Wednesday, July 30, 2014

Google: "Your Computer Appears to Be Infected" This Warning is Not a Scam, But, Beware of Where it Shows and What May Come Next

Google's Virus Warning is NOT a Scam, But, Look Out for Future Postings, They May Be Look-alike Scams


By Cesar Ortiz - (Article first published in Yahoo! Contributors/ABC News). This article is based on a Google blog posting; the issue has been covered in many publications as a news item, including my own blog and my own article published worldwide on Yahoo!/ABC News. In this opinion piece I express my concern about what will come next as a result of Google raising the subject in the way they did. In other words, Google is using the same procedure that scammers use every day to get users to click a link to malware, but this time the link they click is a real help page. Scammers will copy the virus warning and hit users with a malware link instead of a help page.

We received a Google Blog posting from Damian Menscher, a security engineer at Google, describing how he identified that infected computers were sending search traffic to the search engine through proxies. When you do a search, the malware sends you to a Google proxy IP and then, just before doing the search, changes the search string and shows malware pay-per-click sites with very "professional looking" graphics to trick you into thinking that you are going to legitimate sites.

Mr. Menscher explains the following: "As we work to protect our users and their information, we sometimes discover unusual patterns of activity. Recently, we found some unusual search traffic while performing routine maintenance on one of our data centers. After collaborating with security engineers at several companies that were sending this modified traffic, we determined that the computers exhibiting this behavior were infected with a particular strain of malicious software, or 'malware.'"

Google added that "As a result of this discovery, today some people will see a prominent notification at the top of their Google web search results. We hope that by taking steps to notify users whose traffic is coming through these proxies, we can help them update their antivirus software and remove the infections."

This is a first for Google; they had never done this type of notification before. The notification will ONLY show at the top of the main Google page, as a page-wide window with a black bar at the top. A similar black bar was seen when Google was testing the launch of its Google+ service recently. The body of the window is yellow and it reads, in black letters:

"Your computer appears to be infected.
It appears that your computer is infected with software that intercepts your connection to Google and other sites. Learn how to fix this [Link]"

This message is for real. More than two million computers have been infected worldwide so far. If you receive the message, Google has detected that your PC is infected with malware that appears to have gotten onto users' computers from one of approximately a hundred variants of fake antivirus, or "fake AV", software that has been in circulation for some time. This time, one of the variants uses the Google service to scam users, prompting Google to step in. When users click on the "Learn how to fix this" link, they are taken to a real Google page that helps them get rid of the fake AV malware.

Up to now everything is running smoothly, but now comes the catch: we know that scammers will design or copy the warning window that Google has been running since July 21, 2011, and that behind the "Learn how to fix this" link in the fake window they will send users to a scam malware page. We can expect that Google will make sure that no one is able to insert a fake message in place of the real one that they are posting in good faith, but no one can prevent hackers from inserting a fake look-alike window, with a malicious link, somewhere else, including a full fake Google main page.

Users must be alert: when they connect to the Google main page, the address bar will show the proper address, such as http://www.google.com/. There will be variants because Google routes users according to their detected geographical location. Make sure your antivirus software is up to date and running in real-time mode, and be aware that Google will post this warning message ONLY at the top of their main page. If it shows somewhere else, it is a scam, no matter how real it may look.

Tuesday, July 29, 2014

How Google Tracks Apple iPhone Users Browsing


By Cesar Ortiz - Google and other advertising companies have been following iPhone and Apple users as they browse the Web, even though Apple's Safari Web browser is set to block such tracking by default. By default, Safari accepts cookies only from sites that a user visits; these cookies can help the site retain logins or other information. Safari generally blocks cookies that come from elsewhere, but Google, Vibrant, MIG, and PointRoll circumvented Safari's cookie blocking, according to tweets by Stanford researcher Jonathan Mayer and his subsequent Wall Street Journal article, and to related research done by the Wall Street Journal staff.

When a user "googles" content related to sites that carry Google-generated advertising and clicks on anything related in the search engine results, a user-tracking sequence starts. As long as a user clicks in the results for any reason, Google detects the clicks using the code embedded in its "+1" button in the browser.

In software development terminology, the word container describes any component that can contain other components. Examples of containers include Java applets, frames and windows. Some are visible, others are not. In our scenario it is a frame with an invisible form to be filled out. The invisible container Google used is the "iframe" (inline frame).

This iframe structure is very common in the industry and allows content from one web site to be embedded into another. As a general rule iframes are visible windows or ads. As explained above, in Google's scenario the iframe is created as an invisible container with a "form to be filled out". The invisible iframe received on the user's computer sent a flag to Google that identified the user as an Apple Safari user on a PC, laptop, iPhone or iPod Touch. This is not usual: when someone wants you to fill out a form, it is sent as a visible form, of course. But this technique tricked Safari.

When Google received the ID flag identifying Safari as the browser, it sent the invisible form to the user's device. The user did not see the form, let alone fill it out (it was blank anyway), but Google's code submitted the blank invisible form from the user's Safari browser nevertheless. Once the form was submitted, Safari behaved as though the user had filled something out intentionally, and the browser allowed Google to set a cookie on the user's machine. One invisible form was sent back blank and the other carried user traffic data capture code (not personal data). The cookies were temporary; the blank one was set to expire in 12 hours, and the other expired in 24 hours. The end result is that users wind up visiting sites that they did not select.
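To make the mechanism concrete, here is an added example in JavaScript (it is not code from the original post, from Google or from Apple): a small triage script that scans a captured frame document for the tell-tale combination described above, an invisible frame plus a form that script submits although it has nothing a user could fill in. The ads.example hostnames and the two markup samples are constructed for the example, and the regex-based scan is a heuristic for short captured snippets, not a full HTML parser.

```javascript
// Added example: heuristic triage of a captured third-party frame document for
// the pattern described above, namely a frame that is invisible and whose form
// is submitted by script although it has no field a user could fill in. Input is
// the HTML of the embedded document as saved from an intercepting proxy or the
// browser's network panel; the samples below are constructed for the example.
// This is regex-based triage of a short snippet, not a full HTML parser.

// CSS that makes an element effectively invisible.
const INVISIBLE_STYLE =
  /display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*0(?:px)?(?![\w.])/i;

// Returns the raw opening tags of the named element.
function extractTags(html, tagName) {
  return html.match(new RegExp(`<${tagName}\\b[^>]*>`, 'gi')) || [];
}

// Returns an attribute's value from a raw opening tag, or null if absent.
function attr(tag, name) {
  const m = tag.match(new RegExp(`\\s${name}\\s*=\\s*("([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i'));
  if (!m) return null;
  if (m[2] !== undefined) return m[2];
  if (m[3] !== undefined) return m[3];
  return m[4];
}

// An element is treated as invisible if its style hides it, it is sized to
// zero, or it carries the boolean hidden attribute.
function isInvisible(tag) {
  const style = attr(tag, 'style') || '';
  return INVISIBLE_STYLE.test(style) ||
    attr(tag, 'width') === '0' || attr(tag, 'height') === '0' ||
    /\shidden(?=[\s>\/])/i.test(tag);
}

// Does any script in the document call submit() programmatically?
function hasScriptedSubmit(html) {
  return /\.submit\s*\(\s*\)/.test(html);
}

// Does the form contain at least one control a person could interact with?
function formHasUserFillableField(formHtml) {
  const visibleInput = extractTags(formHtml, 'input').some(t =>
    (attr(t, 'type') || 'text').toLowerCase() !== 'hidden' && !isInvisible(t));
  return visibleInput || /<(?:textarea|select)\b/i.test(formHtml);
}

// Returns a list of human-readable findings; an empty list means nothing suspicious.
function analyzeFrameDocument(html) {
  const findings = [];
  for (const tag of extractTags(html, 'iframe')) {
    if (isInvisible(tag)) findings.push('invisible iframe: ' + (attr(tag, 'src') || '(no src)'));
  }
  const scripted = hasScriptedSubmit(html);
  const formRe = /<form\b[^>]*>[\s\S]*?<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    if (scripted && !formHasUserFillableField(m[0])) {
      const action = attr(m[0].match(/<form\b[^>]*>/i)[0], 'action') || '(no action)';
      findings.push('script-submitted form with no user-fillable field, action=' + action);
    }
  }
  return findings;
}

// Constructed sample: an ordinary visible ad frame with a real sign-up form.
const BENIGN_SAMPLE = `
<iframe src="https://ads.example/banner" width="300" height="250"></iframe>
<form action="/subscribe" method="post">
  <input type="text" name="email"><button type="submit">Go</button>
</form>`;

// Constructed sample: zero-size frame plus a hidden-only form submitted by script.
const SUSPICIOUS_SAMPLE = `
<iframe src="https://ads.example/sync" style="display:none;width:0;height:0"></iframe>
<form id="f" action="https://ads.example/set" method="post">
  <input type="hidden" name="k" value="1">
</form>
<script>document.getElementById("f").submit();</script>`;

console.log('benign:', analyzeFrameDocument(BENIGN_SAMPLE));
console.log('suspicious:', analyzeFrameDocument(SUSPICIOUS_SAMPLE));
```

Run it with node: the benign sample yields no findings, the constructed suspicious one yields two. In a real review the input would be the frame documents captured while browsing with third-party cookies blocked, and any hit is a reason to look at what the form's action endpoint sets in its response.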


Google’s Rachel Whetstone said the temporary cookie served to create a “temporary communication link between Safari browsers and Google’s servers.” She said “the goal was to ensure that the information passing between the user’s Safari browser and Google’s servers was anonymous–effectively creating a barrier between a user’s personal information and the web content they browse”. Google said the company tried to design the +1 ad system to protect people’s privacy and did not anticipate that it would enable tracking cookies to be placed on users’ computers.

An Apple spokesman said: “We are aware that some third parties are circumventing Safari’s privacy features and we are working to put a stop to it.” An update to Safari has closed the loophole that allowed cookies to be set after the automatic submission of invisible forms. Future public versions of Safari could incorporate that update.

Thursday, July 21, 2011

Google: “Your Computer Appears To Be Infected” Warning is Not a Scam, but, Beware Of Where It Shows And What May Come Next

On July 21, 2011, on Google's own Blogger page, there is an article signed by Damian Menscher, a security engineer at Google, describing how he identified that infected computers were sending search traffic to the search engine through proxies. When you do a search, the malware sends you to a Google proxy IP, then, just before doing the search, changes the search string and shows malware pay-per-click sites in a way that leads you to think you are still in the real Google.

Mr. Menscher explains the following: “As we work to protect our users and their information, we sometimes discover unusual patterns of activity. Recently, we found some unusual search traffic while performing routine maintenance on one of our data centers. After collaborating with security engineers at several companies that were sending this modified traffic, we determined that the computers exhibiting this behavior were infected with a particular strain of malicious software, or ‘malware.’ As a result of this discovery, today some people will see a prominent notification at the top of their Google web search results. We hope that by taking steps to notify users whose traffic is coming through these proxies, we can help them update their antivirus software and remove the infections.”

The notification will ONLY show at the top of the main Google page, as a page-wide window with a black bar at the top. This same bar was seen when Google was testing the launch of its Google+ service recently. The body of the window is yellow and it reads, in black letters:

“Your computer appears to be infected.
It appears that your computer is infected with software that intercepts your connection to Google and other sites. Learn how to fix this [Link]”

This message is for real. More than two million infected computers have been detected worldwide so far. If you receive the message, Google has detected that your PC is infected with malware that appears to have gotten onto users' computers from one of roughly a hundred variants of fake antivirus, or "fake AV", software that has been in circulation for a while. This time, one of the variants uses the Google service to scam users, prompting Google to step in. When users click on the “Learn how to fix this” link, they are taken to a real Google page that helps them get rid of the fake AV malware.

Up to now everything is running smoothly, but now comes the catch: we know that scammers will design or copy the warning window that Google has been running since July 21, 2011, and that behind the “Learn how to fix this” link they will send users to a malware scam trap. We can expect that Google will make sure that no one is able to insert a fake message in place of the real one that they are posting in good faith, but no one can prevent hackers from inserting a fake look-alike window somewhere else, including a fake Google main page.

Users must be alert: when they connect to the Google main page, the address bar will show the proper address, such as http://www.google.com/. There will be variants because Google routes users according to their detected geographical location. Make sure your antivirus software is up to date and running in real-time mode, and be aware that Google will post this warning message ONLY at the top of their main page. If it shows somewhere else, it is a scam, no matter how real it may look.
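Both versions of this post (the 2011 original here and the 2014 repost above) end with the same advice: look at the address bar and accept the warning only on the real Google main page. The following is an added example in JavaScript, not code from the original post or from Google, of what that check looks like when done properly: parse the address and compare the whole hostname against a known list, instead of asking whether the text "contains google.com". The allowlist is a constructed placeholder (the two regional hostnames in it are assumed, not taken from the post), and the look-alike addresses are constructed samples of the shapes a fake main page could use.

```javascript
// Added example: an exact-hostname check of the kind the post recommends for
// the address bar, contrasted with the naive "does it contain google.com" test
// that look-alike pages defeat. Uses only the WHATWG URL parser built into Node.

// Constructed allowlist for this example (an assumption, not Google's list):
// the main page plus two regional variants of the kind the post mentions.
const LEGIT_SEARCH_HOSTS = new Set([
  'www.google.com',
  'google.com',
  'www.google.co.uk',
  'www.google.de',
]);

// The wrong way: a substring test. Kept here only to show what it gets wrong.
function naiveLooksLikeGoogle(address) {
  return address.toLowerCase().includes('google.com');
}

// The right way: parse, then compare the whole hostname against the allowlist.
function checkAddress(address) {
  let url;
  try {
    url = new URL(address);
  } catch (e) {
    return { ok: false, reason: 'not a parseable absolute URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: 'unexpected scheme ' + url.protocol };
  }
  // url.hostname is already lower-cased and has any user@ prefix removed by the
  // parser; non-ASCII labels come back punycode-encoded (xn--), so a homograph
  // domain can never equal an ASCII allowlist entry. Strip a trailing root dot.
  const host = url.hostname.replace(/\.$/, '');
  if (!LEGIT_SEARCH_HOSTS.has(host)) {
    return { ok: false, reason: 'hostname not in allowlist: ' + host };
  }
  return { ok: true, reason: 'hostname ' + host + ' is allowlisted' };
}

// Constructed sample addresses: two legitimate shapes and several look-alikes
// that place the genuine name somewhere other than the host position.
const SAMPLE_ADDRESSES = [
  'http://www.google.com/',
  'https://www.google.co.uk/search?q=test',
  'http://www.google.com.attacker.example/',   // genuine name as a subdomain
  'http://attacker.example/www.google.com/',    // genuine name in the path
  'http://www.google.com@attacker.example/',    // genuine name as userinfo
  'http://www.goog1e.com/',                     // typo-squat, digit 1 for l
  'not a url at all',
];

// Returns both verdicts per address so the difference is visible.
function compareChecks(addresses) {
  return addresses.map(a => ({
    address: a,
    naive: naiveLooksLikeGoogle(a),
    strict: checkAddress(a).ok,
  }));
}

for (const row of compareChecks(SAMPLE_ADDRESSES)) {
  console.log(`${row.strict ? 'OK    ' : 'REJECT'} naive=${row.naive} ${row.address}`);
}
```

The substring test accepts three of the four look-alikes and, just as badly, rejects the legitimate regional variant, which is why a hostname allowlist rather than a string match is the check worth teaching users and building into tooling.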

UPDATE by the Author, August 31, 2011

Update, August 29, 2011: Researchers evade Google redirect notice
Staff Report: SC Magazine
http://www.scmagazineus.com/researchers-evade-google-redirect-notice/article/210774/

"The Burmese YGN hacker group on Sunday detailed a URL redirect vulnerability that bypasses Google's notification to users that they might be visiting a malicious site. The flaw exists in the way that Google checks redirected URLs against a blacklist of known malicious web sites. The attacker would send a victim a proxy server link which redirected to a malicious URL and, when clicked, would verify if the landing website was blacklisted by Google, researchers said. If it was, the server would generate a second malicious URL to infect users."

This is exactly what I predicted in the article above on July 23, 2011.