Original Article Published by The Author in Yahoo Content Network as:
By Cesar Ortiz
By Cesar Ortiz
In July 21, 2011 in Google's own Blogger page there is an article signed by Damian Menscher, a security engineer at Google, describing how he identified that infected computers were sending search traffic through proxies to the search engine. When you do a search, the malware sends you to a Google proxy IP, then, just before doing the search, changes the search string and shows malware pay per click sites in a way that leads you to think that you are still being in the real Google.
Mr. Menscher explains the following “As we work to protect our users and their information, we sometimes discover unusual patterns of activity. Recently, we found some unusual search traffic while performing routine maintenance on one of our data centers. After collaborating with security engineers at several companies that were sending this modified traffic, we determined that the computers exhibiting this behavior were infected with a particular strain of malicious software, or “malware.” As a result of this discovery, today some people will see a prominent notification at the top of their Google web search results. We hope that by taking steps to notify users whose traffic is coming through these proxies, we can help them update their antivirus software and remove the infections”
Mr. Menscher explains the following “As we work to protect our users and their information, we sometimes discover unusual patterns of activity. Recently, we found some unusual search traffic while performing routine maintenance on one of our data centers. After collaborating with security engineers at several companies that were sending this modified traffic, we determined that the computers exhibiting this behavior were infected with a particular strain of malicious software, or “malware.” As a result of this discovery, today some people will see a prominent notification at the top of their Google web search results. We hope that by taking steps to notify users whose traffic is coming through these proxies, we can help them update their antivirus software and remove the infections”
The notification will ONLY show at the top of the main Google page and it will be a page wide window with a black bar at the top. This same bar was seen when Google was testing to launch their Google+ service recently. The body of the window is in yellow and it will read in black letters:
“Your computer appears to be infected.
It appears that your computer is infected with software that intercepts your connection to Google and other sites. Learn how to fix this [Link]”
This message is for real. More than two million infected computers have been detected worldwide so far. If you receive the message, Google has detected that your PC is infected with a malware that appears to have gotten onto users' computers from one of roughly a hundred variants of a fake antivirus, or "fake AV" software that has been in circulation for a while. This time, one of the variants uses the Google service to scam users, therefore prompting Google to step in. When users click on the “Learn how to fix this” link, they are taken to a real Google page that will help users to get rid of the AV virus.
Up to now everything is running smoothly, but, now comes the catch, we know that scammers will design or copy the warning window that Google has been running since July 21, 2011 and that in the “Learn how to fix this” link they will send users to malware scam trap. We can expect that Google will make sure that no one will be able to insert a fake message to replace the real one that they are posting in good faith, but no one can prevent hackers to insert a fake look alike window somewhere else, including a fake Google main page.
Users must be alert that when they connect with the Google main page the address bar will show the proper address such as http://www.google.com/ there will be variants because Google routes users according to their detected geographical location. Make sure you have your anti virus software up to date and that is running in real time mode and be aware that Google will post this warning message ONLY at the top of their main page. If it shows somewhere else, it is a scam, no matter how real it may look.
UPDATE By the Author August 31, 2011
Update-August 29, 2011 Researchers evade Google redirect notice
Staff Report: SC Magazine-
http://www.scmagazineus.com/researchers-evade-google-redirect-notice/article/210774/
Researchers evade Google redirect notice "The Burmese YGN hacker group on Sunday detailed a URL redirect vulnerability that bypasses Google's notification to users that they might be visiting a malicious site.The flaw exists in the way that Google checks redirected URLs against a blacklist of known malicious web sites.
The attacker would send a victim a proxy server link which redirected to a malicious URL and, when clicked, would verify if the landing website was blacklisted by Google, researchers said. If it was, the server would generate a second malicious URL to infect users."
This is exactly what I predicted in the article above on July 23, 2011.
1 comment:
Update-August 29, 2011 Researchers evade Google redirect notice
Staff Report: SC Magazine-
http://www.scmagazineus.com/researchers-evade-google-redirect-notice/article/210774/
Researchers evade Google redirect notice "The Burmese YGN hacker group on Sunday detailed a URL redirect vulnerability that bypasses Google's notification to users that they might be visiting a malicious site.The flaw exists in the way that Google checks redirected URLs against a blacklist of known malicious web sites.
The attacker would send a victim a proxy server link which redirected to a malicious URL and, when clicked, would verify if the landing website was blacklisted by Google, researchers said. If it was, the server would generate a second malicious URL to infect users."
This is exactly what I predicted in the article above on July 23, 2011.
Post a Comment