Google alerts infected users that they've been compromised
- By William Jackson
- Jul 21, 2011
After finding evidence on its own servers that malicious code apparently is redirecting search queries from some users, Google has begun returning a warning along with its search results to those who have been infected.
Users who have been compromised will see a yellow banner at the top of the search results that warns, “Your computer appears to be infected,” and includes a link to information on cleaning up the infection. Although the role of Internet service providers in protecting customers has been debated for years, this is one of the first times a third-party content provider has taken upon itself the responsibility for alerting users to infections on their machines.
“Google is to be applauded,” said Chris Larsen, senior malware researcher at Blue Coat Systems.
But that does not mean there is no downside. Security alerts from fake antivirus vendors have become a popular vector for luring victims to download worthless or malicious software, so there is the possibility that users will be suspicious of the Google alert, or that the bad guys will take advantage of it by counterfeiting it.
Google is aware of the risk. “We thought about this, too, which is why the notice appears only at the top of our search results page,” security engineer Damian Menscher said in a company blog posting announcing the program. “Falsifying the message on this page would require prior compromise of that [the user’s] computer, so the notice is not a risk to additional users.”
Google announced the program July 19, after discovering what it called an unusual pattern of activity while doing maintenance on a server. The unusual traffic was being routed to Google through a small number of proxy servers.
“After collaborating with security engineers at several companies that were sending this modified traffic, we determined that the computers exhibiting this behavior were infected with a particular strain of malicious software, or ‘malware,’” Menscher wrote in the blog. “As a result of this discovery, today some people will see a prominent notification at the top of their Google Web search results.”
Menscher wrote that the malware apparently was delivered to victims’ computers through a fake antivirus scheme and that it has been in circulation for a while. (Although Google issues the alerts with search results, the malware has nothing to do with searches.) As many as several million machines could be infected.
Advice offered to users includes installing and updating antivirus software, scanning their computers and removing any detected malware. For users without antivirus software there is a warning to avoid fake antivirus tools.
“Common examples that you should not install include ‘My Security Shield,’ ‘Security Master AV,’ and ‘CleanUp Antivirus.’ Before choosing to install any software, look online for reviews or forum posts to make sure that the software is not a malicious program.”
Google has not released details of the malware, but Larsen speculated that by redirecting Google requests through a proxy, the search query could be manipulated to produce results that could direct traffic to selected sites. Because the query would be manipulated before it reached Google, it would not require gaming the search engine itself or directly manipulating the results.
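The detection described above rests on a traffic pattern: a handful of proxy addresses forwarding queries on behalf of many unrelated machines. The following is an added example, written for this article and not Google's own detection code, that shows how a search-service operator might surface that pattern from its own request logs. The log format, the presence of a per-browser client identifier (standing in for something like a hashed cookie) and the thresholds are all assumptions.

```python
"""Flag source IPs that relay search queries for many distinct clients.

Added example: the log format, the client_id field and the thresholds are
assumptions for illustration, not Google's detection logic.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not real data): "<time> <source_ip> <client_id> <query>".
# client_id stands in for a per-browser identifier that lets the same client be
# recognised across requests; 203.0.113.7 plays the role of a relaying proxy.
SAMPLE_LOG = """\
12:00:01 198.51.100.10 c-a1 weather boston
12:00:02 198.51.100.11 c-b2 python tutorial
12:00:03 203.0.113.7 c-c3 cheap flights
12:00:03 203.0.113.7 c-d4 best laptop 2011
12:00:04 198.51.100.10 c-a1 weather boston tomorrow
12:00:04 203.0.113.7 c-e5 antivirus download
12:00:05 203.0.113.7 c-f6 news
12:00:05 198.51.100.12 c-g7 recipe chicken
12:00:06 203.0.113.7 c-h8 movie times
12:00:06 203.0.113.7 c-i9 used cars
12:00:07 203.0.113.7 c-c3 cheap flights europe
"""


@dataclass
class SourceStats:
    """Per-source-IP counters: total requests and distinct client identifiers."""
    requests: int = 0
    clients: set = field(default_factory=set)


def parse_line(line):
    """Split one constructed log line into (source_ip, client_id, query).

    Returns None for malformed lines so a bad record cannot abort the scan.
    """
    parts = line.split(maxsplit=3)
    if len(parts) < 4:
        return None
    _time, src_ip, client_id, query = parts
    return src_ip, client_id, query


def aggregate(lines):
    """Count requests and distinct clients per source IP."""
    stats = defaultdict(SourceStats)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src_ip, client_id, _query = parsed
        entry = stats[src_ip]
        entry.requests += 1
        entry.clients.add(client_id)
    return stats


def find_suspected_proxies(lines, min_requests=5, min_clients=4):
    """Return source IPs that look like shared relays.

    A single browser behind one address produces many requests but one
    client id; an address forwarding traffic for many infected machines
    shows many requests AND many distinct client ids.
    """
    stats = aggregate(lines)
    return sorted(
        ip for ip, entry in stats.items()
        if entry.requests >= min_requests and len(entry.clients) >= min_clients
    )


if __name__ == "__main__":
    for ip in find_suspected_proxies(SAMPLE_LOG.splitlines()):
        entry = aggregate(SAMPLE_LOG.splitlines())[ip]
        print(f"{ip}: {entry.requests} requests from {len(entry.clients)} clients")
```

Run as a script it prints the one constructed relay address with its counts. A hit from this heuristic is only a lead, not a verdict: a corporate NAT gateway or a legitimate forward proxy produces the same signature, which is why the article's account has Google confirming the infection with the engineers at the companies sending the modified traffic before showing any warning.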
But the validity of its results is Google’s bread and butter, and the company is actively warning users of the problem.
Larsen said that the Google warning is not foolproof and could be exploited by bad guys.
“We would expect that, yes, someone eventually will game the system,” he said. Alerts that appear in the browser can be easily abused, but this avenue is the only one open to Google and the odds are the genuine alerts will help more people.
“The balance is, overall, this is a good thing,” Larsen said. “They are doing the best they can and it’s a valuable service.”
William Jackson is a Maryland-based freelance writer.