typically in some banner or other shady webpage.

If malware is putting messages on your Google page telling you that you have malware, I say let them go for it.

aelfwyne said...

I agree, this is too much like those phishing virus/trojans that claim your computer is infected.

What it SHOULD say is:

Your computer is infected. Shut it down now, take it to your best geek buddy, buy him a venti nonfat triple espresso, and ask HIM to fix it, because you can't trust links like this, and your judgment is impaired otherwise you'd never have gotten infected in the first place.

rpauli said...

Wait..."some people use it for harm and their own gain at the expense of others."

... gosh. I plan to stay alert for that.

Raoul Teeuwen said...

Thanks Google team! Keep improving the service... Sure, Mecandes and other commenters are right in that for lots of end users it is confusing as the bad guys also use a similar message. But it's always easier to comment on stuff, and at least this Google team is trying...

Jim Seward said...

Now....If I was these dodgy people sending you via proxies, one of them would send you to a page that looked exactly like Google, with the message on and ask them to click here to remove the message. Pretty easy to even make the Google search work due to the APIs available....

In fact, I'd set up 100 pages exactly the same across hundreds of spammy domains so as soon as one got shut down, I could switch to another

thankfully I'm not that way inclined

Friedrich said...

I would remove the link "Learn how to fix this". Most people who don't know how to remove malware won't learn by reading a webpage. Malware developers will soon copy your Google imagery and transform that link into a malware link. If you have malware running in your computer, the best advice is to shut it down and take it to your best geeky friend to fix it! (Or pay for it!). (As aelfwyne said ...)

Vincent said...

They most certainly will fake it and those who do trust the fakes will do so without checking the URL.

Rob Carlson said...

Does this malware have a name?

Koos said...

Is it also possible to notify the abuse@ address for the IP space? In certain networks (for example universities) this gives a better chance of the right system and user being traced and cleanup being done.

paul said...

This is stupid. Great idea, very, very poor execution. This is only going to confuse people. Ridiculous.

R&T Computers said...

I run a computer repair shop and see this stuff all the time. So far, I foresee this as "someone lighting a match and yelling fire". I have found a post from Google stating that it is simply altering the hosts file. This is very short on details.

Where is the bug coming from?
What put the line(s) in the hosts file?

All they are listing that I have found so far is the symptoms of the cold but not the cold. If anyone has any more details, please email me ASAP at rtcomp@gmail.com
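An added example, not part of the original post or its comments and not Google's code: the comment above says the infection alters the hosts file, and this Python check shows one way a defender could scan a hosts file for entries that pin search hostnames to an unexpected address. The watched-domain list, the function name and the sample file contents are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: domains worth watching; extend for your environment.
WATCHED_SUFFIXES = ("google.com", "google.co.uk")

def suspicious_hosts_entries(text, watched=WATCHED_SUFFIXES):
    """Return (line_no, address, hostname) for hosts-file entries that map a
    watched hostname to an address that is not loopback or unspecified."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                              # address with no hostnames
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # first field is not an IP literal
        # Loopback and 0.0.0.0 entries are typical of local block lists,
        # not of redirection to a remote server.
        if addr.is_loopback or addr.is_unspecified:
            continue
        for name in fields[1:]:
            host = name.lower().rstrip(".")
            if any(host == d or host.endswith("." + d) for d in watched):
                findings.append((line_no, str(addr), host))
    return findings

# Constructed sample; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges (RFC 5737), not real proxy addresses.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.google.com google.com   # not added by the user
203.0.113.10    WWW.Google.co.uk
0.0.0.0         ads.example.net
198.51.100.7    www.google.com.lookalike.example  # other domain, not matched
"""

if __name__ == "__main__":
    # On Windows the real file lives under the System32 drivers/etc folder;
    # on Linux and macOS it is /etc/hosts.
    for line_no, addr, host in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {addr}")
```

A clean result only rules out this one redirection method; it says nothing about proxy settings or other changes the malware may have made.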

Handy said...

Hey Damian,
I'm a Xoogler (AdWords Risk) with an idea about this based on some things I've been seeing in my current industry. I love your work on this but would prefer to keep my input private, please email me at jackhanlon at gmail so we could speak more.

Kudos on the great work.

Best,
Jack

Joe Blow said...

Does anyone know of a list of the IP addresses of the malware proxies?

Mr Nice Guy said...

I’m glad I’m not the only one who sees a problem with this. It’s a good idea, but I think it’ll confuse your average user and may help SPREAD malware, doing little to eliminate it.

On one hand I’m inclined to agree with the previous poster who suggested that the link to fix the problem should be removed. On the other hand, I’m wondering if the notification bar is just a bad idea in general. I like what Google is trying to do, and I can see the good intentions, but it certainly doesn’t seem like it was thought through very well.

Kat said...

remember how these ppl got infected to begin with, was clicking on a link telling them they were infected... that's who it's aimed at. Google is also far more trusted than most other sites anyway so it will definitely encourage ppl to try to do something about it.

I think this can only be positive.

Lucid said...

The fact that people still get malware/viri to this day amazes me.

Matthew Cline said...

What do the attackers gain by sending Google traffic through proxies? Seems like a weird sort of attack.

R&T Computers said...

Update: So far from what I am seeing, this thing is altering the Google proxy so that it sends you to a Malware site.

When you do a search, it sends you to the Google proxy IP then just before doing the search, changes the search string and lists the Malware sites in a way to let you think that you're going to good sites.

Please correct me if I am wrong. I am still researching this and the more info the better.

Michael Kennedy said...

@Lucid-

Some people still don't change their oil. What about people getting malware/viruses is surprising to you?

Gnelg said...

The pop-up, while nice that Google is trying to help, is at best vague and unhelpful for the very reasons others above have listed.

The biggest problem is not with the pop-up, but instead with the Blog Post itself. It says nothing.

What malware is it detecting?! What strain, give us the popular names that the security community is using for the malware.

There are literally hundreds of new malware/virii released into the wild every day.

You don't need to provide exact details in the pop-up but at least be complete with your research and dissemination of the information.

Damian Menscher said...

Thanks to everyone for the comments and discussion. I've updated the post with some additional details to address the most common questions.

Phil Lembo said...

Rebuilt my kids' machine over the weekend as a result of this. Real anti-virus and anti-malware was useless because it didn't match on any existing definition. In our case it called itself "Windows Security Center 2011". In our case, by the time Google's pop up would have appeared, it would have been too late. Unfortunately I don't think this is something Google can affect (but thanks for trying). The problem is with a desktop system so poorly designed from a security standpoint that it facilitates a takeover by browser borne code. Here, as in most computer security cases "the best defense is a *real* defense."

Mr Nice Guy said...

On point three you are dealing with technicalities about where you place the warning on the Google page, and what it would take to compromise the warning on the Google page. True, the actual Google notice isn’t a risk to additional users. But what about fake notices that look like the Google alert on other web sites. Because this comes from Google, and people have some degree of trust in the Google brand, people will have less reluctance to click in the link in your notice.

Before if someone were to see a fake AV ad that associates itself with Google, it could be rejected immediately. But now, a fake AV ad making that claim might seem more believable, because people will know that Google does in fact offer that service. Not only that, Google has established a visual design that furthers that degree of trust. This has never been the case before. Think of it from the view of an average web surfer who encounters a forged ad on some 3rd party web site. Sure, they’re not on the Google page, but hey, it looks like the Google Ad, It Says it’s from Google, and they know Google does this kind of thing (and may not know it’s only valid on the Google page). So it’s *click*, and game over.

I’m glad to hear you’ve helped hundreds of thousands of users, but I don't know that I'd go as far as saying that the notice is not a risk to additional users.

Jon Fleming said...

Mr. Lembo and others, my extensive experience indicates that Malwarebytes AntiMalware (http://www,malwarebytes.org) is currently the best tool around for killing fake AV. In most cases it just runs and kills the fake. Sometimes it requires some trickery such as renaming the installer and/or executable. In extreme cases it requires manual fixes to re-enable safe mode before installing and running. I carry some .reg files with me; http://blog.didierstevens.com/2007/02/19/restoring-safe-mode-with-a-reg-file/.

(links purposefully not active)

Amnon said...

I'm sorry to say this, but one way to get confronted with an attempt to install this Fake AV software is by browsing for picture results with Google. The pictures in the search result do not open the picture in question, but instead open a fake virus detection notice box and immediately start a fake scan of what seems to be your own hard drive and files. You can not close the Internet Explorer tab and you have to kill IE to get rid of it. If you fail to do so or follow through with what they tell you to do, you will get that Fake AV malware installed. It's time that Google does something about these fake picture found results that have been manipulated to land you on a malware site. It's also time that Microsoft changes IE so that it becomes less susceptible to these kind of attacks, but that counts for the other browsers as well.

R&T Computers said...

Amnon, I have seen that 1000s of times. Have you found it to be only IE and if so what version?

Joaz said...

At first I got scared. "I said Google showing such a message" then thanx to this post. My doubts were clear.

Mike P. said...

1) Fake AV pages are rampant. The fact that they are on pages with odd URLS does not matter, people don't pay attention. Plus, there are lots of ways to hide the URL, or make it look reasonable.

2) Google is a terrific source of hacking data and always has been. Until they borked the svn server, google code held a list of known password drop boxes. At least a third, and probably more phished passwords transit Google. However, these are for non-Google hacked accounts. As soon as Google is somewhat threatened, though, they spring into action. With an ill-conceived plan. Not impressed, folks.

Roidsear said...

Very nice, but I think this should definitely be made more public: If someone sees this message he might think it's fake.
Why not post a notice on the normal Google start page about this feature?
I think most people would appreciate this.

R&T Computers said...

This is just an off the wall idea. I don't know how much of a load it would be on the servers but there are "blacklist" sites out there... I use WOT on my Firefox if you've never seen it... www.mywot.com

Maybe a flag (red yellow green or something) when a link is on a blacklist?

I am planning something like this on a local access point that's in the works here

Avinash Agrawal said...

Can google provide a Chrome USB stick, that user can boot his windows computer off of, so that computer becomes a Chrome computer.

Henry Hertz Hobbit said...

That link "Learn how to fix this" needs to be removed. I would not be surprised that the hackers have already made something that looks just like it with that link going to something malicious. A warning that the machine is compromised and they need the machine cleansed by a geek and new AV software installed is enough. Do not provide links and make that an established principle of these warnings.

Noneya Business said...

Silly rabbits! Google isn't doing this to let the end user know that they might be infected. One commenter even pointed out the fact that a/v software can not remediate an unknown infection. Google is telling the attackers in a polite way to knock it off before google lays a smack down. I'm sure that the google team has been aware of this packet interception and manipulation for some time. They have collected the necessary identifying information and decided to play cat and mouse for fun. Google has resources that vastly overshadow even some governments. A group of hackers isn't a direct threat to google, hence the polite "Hey, we know who you are and what you're up to. Knock it off!"

Ed Coyne said...

This should surely help my business. One obstacle in winning new customers is that people just don't know their computers are infected. This may help to overcome that.

asdfghjklqwertyuiopzxcvbnm said...

my google is hacked.
whenever i search for any thing on google.co.uk it goes on to a different sometimes dangerous site. please help.