Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Warns Users About Active Malware Infection

Posted by CmdrTaco on from the hooray-i'm-clean dept.

dinscott writes "Google has begun notifying its users that a particular piece of malware is installed on their computers by showing a big yellow notification above their search results. The warning begun popping up yesterday, and does so only for users whose computers have been infected by a particular strain of malware that hijacks search results in order to drive users towards websites that use pay-per-click schemes."

53 of 80 comments (clear)

  1. Proxy by mwvdlee · · Score: 5, Insightful

    The malware works by redirecting search queries through a proxy. It should be easy for the proxy to just remove the warning or reroute it so Google can't identify the malware.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    1. Re:Proxy by Intron · · Score: 1

      I'm sure this will start an arms race with the malware writers, but I still wouldn't bet against Google.

      --
      Intron: the portion of DNA which expresses nothing useful.
    2. Re:Proxy by jamesh · · Score: 1

      The malware works by redirecting search queries through a proxy. It should be easy for the proxy to just remove the warning or reroute it so Google can't identify the malware.

      It's just another leap in the perpetual game of leapfrog...

      I do like the idea though.

    3. Re:Proxy by madhatter256 · · Score: 1

      Well it's not that easy, there is usually a virus/trojan that changes you back the proxy service once you disable it. So, you'll have to run some good antimalware scans.

      You also want to check your lmhost file, too, and do a full DNS flush on the infected PC.

      --
      Previewing comments are for sissies!
    4. Re:Proxy by alex67500 · · Score: 1

      Same here. As much as they don't want to "Do no evil", they're also pretty fond of their advertising revenue, which this malware is cutting them from. Somehow, I believe Googl-iath wins this one and David goes home with a sore head.

    5. Re:Proxy by nedlohs · · Score: 1

      Which is completely irrelevant to the guys running the malware itself updating their proxy to filter the warning message out.

    6. Re:Proxy by maxume · · Score: 1

      You really expect him to read your comment with comprehension turned on?

      --
      Nerd rage is the funniest rage.
    7. Re:Proxy by KiloByte · · Score: 1

      It's trivial to remove javascript, and losing Instant is hardly noticeable. For Google, I'd try randomizing the page and the warning, so the proxy has a hard time parsing it. Change the randomization algorithm once in a while, too.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    8. Re:Proxy by gnick · · Score: 1

      If it's being routed through a proxy, they don't even have to identify the warning. They just have to glean the results, adjust them to their liking, and recreate a reasonably google-like results page. I'm surprised the warnings ever got through in the first place.

      --
      He's getting rather old, but he's a good mouse.
    9. Re:Proxy by macshit · · Score: 1

      I'm sure this will start an arms race with the malware writers, but I still wouldn't bet against Google.

      Indeed. Spam filtering of course started a similar arms race, but gmail spam filtering has become so good that spam long ago ceased to be an issue for me -- it's been months since I've seen a false negative or false positive (yes I do still check the spam folder sometimes, out of lingering habit), and my email address is all over the place.

      Malware is probably a stickier issue of course, but as you say, it's always risky to bet against Google...

      --
      We live, as we dream -- alone....
    10. Re:Proxy by KiloByte · · Score: 1

      No matter if you blacklist or whitelist parts to pass to the client, you still need to parse the page well enough. Randomizing the page might make it hard enough for the fuckhats to implement the parsing, and when they do, Google can make a small change to throw them off again.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  2. A friend of mine had this last week by Nursie · · Score: 1

    Nothing seemed to detect it or get rid of it, so she ended up reinstalling the whole OS. It doesn't sound like a particularly new idea, redirecting search, but the proxy aspect might be I suppose.

    1. Re:A friend of mine had this last week by elfprince13 · · Score: 1

      I haven't run into an infection yet that can't be gotten rid of with the Sysinternals suite. Usually takes me less than a half hour of work.

    2. Re:A friend of mine had this last week by Nursie · · Score: 1

      While that's useful information to me, that wouldn't have helped her, as she's not a geek and was receiving remote advice from people via facebook...

    3. Re:A friend of mine had this last week by Bing+Tsher+E · · Score: 1

      Was she a victim of the malware, then, or a victim of her own design?

    4. Re:A friend of mine had this last week by Servaas · · Score: 1

      Indeed, I torch them everytime a worm or virus pops up.

    5. Re:A friend of mine had this last week by kaizendojo · · Score: 1

      I've run into this type of malware/scareware with clients and friends, and I've had a lot of success with the program "Unhackme" by Greatis Software link. It's been pretty effective on malware and root kits and is reasonably priced, not to mention quick. It also works to prevent further infections by protecting the boot sector area.

      Full disclosure - while I am a fan and recommend the program to others, I have no connection with the company or devs. Just trying to help.

    6. Re:A friend of mine had this last week by i+kan+reed · · Score: 1

      1. Boot to safe mode
      2. Purge all autoruns.
      3. Reboot to normal mode.

      Cleaning a windows PC without malware tools is usually really easy, except in the case of rootkits. This approach has the side effect of removing crap-ware installed by manufacturers.

    7. Re:A friend of mine had this last week by Anonymous Coward · · Score: 1

      The malware adds entries into your HOSTS file.
      (C:\windows\system32\drivers\etc\hosts)
      You'll have to take ownership of the file.
      (properties / security / advanced / owner)
      Then edit it in notepad to remove the offending redirects.

      The hosts file works like a static DNS look up table.
      [hostname] [ip]
      google.com 133.7.3.57

    8. Re:A friend of mine had this last week by Riceballsan · · Score: 1

      That works on 80% of non-rootkit assisted virus, you still have to factor in the 20% that can, A. Launch in safe mode, B. attach itself to other programs you are inevitably going to open, rather then entirely relying on startup, and that isn't even factoring in the very much increased rate of rootkit based infections as of late.

    9. Re:A friend of mine had this last week by stephathome · · Score: 1

      My husband's computer had a virus along these lines a year or two ago, hijacking Google results, and that thing was tough to get rid of. Not a single malware scanner found it. I simply noticed because he complained his computer wasn't working right, and the usual scanner wasn't fixing it for him. Neither was any other scanner I tried, and I tried a bunch. Not one so much as detected it, but the changed search results showed that something was going on. I had to do a reinstall on his computer too.

      Found it his computer probably got infected because he kept going back to a site his scanner warned him was infected, and he'd ignored the warning. *headdesk* I think he knows better than to make that mistake again, but there are reasons why I don't like him using my computer. You'd think the previous discussions we'd had about malware would be enough... I hope he finally has that lesson down.

      Going to have to keep that Sysinternals suite mentioned elsewhere in mind. He's not the only problem child in the family, although I have most relatives pretty well trained now.

    10. Re:A friend of mine had this last week by Abstrackt · · Score: 1

      Found it his computer probably got infected because he kept going back to a site his scanner warned him was infected, and he'd ignored the warning. *headdesk*

      Hey, if it wasn't for people like that half of us wouldn't have jobs! ;)

      (I'm a strong advocate for user education and attempt to do so every time I fix someone's system but I also have no qualms about taking their money when they ignore my advice time and time again)

      --
      They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
    11. Re:A friend of mine had this last week by GIL_Dude · · Score: 1

      True, for the rest you simply boot to Windows PE from a USB Key or DVD and mount the host machine's registry and remove the offending entries (typically in services or the typical "run" keys. You can also delete the executables from the file system. Obviously the more experience you have doing this the easier it is to identify what to remove. If the machine is running BitLocker you will need the recovery key to use this method, but as long as you have the key it works fine.

    12. Re:A friend of mine had this last week by JamesTRexx · · Score: 1

      We do the same thing here at our shop. Well.., not so much torch but reinstall. :-)
      It's not so much that we couldn't get rid of a virus, but it's an insurance against claims that the machine wasn't clean when the customer gets it back.
      It also takes away any worry from the customer about infected files left behind on the drive.

      --
      home
    13. Re:A friend of mine had this last week by asdf7890 · · Score: 1

      Some of my family manage to get infections regularly. I've stopped doing even this three step process as I'm tired of trying to educate them to be careful. First I'll try the built in "system restore" feature and if that doesn't work (either because the restore points don't go back far enough, or we'd need to go too far back to be useful anyway, because the malware has managed to infect the restore point data too, or because it is rootkit aided (or similar) and gets around system restore that way) it is a boot sector wipe and full OS reinstall I make them explicitly state that they've got a backup of their important data before they hand me the machine, of course.

      It is amazing how much more careful people become when they know the only fix is likely to be a refresh which means reinstalling all their games and crap afterwards.

    14. Re:A friend of mine had this last week by Qzukk · · Score: 1

      Seems like I'm running across more and more stuff that hides in the Task Scheduler's "At log on" tasklist. Not many people seem to think to look there, and it doesn't appear to show up in a registry search (unless its one of those {21232f5a1-0b51-521... keys, instead of "task scheduler").

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    15. Re:A friend of mine had this last week by _0xd0ad · · Score: 1

      Task Scheduler tasks are files with a .job extension saved in C:\WINDOWS\TASKS.

    16. Re:A friend of mine had this last week by stephathome · · Score: 1

      Too true. Especially if you don't learn after an infection or so, paying someone to fix it is just what you deserve. Malware's out there. Be ready to deal with it.

  3. Awesome! by abigsmurf · · Score: 4, Insightful

    I bet Malware authors are already copying these messages in order to trick people into installing scareware.

    1. Re:Awesome! by locallyunscene · · Score: 1

      I wish they had picked different wording. It's exactly the same as the pop ups you shouldn't click on.

  4. Same as before. by poofmeisterp · · Score: 4, Informative

    Flashback, man.

    This is almost 100% the same as the last piece of malware I was asked to remove from three peoples' machines over the course of a couple of months.

    It was such a pain in the butt because I spent an hour manually cleaning the registry while using a live CD, looking for the newest modified-time files on the machine, looking for installed "Oh-I'm-so-cool" applications, browser extensions, system libs, etc etc etc.....

    In the end, I find out that it was cleaned off after my first registry run key deletion session, but the damn proxy was set in both Mozilla and IE to a remote IP. Now, Proxy is one of the first things I check with there's ad-based or redirectional malware reported.

    What's next?

    1. Re:Same as before. by Anonymous Coward · · Score: 1

      I've cleaned the same proxy off machines myself.

      Then one of those machines got hit again, I figured it was the same thing - but all my fixes were still setup. Turned out it was a bogus firefox extension with a real-looking name that was doing all the redirection.

      Somewhere in there there is a human proxy/redirect joke ...

    2. Re:Same as before. by andytrevino · · Score: 1

      The proxy setting will show up - and can be removed with 2 clicks - in a HijackThis report. While Trend Micro bought it and supposedly has changed something (not sure what...) HJT remains a useful tool for anyone combating malware and ransomware.

      The Firefox extension AC replied about will show up in a log from ComboFix though CFX won't remove the proxy by itself at this point -- perusing a ComboFix log features loads of information about a system and its infections.

    3. Re:Same as before. by TheEnigmaticToad · · Score: 1

      Manually? UMAD?!?! HiJackThis is woefully out of date, don't bother with it. Use one of these: 1. http://www.geekstogo.com/forum/topic/277391-otl-tutorial-how-to-use-oldtimer-listit/ 2. ComboFix - You'll have to enroll in a school to get the in-depth guide 3. AVZ - Includes a really powerful scripting ability. Each of the

  5. Re:Like those fake warnings we tell people to clos by Bing+Tsher+E · · Score: 1

    I have to say this may be the arrogant fuck up that makes us look at blocking Google completely.

    No, you're wrong. You will be the arrogant fuck up that blocks Google from your 'users.'

    Just sayin'.

  6. Re:Good for Google! by PopeRatzo · · Score: 1, Offtopic

    I was once the victim of an Italian virus attack and it was a bejeezus of a chore to clean up after that one!

    I got a virus when I was in France and it took three shots of penicillin to clean one that up.

    Now that I think about it, the girl who gave me the virus had hairier than average legs, so she might have been Italian... I'm not saying she had hairy legs, but she had dandruff on her shoes.

    --
    You are welcome on my lawn.
  7. Re:Like those fake warnings we tell people to clos by poofmeisterp · · Score: 1

    What in the heck does this complaint you have about Google have to do with the issue at hand?

    Google opted to notify people when requests to them are coming from a malware-based proxy server as a nice tip to let people know when they should check their machine out.

    They're not selling anything, they're not pushing you toward anything. They're just notifying you that something known-to-be-bad is happening.

  8. Re:Like those fake warnings we tell people to clos by Anonymous Coward · · Score: 1

    Clicking on the message to close it (clicking at all) is usually going to deliver the same payload as clicking "OK" --- them being simple image links to sites that will install something via an exploit, hell even seeing the fake warning could mean you're already infected (this stuff gets injected into pages via compromised ad providers, they can just as well embed a pdf/flash zero day and skip the 'clicking' step entirely).

  9. Re:Like those fake warnings we tell people to clos by wadeal · · Score: 1

    What in the heck does this complaint you have about Google have to do with the issue at hand?

    That currently the Malware creators use very similar tactics to infect users (Popups advising the user is infected, Pages that look exactly like a Windows desktop with an infection popup etc). Users are told to close anything saying they have an infection for this reason.

    That they didn't ask anyone if they even wanted this new "feature" like all the feature's they force down people throats (Preview, iGoogle Sidebar etc).

  10. Re:Like those fake warnings we tell people to clos by wadeal · · Score: 2

    The message we try to give to users is close it, if you're not comfortable then call us (we do helpdesk support) and we'll jump on remotely and check for any infection.

    Yes you're right, they're are plenty of times an infection can't be avoided, but there are time when it can be simply by hitting the X in the top right corner.

  11. Re:Like those fake warnings we tell people to clos by wadeal · · Score: 2

    Shared PCs used by Nurses (We support primarily aged care computer systems) to enter data into whatever software or browser based solution the customer use. There's definitely a need for control of what software is installed. But due to other users that require more access (Lifestyle, Managers) and a few lazy customers that refuse to move to individual accounts we have to basically allow most content through and block installation of any software (Yes we should be using a solution like SteadyState or DeepFreeze but that hasn't happened for various reasons) using policy.

  12. Re:Good for Google! by operagost · · Score: 1

    You think viruses can be eradicated with antibiotics. That explains a lot about the quality of your posts.

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.
  13. Re:Like those fake warnings we tell people to clos by wadeal · · Score: 1

    What I'm not talking about is what's the better browser. I use Chrome half the time, I love it. But for a corporate environment with many users sharing PCs and you require management of hundred's of PCs you use IE.

  14. Friday Night VIrus Fight by Matt.Battey · · Score: 3, Informative

    I picked up that strain on my desktop PC Friday night. Weirdest thing. It started out by popping up a window (that I thought was Windows Defender) indicating I had a trojan. Might have even have been from Defender, it would close right away... Anyway, I started with safe-mode boot, Ad-Aware and Spybot, no dice. I ended up installing Norton Network Security, and it couldn't find it. I had to run Norton Power Eraser. Crazy. A commercial virus scanner that can't find viruses.

    It installs itself in the MBR as a root kit, the proxy may even be local on the pc, downloaded on start-up.

  15. Re:Like those fake warnings we tell people to clos by poofmeisterp · · Score: 1

    Ahhhh... Poor notification. Gotcha.

    First thing that hits me is:

    1. If you don't tell the proxy malware asses about it, people will get a nifty notification and it will open the eyes of a few not-so-smart ones.
    2. If you DO tell people you're doing it, the proxy malware idiots will craft new malware and work around it using new IPs -or- just come up with a new method.

    In the end, it's better that Google do nothing and let nature run its course on this. It will anyway. :)

  16. Re:Like those fake warnings we tell people to clos by Riceballsan · · Score: 1

    Well playing devil's advocate here, you could be infected by a lesser payload. Say a virus is in 2 parts, 1. weak part that installs at user level, with user access rights, installs itself simply by loading an infected page etc... but lacks the ability to take admin rights on a system, Part 2. Master rootkit, requires user to grant admin rights for it to get in and dig deep. even with no admin rights, part 1 still has the power to run your browser through a proxy, and inject itself onto webpages as well as block filter and control what pages you go to. In other words part 1 could inject an advertisement onto the version of google you see, give you a link to a "trusted" provider, even make that "trusted" provider show up as norton, microsoft, google or whatever they feel like in the address bar for you, and 95% of users would give whatever program they are getting admin rights to install.

  17. Easy enough to solve by davidwr · · Score: 1

    Simply don't return any valid URLs in the results if Google detects a poison proxy.

    Even better, have all the URLs be http://www.microsoft.com/security/default.aspx or even better http://en.wikipedia.org/wiki/Linux or to be slightly evil^H^H^H^H self-serving http://www.google.com/chromebook/ .

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  18. Re:Good for Google! by PopeRatzo · · Score: 1

    You think viruses can be eradicated with antibiotics. That explains a lot about the quality of your posts.

    I knew there had to be some explanation.

    So, does that mean that gonorrhea is not caused by a virus? Or is it syphilis? Gee, the things you learn on Slashdot. Amazing the level of sexual knowledge among a segment of the population that has only had sex with plush wookie dolls.

     

    --
    You are welcome on my lawn.
  19. I seem to be infected with something like this by scharkalvin · · Score: 1

    When I click on a Google search result I usually don't get there anymore, and my antivirus software (malware bytes) reports that it blocked an outgoing request to a website and gives the IP address. Sometimes I'm redirected without malwarebytes blocking the request and end up in another search engine. Once it was Bing!
    Malwarebytes can't seem to remove WTF is going on. Oh and I don't get a Google popup either.

  20. Facepalm by Bratmon · · Score: 1

    The whole point is that the proxy removes Google's results entirely.

  21. Even more helpful would be... by s31523 · · Score: 1

    A link to a tool or instructions on how to remove the darn thing! I have been hit by some form of google re-direct twice and the last time I just gave up an re-formatted the hard-drive (it was due for a clean Windowz install anyway).

  22. Re:Like those fake warnings we tell people to clos by MadMaverick9 · · Score: 1
    http://www.google.com/apps/intl/en/business/chromebrowser.html

    Easy administration

    Deploy Chrome across your organization using the MSI installer. Control updates and customize your Chrome deployment with support for managed group policy and authentication protocols.

  23. Re:Good for Google! by operagost · · Score: 1

    When you find yourself in a hole, first you must stop digging. BTW... I'm married.

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.