Google Goes Direct With Malware Warnings

Google this week announced that it will return a malware notice with search results for users deemed to have infected systems.

Google took an active stance after finding evidence on its own servers that malicious code is apparently redirecting search queries for some users. Users on compromised machines will see a yellow banner at the top of the search results that warns, "Your computer appears to be infected," and includes a link to information on cleaning up the infection.

Although the role of Internet service providers in protecting customers has been debated for years, this is one of the first times a third-party content provider has taken it upon itself to alert users to infections on their own machines.

"Google is to be applauded," said Chris Larsen, senior malware researcher at Blue Coat Systems.

But that does not mean there is no downside. Security alerts from fake anti-virus vendors have become a popular vector for luring victims to download worthless or malicious software, so there is the possibility that users will be suspicious of the Google alert, or that the bad guys will take advantage of it by counterfeiting it.

Google is aware of the risk. "We thought about this, too, which is why the notice appears only at the top of our search results page," said security engineer Damian Menscher in a company blog post announcing the program. "Falsifying the message on this page would require prior compromise of [the user's] computer, so the notice is not a risk to additional users."

Google announced the program on Tuesday after discovering what it called an unusual pattern of activity while doing maintenance on a server. The unusual traffic was being routed to Google through a small number of proxy servers.

"After collaborating with security engineers at several companies that were sending this modified traffic, we determined that the computers exhibiting this behavior were infected with a particular strain of malicious software, or 'malware,'" Menscher wrote in the blog. "As a result of this discovery, today some people will see a prominent notification at the top of their Google Web search results."
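Google has not said what the "modified traffic" looked like or how it singled out the proxies, so the following is an added illustration, not Google's code, of the general check a server operator can run on their own access logs: look for a small number of client addresses that carry a disproportionate share of requests and, as an assumed proxy signature, present many different User-Agent strings (many separate machines funnelled through one address). The log lines and thresholds are constructed for the example.

```python
"""Proxy-concentration heuristic over web-server access logs (added example)."""
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format. The fields used here are the client
# IP, the request line and the User-Agent string.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: four ordinary clients with one request each, and one
# address (203.0.113.7) sending six requests under four distinct User-Agents.
# The last line is deliberately malformed to show that bad lines are skipped.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Jul/2011:10:00:01 +0000] "GET /search?q=weather HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/5.0"',
    '198.51.100.1 - - [19/Jul/2011:10:00:02 +0000] "GET /search?q=recipes HTTP/1.1" 200 4980 "-" "Mozilla/5.0 (Macintosh) Safari/534.50"',
    '203.0.113.7 - - [19/Jul/2011:10:00:03 +0000] "GET /search?q=news HTTP/1.1" 200 5011 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"',
    '203.0.113.7 - - [19/Jul/2011:10:00:04 +0000] "GET /search?q=flights HTTP/1.1" 200 5230 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/12.0"',
    '198.51.100.2 - - [19/Jul/2011:10:00:05 +0000] "GET /search?q=maps HTTP/1.1" 200 5002 "-" "Mozilla/5.0 (X11; Linux) Firefox/5.0"',
    '203.0.113.7 - - [19/Jul/2011:10:00:06 +0000] "GET /search?q=shoes HTTP/1.1" 200 5101 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/5.0"',
    '198.51.100.3 - - [19/Jul/2011:10:00:07 +0000] "GET /search?q=python HTTP/1.1" 200 4870 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/12.0"',
    '203.0.113.7 - - [19/Jul/2011:10:00:08 +0000] "GET /search?q=cars HTTP/1.1" 200 5150 "-" "Opera/9.80 (Windows NT 5.1)"',
    '198.51.100.4 - - [19/Jul/2011:10:00:09 +0000] "GET /search?q=hotels HTTP/1.1" 200 5044 "-" "Mozilla/5.0 (iPhone) Safari/533.17.9"',
    '203.0.113.7 - - [19/Jul/2011:10:00:10 +0000] "GET /search?q=jobs HTTP/1.1" 200 4995 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"',
    'this line is not a valid access-log record',
]


def parse(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Per-IP request count and the set of distinct User-Agents seen from that IP."""
    count = Counter()
    agents = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # malformed line: skip rather than abort the whole pass
        count[rec["ip"]] += 1
        agents[rec["ip"]].add(rec["ua"])
    return count, agents


def flag_proxies(lines, min_share=0.20, min_agents=3):
    """Flag IPs that carry at least min_share of all parsed requests AND present
    at least min_agents distinct User-Agents (assumed proxy/NAT signature).

    Returns a list of (ip, requests, share, distinct_agents), busiest first.
    """
    count, agents = summarize(lines)
    total = sum(count.values())
    if total == 0:
        return []
    flagged = []
    for ip, n in count.items():
        share = n / total
        if share >= min_share and len(agents[ip]) >= min_agents:
            flagged.append((ip, n, round(share, 2), len(agents[ip])))
    flagged.sort(key=lambda t: -t[1])
    return flagged


if __name__ == "__main__":
    for ip, n, share, ua_count in flag_proxies(SAMPLE_LOG):
        print(f"{ip}: {n} requests ({share:.0%} of traffic), {ua_count} distinct User-Agents")
```

On the constructed sample only 203.0.113.7 is flagged. Both thresholds matter: a single busy crawler with one User-Agent fails the agent-diversity test, and a large corporate NAT that passes it is exactly the kind of false positive that needs the follow-up Google describes (talking to the operators behind the addresses) before anyone is told their machine is infected.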

Menscher wrote that the malware apparently was delivered to victims' computers through a fake anti-virus scheme and that it has been in circulation for a while. (Although Google issues the alerts with search results, the malware has nothing to do with searches.) As many as several million machines could be infected.

Google's advice to affected users is to install and update anti-virus software, scan the computer and remove any malware it finds. Users without anti-virus software are warned to avoid fake anti-virus tools.

"Common examples that you should not install include 'My Security Shield,' 'Security Master AV' and 'CleanUp Antivirus.' Before choosing to install any software, look online for reviews or forum posts to make sure that the software is not a malicious program."

Google has not released details of the malware, but Larsen speculated that by redirecting Google requests through a proxy, the search query could be manipulated to produce results that could direct traffic to selected sites. Because the query would be manipulated before it reached Google, it would not require gaming the search engine itself or directly manipulating the results.

But the validity of its results is Google's bread and butter, and the company is actively warning users of the problem.

Larsen said that the Google warning is not foolproof and could be exploited by bad guys.

"We would expect that, yes, someone eventually will game the system," he said. Alerts that appear in the browser can be easily abused, but this avenue is the only one open to Google, and the odds are that the genuine alerts will do more good than the counterfeits do harm.

"The balance is, overall, this is a good thing," Larsen said. "They are doing the best they can and it's a valuable service."

About the Author

William Jackson is the senior writer for Government Computer News (


