Google Warns Users About Active Malware Infection
dinscott writes "Google has begun notifying its users that a particular piece of malware is installed on their computers by showing a big yellow notification above their search results. The warning began popping up yesterday, and does so only for users whose computers have been infected by a particular strain of malware that hijacks search results in order to drive users towards websites that use pay-per-click schemes."
Re: (Score:2, Offtopic)
I got a virus when I was in France and it took three shots of penicillin to clean one that up.
Now that I think about it, the girl who gave me the virus had hairier than average legs, so she might have been Italian... I'm not saying she had hairy legs, but she had dandruff on her shoes.
Re: (Score:1)
Re: (Score:2)
I knew there had to be some explanation.
So, does that mean that gonorrhea is not caused by a virus? Or is it syphilis? Gee, the things you learn on Slashdot. Amazing the level of sexual knowledge among a segment of the population that has only had sex with plush wookie dolls.
Re: (Score:1)
Proxy (Score:5, Insightful)
The malware works by redirecting search queries through a proxy. It should be easy for the proxy to just remove the warning or reroute it so Google can't identify the malware.
Re: (Score:2)
I'm sure this will start an arms race with the malware writers, but I still wouldn't bet against Google.
Re: (Score:1)
Same here. As much as they don't want to "Do no evil", they're also pretty fond of their advertising revenue, which this malware is cutting them from. Somehow, I believe Googl-iath wins this one and David goes home with a sore head.
Re: (Score:2)
I'm sure this will start an arms race with the malware writers, but I still wouldn't bet against Google.
Indeed. Spam filtering of course started a similar arms race, but gmail spam filtering has become so good that spam long ago ceased to be an issue for me -- it's been months since I've seen a false negative or false positive (yes I do still check the spam folder sometimes, out of lingering habit), and my email address is all over the place.
Malware is probably a stickier issue of course, but as you say, it's always risky to bet against Google...
Re: (Score:2)
The malware works by redirecting search queries through a proxy. It should be easy for the proxy to just remove the warning or reroute it so Google can't identify the malware.
It's just another leap in the perpetual game of leapfrog...
I do like the idea though.
Re: (Score:2)
It's trivial to remove javascript, and losing Instant is hardly noticeable. For Google, I'd try randomizing the page and the warning, so the proxy has a hard time parsing it. Change the randomization algorithm once in a while, too.
Re: (Score:2)
If it's being routed through a proxy, they don't even have to identify the warning. They just have to glean the results, adjust them to their liking, and recreate a reasonably google-like results page. I'm surprised the warnings ever got through in the first place.
Re: (Score:2)
No matter if you blacklist or whitelist parts to pass to the client, you still need to parse the page well enough. Randomizing the page might make it hard enough for the fuckhats to implement the parsing, and when they do, Google can make a small change to throw them off again.
Re: (Score:1)
Well, it's not that easy; there is usually a virus/trojan that changes the proxy setting back once you disable it. So, you'll have to run some good antimalware scans.
You also want to check your lmhost file, too, and do a full DNS flush on the infected PC.
Re: (Score:2)
Which is completely irrelevant to the guys running the malware itself updating their proxy to filter the warning message out.
Re: (Score:1)
You really expect him to read your comment with comprehension turned on?
Easy enough to solve (Score:1)
Simply don't return any valid URLs in the results if Google detects a poison proxy.
Even better, have all the URLs be http://www.microsoft.com/security/default.aspx [microsoft.com] or even better http://en.wikipedia.org/wiki/Linux [wikipedia.org] or to be slightly evil^H^H^H^H self-serving http://www.google.com/chromebook/ [google.com] .
Facepalm (Score:1)
The whole point is that the proxy removes Google's results entirely.
A friend of mine had this last week (Score:2)
Nothing seemed to detect it or get rid of it, so she ended up reinstalling the whole OS. It doesn't sound like a particularly new idea, redirecting search, but the proxy aspect might be I suppose.
Re: (Score:2)
Re: (Score:2)
While that's useful information to me, that wouldn't have helped her, as she's not a geek and was receiving remote advice from people via facebook...
Re: (Score:1)
Was she a victim of the malware, then, or a victim of her own design?
Re: (Score:2)
Re: (Score:2)
It's not so much that we couldn't get rid of a virus, but it's an insurance against claims that the machine wasn't clean when the customer gets it back.
It also takes away any worry from the customer about infected files left behind on the drive.
Re: (Score:2)
Full disclosure - while I am a fan and recommend the program to others, I have no connection with the company or devs. Just trying to help.
Re: (Score:2)
1. Boot to safe mode
2. Purge all autoruns.
3. Reboot to normal mode.
Cleaning a windows PC without malware tools is usually really easy, except in the case of rootkits. This approach has the side effect of removing crap-ware installed by manufacturers.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Seems like I'm running across more and more stuff that hides in the Task Scheduler's "At log on" tasklist. Not many people seem to think to look there, and it doesn't appear to show up in a registry search (unless it's one of those {21232f5a1-0b51-521... keys, instead of "task scheduler").
Re: (Score:2)
Task Scheduler tasks are files with a .job extension saved in C:\WINDOWS\TASKS.
Re: (Score:2)
Re: (Score:1)
The malware adds entries into your HOSTS file.
(C:\windows\system32\drivers\etc\hosts)
You'll have to take ownership of the file.
(properties / security / advanced / owner)
Then edit it in notepad to remove the offending redirects.
The hosts file works like a static DNS look up table.
[hostname] [ip]
google.com 133.7.3.57
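The hosts-file check described above, as an added Python example that is not code from the thread: it parses a constructed sample of a hijacked Windows hosts file, tolerates the reversed hostname/IP column order shown in the comment (the real file lists the IP first), and flags any watched search domain mapped to anything other than loopback. The domain watchlist and the sample lines are assumptions.

```python
import ipaddress

# Domains whose hosts-file override is almost never legitimate on an end-user PC (assumed list).
WATCHED_DOMAINS = ("google.com", "bing.com", "yahoo.com")

# Constructed sample of a hijacked Windows hosts file, not a real capture.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       ad.doubleclick.test     # harmless blocking-style entry, not watched
133.7.3.57      google.com www.google.com   # search hijack
google.com 133.7.3.57   # columns reversed, as written in the comment above
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostnames) for each mapping line.

    Trailing '#' comments are stripped and either column order is accepted:
    the token that parses as an IP address is the target, the rest are names.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        ip, names = None, []
        for tok in tokens:
            try:
                ip = ipaddress.ip_address(tok)
            except ValueError:
                names.append(tok.lower().rstrip("."))
        if ip is not None and names:
            yield line_no, ip, names


def _watched(hostname):
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacks(text):
    """Return (line_no, hostname, ip) for watched names mapped anywhere but loopback."""
    hits = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if _watched(name) and not ip.is_loopback:
                hits.append((line_no, name, str(ip)))
    return hits


if __name__ == "__main__":
    for line_no, name, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

On a real machine, read the file at the path given in the comment and pass its contents to `find_hijacks`; an empty result means no watched domain is being redirected through the hosts file (it says nothing about proxy settings or extensions).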
Re: (Score:1)
Found it h
Re: (Score:2)
Found it: his computer probably got infected because he kept going back to a site his scanner warned him was infected, and he'd ignored the warning. *headdesk*
Hey, if it wasn't for people like that half of us wouldn't have jobs! ;)
(I'm a strong advocate for user education and attempt to do so every time I fix someone's system but I also have no qualms about taking their money when they ignore my advice time and time again)
Re: (Score:1)
Awesome! (Score:5, Insightful)
Re: (Score:2)
Same as before. (Score:5, Informative)
Flashback, man.
This is almost 100% the same as the last piece of malware I was asked to remove from three peoples' machines over the course of a couple of months.
It was such a pain in the butt because I spent an hour manually cleaning the registry while using a live CD, looking for the newest modified-time files on the machine, looking for installed "Oh-I'm-so-cool" applications, browser extensions, system libs, etc etc etc.....
In the end, I find out that it was cleaned off after my first registry run key deletion session, but the damn proxy was set in both Mozilla and IE to a remote IP. Now, the proxy is one of the first things I check when there's ad-based or redirectional malware reported.
What's next?
Re: (Score:1)
I've cleaned the same proxy off machines myself.
Then one of those machines got hit again. I figured it was the same thing, but all my fixes were still set up. Turned out it was a bogus Firefox extension with a real-looking name that was doing all the redirection.
Somewhere in there there is a human proxy/redirect joke ...
Re: (Score:2)
The proxy setting will show up - and can be removed with 2 clicks - in a HijackThis [antivirus.com] report. While Trend Micro bought it and supposedly has changed something (not sure what...) HJT remains a useful tool for anyone combating malware and ransomware.
The Firefox extension AC replied about will show up in a log from ComboFix [bleepingcomputer.com] though CFX won't remove the proxy by itself at this point -- perusing a ComboFix log features loads of information about a system and its infections.
Re: (Score:1)
Re: (Score:1)
I'm sure Google is terrified of you blocking them and will now pass all their interface changes and feature changes to you for approval.
Re: (Score:1)
I have to say this may be the arrogant fuck up that makes us look at blocking Google completely.
No, you're wrong. You will be the arrogant fuck up that blocks Google from your 'users.'
Just sayin'.
Re: (Score:2)
What in the heck does this complaint you have about Google have to do with the issue at hand?
Google opted to notify people when requests to them are coming from a malware-based proxy server as a nice tip to let people know when they should check their machine out.
They're not selling anything, they're not pushing you toward anything. They're just notifying you that something known-to-be-bad is happening.
Re: (Score:1)
What in the heck does this complaint you have about Google have to do with the issue at hand?
That currently the malware creators use very similar tactics to infect users (pop-ups advising the user that they are infected, pages that look exactly like a Windows desktop with an infection pop-up, etc.). Users are told to close anything saying they have an infection for this reason.
That they didn't ask anyone if they even wanted this new "feature", like all the features they force down people's throats (Preview, iGoogle Sidebar, etc.).
Re: (Score:2)
Ahhhh... Poor notification. Gotcha.
First thing that hits me is:
1. If you don't tell the proxy malware asses about it, people will get a nifty notification and it will open the eyes of a few not-so-smart ones.
2. If you DO tell people you're doing it, the proxy malware idiots will craft new malware and work around it using new IPs -or- just come up with a new method.
In the end, it's better that Google do nothing and let nature run its course on this. It will anyway. :)
Re: (Score:1)
Clicking on the message to close it (clicking at all) is usually going to deliver the same payload as clicking "OK" --- them being simple image links to sites that will install something via an exploit, hell even seeing the fake warning could mean you're already infected (this stuff gets injected into pages via compromised ad providers, they can just as well embed a pdf/flash zero day and skip the 'clicking' step entirely).
Re: (Score:2)
The message we try to give to users is close it, if you're not comfortable then call us (we do helpdesk support) and we'll jump on remotely and check for any infection.
Yes, you're right, there are plenty of times an infection can't be avoided, but there are times when it can be, simply by hitting the X in the top right corner.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Friday Night Virus Fight (Score:3, Informative)
I picked up that strain on my desktop PC Friday night. Weirdest thing. It started out by popping up a window (that I thought was Windows Defender) indicating I had a trojan. Might even have been from Defender; it would close right away... Anyway, I started with safe-mode boot, Ad-Aware and Spybot, no dice. I ended up installing Norton Network Security, and it couldn't find it. I had to run Norton Power Eraser. Crazy. A commercial virus scanner that can't find viruses.
It installs itself in the MBR as a rootkit; the proxy may even be local on the PC, downloaded on start-up.
I seem to be infected with something like this (Score:2)
When I click on a Google search result I usually don't get there anymore, and my antivirus software (Malwarebytes) reports that it blocked an outgoing request to a website and gives the IP address. Sometimes I'm redirected without Malwarebytes blocking the request and end up in another search engine. Once it was Bing!
Malwarebytes can't seem to remove WTF is going on. Oh and I don't get a Google popup either.
Even more helpful would be... (Score:2)