Slashdot Mirror
Google Warns Users About Active Malware Infection
dinscott writes "Google has begun notifying its users that a particular piece of malware is installed on their computers by showing a big yellow notification above their search results. The warning begun popping up yesterday, and does so only for users whose computers have been infected by a particular strain of malware that hijacks search results in order to drive users towards websites that use pay-per-click schemes."
The malware works by redirecting search queries through a proxy. It should be easy for the proxy to just remove the warning or reroute it so Google can't identify the malware.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
Nothing seemed to detect it or get rid of it, so she ended up reinstalling the whole OS. It doesn't sound like a particularly new idea, redirecting search, but the proxy aspect might be I suppose.
I bet Malware authors are already copying these messages in order to trick people into installing scareware.
This typically was referred to as the "Scour" virus. The current definitions of Malwarbytes will nuke it pretty well.
Flashback, man.
This is almost 100% the same as the last piece of malware I was asked to remove from three peoples' machines over the course of a couple of months.
It was such a pain in the butt because I spent an hour manually cleaning the registry while using a live CD, looking for the newest modified-time files on the machine, looking for installed "Oh-I'm-so-cool" applications, browser extensions, system libs, etc etc etc.....
In the end, I find out that it was cleaned off after my first registry run key deletion session, but the damn proxy was set in both Mozilla and IE to a remote IP. Now, Proxy is one of the first things I check with there's ad-based or redirectional malware reported.
What's next?
You mean exactly what creators of Malware do today to scare users into installing malicious software??? We've tried to train users for YEARS to instantly close anything saying they have a virus (any infection is reported silently back to us by the AV). This is beyond a joke by Google. Yet another thing no one asked for, they didn't ask the community if they wanted it. After having to install software restrictions to block Chrome, Google Toolbar, Google Sidebar (wtf), Google Desktop Search as well as locking down IE to stop Google changing preferences I have to say this may be the arrogant fuck up that makes us look at blocking Google completely.
I'm google is terrified of you blocking them and will now pass all their interfaces changes and feature changes to you for approval.
I have to say this may be the arrogant fuck up that makes us look at blocking Google completely.
No, you're wrong. You will be the arrogant fuck up that blocks Google from your 'users.'
Just sayin'.
I got a virus when I was in France and it took three shots of penicillin to clean one that up.
Now that I think about it, the girl who gave me the virus had hairier than average legs, so she might have been Italian... I'm not saying she had hairy legs, but she had dandruff on her shoes.
You are welcome on my lawn.
What in the heck does this complaint you have about Google have to do with the issue at hand?
Google opted to notify people when requests to them are coming from a malware-based proxy server as a nice tip to let people know when they should check their machine out.
They're not selling anything, they're not pushing you toward anything. They're just notifying you that something known-to-be-bad is happening.
Clicking on the message to close it (clicking at all) is usually going to deliver the same payload as clicking "OK" --- them being simple image links to sites that will install something via an exploit, hell even seeing the fake warning could mean you're already infected (this stuff gets injected into pages via compromised ad providers, they can just as well embed a pdf/flash zero day and skip the 'clicking' step entirely).
After having to install software restrictions to block Chrome,
Why would you block this or any browser?
Remind me not to come work for your company
What in the heck does this complaint you have about Google have to do with the issue at hand?
That currently the Malware creators use very similar tactics to infect users (Popups advising the user is infected, Pages that look exactly like a Windows desktop with an infection popup etc). Users are told to close anything saying they have an infection for this reason.
That they didn't ask anyone if they even wanted this new "feature" like all the feature's they force down people throats (Preview, iGoogle Sidebar etc).
Google doesn't run banner ads on its pages, so yes, any banner ad on their site should be an immediate warning that either you're infected with something, or Google got hacked. Guess which is more likely.
The message we try to give to users is close it, if you're not comfortable then call us (we do helpdesk support) and we'll jump on remotely and check for any infection.
Yes you're right, they're are plenty of times an infection can't be avoided, but there are time when it can be simply by hitting the X in the top right corner.
You're talking about IE and Google is the fuck up? bwahaha. You slay me, sir.
Shared PCs used by Nurses (We support primarily aged care computer systems) to enter data into whatever software or browser based solution the customer use. There's definitely a need for control of what software is installed. But due to other users that require more access (Lifestyle, Managers) and a few lazy customers that refuse to move to individual accounts we have to basically allow most content through and block installation of any software (Yes we should be using a solution like SteadyState or DeepFreeze but that hasn't happened for various reasons) using policy.
You think viruses can be eradicated with antibiotics. That explains a lot about the quality of your posts.
Gamingmuseum.com: Give your 3D accelerator a rest.
What I'm not talking about is what's the better browser. I use Chrome half the time, I love it. But for a corporate environment with many users sharing PCs and you require management of hundred's of PCs you use IE.
I picked up that strain on my desktop PC Friday night. Weirdest thing. It started out by popping up a window (that I thought was Windows Defender) indicating I had a trojan. Might have even have been from Defender, it would close right away... Anyway, I started with safe-mode boot, Ad-Aware and Spybot, no dice. I ended up installing Norton Network Security, and it couldn't find it. I had to run Norton Power Eraser. Crazy. A commercial virus scanner that can't find viruses.
It installs itself in the MBR as a root kit, the proxy may even be local on the pc, downloaded on start-up.
Ahhhh... Poor notification. Gotcha.
First thing that hits me is:
1. If you don't tell the proxy malware asses about it, people will get a nifty notification and it will open the eyes of a few not-so-smart ones.
2. If you DO tell people you're doing it, the proxy malware idiots will craft new malware and work around it using new IPs -or- just come up with a new method.
In the end, it's better that Google do nothing and let nature run its course on this. It will anyway. :)
That would be home made Kombucha.
The search results (except yahoo) were mauled by paid placement schemes long ago, before the terroristic redirecting malware was even thought of. thanks for the 'warning' anyway?
Well playing devil's advocate here, you could be infected by a lesser payload. Say a virus is in 2 parts, 1. weak part that installs at user level, with user access rights, installs itself simply by loading an infected page etc... but lacks the ability to take admin rights on a system, Part 2. Master rootkit, requires user to grant admin rights for it to get in and dig deep. even with no admin rights, part 1 still has the power to run your browser through a proxy, and inject itself onto webpages as well as block filter and control what pages you go to. In other words part 1 could inject an advertisement onto the version of google you see, give you a link to a "trusted" provider, even make that "trusted" provider show up as norton, microsoft, google or whatever they feel like in the address bar for you, and 95% of users would give whatever program they are getting admin rights to install.
Simply don't return any valid URLs in the results if Google detects a poison proxy.
Even better, have all the URLs be http://www.microsoft.com/security/default.aspx or even better http://en.wikipedia.org/wiki/Linux or to be slightly evil^H^H^H^H self-serving http://www.google.com/chromebook/ .
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I knew there had to be some explanation.
So, does that mean that gonorrhea is not caused by a virus? Or is it syphilis? Gee, the things you learn on Slashdot. Amazing the level of sexual knowledge among a segment of the population that has only had sex with plush wookie dolls.
You are welcome on my lawn.
must...block...most..secure..browser...
You use IE6?
"Yet another thing no one asked for, they didn't ask the community if they wanted it" Wanted what? You mean to know your computer is infected? You're right, I should never ask for someone to help. Screw open source. /sarcasm
Maybe you want Google to call people instead of notifying them via their browser? But really, what is your "better" way to notify the user that they have an infection? Don't say "don't", because not every home user has an IT office that manages their computer for them.
When I click on a Google search result I usually don't get there anymore, and my antivirus software (malware bytes) reports that it blocked an outgoing request to a website and gives the IP address. Sometimes I'm redirected without malwarebytes blocking the request and end up in another search engine. Once it was Bing!
Malwarebytes can't seem to remove WTF is going on. Oh and I don't get a Google popup either.
The whole point is that the proxy removes Google's results entirely.
A link to a tool or instructions on how to remove the darn thing! I have been hit by some form of google re-direct twice and the last time I just gave up an re-formatted the hard-drive (it was due for a clean Windowz install anyway).
Easy administration
Deploy Chrome across your organization using the MSI installer. Control updates and customize your Chrome deployment with support for managed group policy and authentication protocols.
Both gonorrhea and syphilis are bacterial infections. He was merely pointing out that you originally mentioned using antibiotics with a virus. (Yes, the poster was a bit snarky about it.)
When you find yourself in a hole, first you must stop digging. BTW... I'm married.
Gamingmuseum.com: Give your 3D accelerator a rest.
I HAVE THIS! I have been using the secure one, encrpted.google.com, because every time i searched for something, it took me to another website, something completely unrelated to my search.
I tried going to google, but i didn't see the warning. does anyone know where they send you if you click on the link?
That wasn't dandruff on her shoes. That was the blizzard of a drying yeast infection. You should've built a snowman.
kaspersky has a nice cleaner for the google redirect - variant of the TDSS rootkit...it's in the MBR and causes a LOT of headaches
Fixmbr command to reset your MBR$ to a valid one that's not infected/infested!
So - boot up via CD/DVD of the Windows install media, which is read-only, & refresh the bootsector...
NOW, if this thing's like "the indestructable rookit/botnet" was?
You MAY wish to:
1.) Patrol the list of installed drivers &/or services via the Recovery Console's listsvc command (using GOOGLE or BING if need be for ones you don't know "offhand" (bogus ones usually don't have a descriptive field though in the listsvc outputs (some valid ones are that way too though, so... be aware of that much also))).
2.) Then, once you find the bogus driver, IF there is one (such as hello_tt.sys)? Shut it down via the disable command (which shuts down services AND DRIVERS from loading).
3.) Reboot to RC again on DVD/CD Windows install media (read only inviolate is why)
4.) Refresh the bootsector them (once the rootkit MBR$ & protective driver are gone) & use fixmbr for a new bootsector (and then, all SHOULD be "ok").
* Provided that the driver itself does NOT protect the registry area that disable affects (because it does NOT take effect until next bootup & if a driver for a rootkit's designed to not only protect the bootsector, but also the registry load area for said bogus driver too).
APK
P.S.=> Again, to stress the proper order for this:
In the case of an MBR$ originated rootkit protected by a driver, you have to do this order for it to work:
---
1.) Bootup via Windows install media from DVD/CD (read only inviolate environs, so you have a valid bootsector)
2.) Do the listsvc "patrolling/scanning"
3.) Execute disable vs. any bogus drivers once verified thus (or, if you don't get a VALID KNOWN RESULT).
4.) Reboot to Recovery Console again
5.) Use the fixmbr command to refresh the HDD's bootsector with a valid one
---
* DONE!
... apk
"Trojan-Driver" file, & you can determine WHICH ONE it is first of course?
(Usually that'd be atapi.sys or disk.sys because of the nature of what they do, disk or CD/DVD oriented I/O)
You can then use the COPY command from Recovery Console to OVERWRITE replace the bogus one either from drivers from the OEM install Windows media on CD/DVD, or, from a copy of an updated real driver from MS on a CD copy you made... per instructions below!
(Don't worry - Drivers do NOT PAGE THEMSELVES once in memory, like ordinary executables do (which is WHY folks see Windows paging still, even IF no pagefile.sys is present when monitoring for paging activities))
Thus, it should not be "locked vs. access" @ that point - that is, unless it has been programmed to PROTECT ITSELF vs. overwrite, or protecting not only say, the bogus MBR$, but also its registry driver init. areas... this will make them pretty much, TRULY, "indestructable, imo!
Anyhow/anyways - You can copy clean drivers, from 2 places:
---
1.) The Windows Installation media itself (again, which is read only inviolate), because it has the ORIGINAL OEM versions of these files
or
2.) Better still, extracting the newest models out of Service Pack patch files that have the updated ones placing them onto another CD for overwrite replacement of bogus patched trojan drivers - yes, you CAN do this, because the RC allows for default access to the CD/DVD, %SystemRoot%/%WinDir% by default - & you can set that to be more folders via secpol.msc/gpedit.msc also
---
* And, "there ya go"... as far as even defeating bogusly trojan driver file patch based rootkits too!
Between THIS here, and my last post here before this one:
http://it.slashdot.org/comments.pl?sid=2338764&cid=36829398
You SHOULD be "all set" vs. rootkits & how to combat them, & with tools you already own too (bonus)!
(Again - The ONLY fear(s) I have are trojan rootkit drivers that protects registry driver loads/initializations areas, &/or protecting themselves from overwrite)
However - I haven't seen that, not YET @ least, but... if it happens? "HOUSTON WE HAVE A PROBLEM!" (& it's "nuke it from orbit" @ that point quite possibly!)
APK
P.S.=> Yes - The Service Pack updates files can be opened with WinRar for example, OR, they often have "switches" that allow for in-place extraction - then, copy/burn them to 2nd extra CD for the task @ hand here!
(This IS the "preferred route", again, as it is read only inviolate)
So - @ that point, you can use the Recovery Console COPY command to replace any "bogusly patched" trojan driver files!
... apk
From the Windows installation media (a read-only environs):
---
RC Bootup & fixmbr to refresh MBR$ (master boot record & bootsector):
http://it.slashdot.org/comments.pl?sid=2338764&cid=36829398
&/or
Method for patching "bogus trojan driver files" as well (IF this method is employed as well in combination with the above):
http://it.slashdot.org/comments.pl?sid=2338764&cid=36833228
---
That's in response to your reply here:
"Note: I would recommend a windows CD for people who don't use linux or can't find the right tools, but I don't know of any such flavor of windows and don't care to see if one exists. What you're looking for is an OS that can be burned onto a write-once CD or DVD, and does not require an install." - by Anonymous Coward on Thursday July 21, @08:37AM (#36833436)
The ONLY problem w/ using Linux?
Is IF you have to redo the bootsector &/or MBR$ for Windows, especially Windows VISTA/7/Server 2008, + if needed, driver replacement AFTER identifying the "bogus trojan possible culprit"...
I.E.-> I am NOT 100% sure Linux will work on the new bootsector & boot format (no boot.ini) on the newer Windows types is all... correct me here IF necessary, I can always learn a new thing too!
---
ANYHOW/ANYWAYS:
In fact, I used the 1st URL's tactics vs. "the indestructible rootkit" a few weeks ago, & it works!
http://it.slashdot.org/comments.pl?sid=2282088&cid=36621818
---
So - Would your suggestion, using a Linux distro, work?
Possibly... just a bit more hassles due to identification of possible culprit/suspects, IF it is an "MBR$ protecting rootkit" variant that uses drivers to do so
AND
Not sure here IF Linux's tools will work as bcedit does for the most modern Windows types, VISTA onwards is all!
---
* "Blended-Threat" rootkits/botnets, running in both Ring 0/RPL 0/KernelMode + Ring 3/RPL 3/Usermode, suck...
(Imo @ least? Well - They're the WORST TYPE to get rid of, especially if you have to non-destructively... but, it IS doable! You just have to understand HOW they work is all, like any problem, in order to manage, control, OR DESTROY it?? You have to understand its mechanics, first!)
APK
P.S.=> Those methods will work, & yes, I've used them myself, for non-destructive removal of rootkits!
Now - To "mop up" ANY ring3/rpl3/usermode malware they may "haul in" also, which the "indestructible rootkit/botnet" did for example?
Well... ProcessExplorer works!
(With DLL view mode pane enabled, to see if any running processes or services are bogus, as well as being "hooked" via bogus lib/dll injections)
See - because once you "knock-the-chocolate" out of the rootkit running in Ring 0/RPL 0/kernelmode?? Nothing can deceive ProcessExplorer (via API call intercepts), & IT CAN SEE INTO ANYTHING IN USERMODE!
Yes, even a program loaded into memory - an almost "in-memory disassembly/dump" is possible too...
Yes - it's a "never fail" tool vs. signatures-based antivirus programs when their ID & remove methods fail or don't exist... (& their heuristics too, which do get "false positives" also @ times + are NOT set "on by default" or "to-the-max" by default usually either))
... apk