It's too bad that the malware folks in the world already use "your computer appears to be infected" messages to trick people into installing malicious software. Tomorrow, the bad guys will copy the format and appearance of Google's version of the message, to leverage the trust people have in Google. Perhaps Google needs something akin to the Yahoo personalized "sign-in seal" for moments like this?
I'm with Mecandes on this. For as long as I've been on the internet, there have been messages like this floating around that will actually GIVE you a virus. If I saw that message without reading this blogpost, I would assume the message was fake.
I agree, this is too much like those phishing virus/trojans that claim your computer is infected.
What it SHOULD say is:
Your computer is infected. Shut it down now, take it to your best geek buddy, buy him a venti nonfat tripple espresso, and ask HIM to fix it, because you can't trust links like this, and your judgment is impaired otherwise you'd never have gotten infected in the first place.
Thanks Google team! Keep improving the service... Sure, Mecandes and other commenters are right in that for lots of end users it is confusing as the bad guys also use a similar message. But it's always easier to comment on stuff, and at least this Google team is trying...
Now....If I was these dodgy people sending you via proxies, one of them would send you to a page that looked exactly like Google, with the message on and ask them to click here to remove the message. Pretty easy to even make the Google search work due to the APIs available....
In fact, I'd set up 100 pages exactly the same across hundreds of spammy domains so as soon as one got shut down, I could switch to another
I would remove the link "Learn how to fix this". Most people who know don't know how to remove malware, won't learn by reading a webpage. Malware developers will soon copy your google imagery transform that link in a malware link.If you have malware running in your computer, the best advice is to shut it down and take it to your best geeky friend to fix it! (Or pay for it!). (As aelfwyne said ...)
Is it also possible to notify the abuse@ address for the IP space? In certain networks (for example universities) this gives a better chance of the right system and user being traced and cleanup being done.
I run a computer repair shop and see this stuff all the time. So far, I for see this as "someone lighting a match and yelling fire". I have found a post from Google stating that it is simply altering the hosts file. This is very sort on details.
Where is the bug coming from? What put the line(s) in the hosts file?
All they are listing that I have found so far is the symptoms of the cold but not the cold. If anyone has any more details, please email me ASAP at [email protected]
Hey Damian, I'm a Xoogler (AdWords Risk) with an idea about this based on some things I've been seeing in my current industry. I love your work on this but would prefer to keep my input private, please email me at jackhanlon at gmail so we could speak more.
I’m glad I’m not the only one who sees a problem with this. It’s a good idea, but I think it’ll confuse your average user and may help SPREAD malware, doing little to eliminate it.
On one hand I’m inclined to agree with the previous poster who suggested that the link to fix the problem should be removed. On the other hand, I wondering if the notification bar is just a bad idea in general. I like what Google is trying to do, and I can see the good intentions, but it certainly doesn’t seem like it was thought through very well.
remember how these ppl got infected to begin with, was clicking on an a link telling them they were infected... that's who it's aimed at. Google is also far more trusted than most other sites anyway so it will definatly encourage ppl to try to do something about it.
Update: So far from what I am seeing, this thing is altering the Google proxy so that it sends you to a Malware site.
When you do a search, it sends you to the Google proxy IP then just before doing the search, changes the search string and lists the Malware sites in a way to let you think that your going to good sites.
Please correct me if I am wrong. I am still researching this and the more info the better.
On point three you are dealing with technicalities about where you place the warning on the Google page, and what it would take to compromise the warning on the Google page. True, the actual Google notice isn’t a risk to additional users. But what about fake notices that look like the Google alert on other web sites. Because this comes from Google, and people have some degree of trust in the Google brand, people will have less reluctance to click in the link in your notice.
Before if someone were to see a fake AV ad that associates itself with Google, it could be rejected immediately. But now, a fake AV add making that claim might seem more believable, because people will know that Google does in fact offer that service. Not only that, Google has established a visual design that furthers that degree of trust. This has never been the case before. Think of it from the view of an average web surfer who encounters a forged ad on some 3rd party web site. Sure, they’re not on the Google page, but hey, it looks like the Google Ad, It Says it’s from Google, and they know Google does this kind of thing (and may not know it’s only valid on the Google page). So it’s *click*, and game over.
I’m glad to hear you’ve helped hundreds of thousands of users, but I don't know that I'd go as far as saying that the notice is not a risk to additional users.
Mr. Lembo and othres, my extensive experience indicates that Malwarebytes AntiMalware (http://www,malwarebytes.org) is currently the best tool around for killing fake AV. In most cases it just runs and kills the fake. Sometimes it requires some trickery such as renaming the installer and/or executable. In extreme cases it requires manual fixes to re-enable safe mode before installing and running. I carry some .reg files with me; http://blog.didierstevens.com/2007/02/19/restoring-safe-mode-with-a-reg-file/.
I'm sorry to say this, but one way to get confronted with an attempt to install this Fake AV software is by browsing for picture results with Google. The pictures in the search result do not open the picture in question, but instead open a fake virus detection notice box and immediately start a fake scan of what seems to be your own hard drive and files. You can not close the Internet Explorer tab and you have to kill IE to get rid of it. If you fail to do so or follow through with what they tell you to do, you will get that Fake AV malware installed. It's time that Google does something about these fake picture found results that have been manipulated to land you on a malware site. It's also time that Microsoft changes IE so that it becomes less susceptible to these kind of attacks, but that counts for the other browsers as well.
1) Fake AV pages are rampant. The fact that they are on pages with odd URLS does not matter, people don't pay attention. Plus, there are lots of ways to hide the URL, or make it look reasonable.
2) Google is a terrific source of hacking data and always has been. Until they borked the svn server, google code held a list of known password drop boxes. At least a third, and probably more phished passwords transit Google. However, these are for non-Google hacked accounts. As soon as Google is somewhat threatened, though, they spring into action. With an ill-conceived plan. Not impressed, folks.
Very nice, but I think this should definately be made more public: If someone sees this message he might think it's fake. Why not post a notice on the normal Google start page about this feature? I think most people would appericiate this.
This is just an off the wall idea. I don't know how much of a load it would be on the servers but there are "blacklist" sites out there... I use WOT on my firefiox if you've never seen it... www.mywot.com
May a flag (red yellow green or something) when a link is on a blacklist?
I am planing something like this on a local access point that's in the works here
That link "Learn how to fix this" needs to be removed. I would not be surprised that the hackers have already made something that looks just like it with that link going to something malicious. A warning that the machine is compromised and they need the machine cleansed by a geek and new AV software installed is enough. Do not provide links and make that an established principle of these warnings.
Silly rabbits! Google isn't doing this to let the end user know that they might be infected. One commenter even pointed out the fact that a/v software can not remediate an unknown infection. Google is telling the attackers in a polite way to knock it off before google lays a smack down. I'm sure that the google team has been aware of this packet interception and manipulation for some time. They have collected the necessary identifying information and decided to play cat and mouse for fun. Google has resources that vastly overshadow even some governments. A group of hackers isn't a direct threat to google, hence the polite "Hey, we know who you are and what you're up to. Knock it off!"
This should surely help my business. One obstacle in winning new customers is that people just don't know their computers are infected. This may help to overcome that.
36 comments :
It's too bad that the malware folks in the world already use "your computer appears to be infected" messages to trick people into installing malicious software. Tomorrow, the bad guys will copy the format and appearance of Google's version of the message, to leverage the trust people have in Google. Perhaps Google needs something akin to the Yahoo personalized "sign-in seal" for moments like this?
I'm with Mecandes on this. For as long as I've been on the internet, there have been messages like this floating around that will actually GIVE you a virus. If I saw that message without reading this blogpost, I would assume the message was fake.
The difference is that this message is on the Google page, where as the 'fake' ones are typically in some banner or other shady webpage.
If malware is putting messages on your Google page telling you that you have malware, I say let them go for it.
I agree, this is too much like those phishing virus/trojans that claim your computer is infected.
What it SHOULD say is:
Your computer is infected. Shut it down now, take it to your best geek buddy, buy him a venti nonfat tripple espresso, and ask HIM to fix it, because you can't trust links like this, and your judgment is impaired otherwise you'd never have gotten infected in the first place.
Wait..."some people use it for harm and their own gain at the expense of others."
... gosh. I plan to stay alert for that.
Thanks Google team! Keep improving the service... Sure, Mecandes and other commenters are right in that for lots of end users it is confusing as the bad guys also use a similar message. But it's always easier to comment on stuff, and at least this Google team is trying...
Now....If I was these dodgy people sending you via proxies, one of them would send you to a page that looked exactly like Google, with the message on and ask them to click here to remove the message. Pretty easy to even make the Google search work due to the APIs available....
In fact, I'd set up 100 pages exactly the same across hundreds of spammy domains so as soon as one got shut down, I could switch to another
thankfully I'm not that way inclined
I would remove the link "Learn how to fix this". Most people who know don't know how to remove malware, won't learn by reading a webpage. Malware developers will soon copy your google imagery transform that link in a malware link.If you have malware running in your computer, the best advice is to shut it down and take it to your best geeky friend to fix it! (Or pay for it!). (As aelfwyne said ...)
They most certainly will fake it and those who do trust the fakes will do so without checking the URL.
Does this malware have a name?
Is it also possible to notify the abuse@ address for the IP space? In certain networks (for example universities) this gives a better chance of the right system and user being traced and cleanup being done.
This is stupid. Great idea, very, very poor execution. This is only going to confuse people. Ridiculous.
I run a computer repair shop and see this stuff all the time. So far, I for see this as "someone lighting a match and yelling fire". I have found a post from Google stating that it is simply altering the hosts file. This is very sort on details.
Where is the bug coming from?
What put the line(s) in the hosts file?
All they are listing that I have found so far is the symptoms of the cold but not the cold. If anyone has any more details, please email me ASAP at [email protected]
Hey Damian,
I'm a Xoogler (AdWords Risk) with an idea about this based on some things I've been seeing in my current industry. I love your work on this but would prefer to keep my input private, please email me at jackhanlon at gmail so we could speak more.
Kudos on the great work.
Best,
Jack
Does anyone of a list of the IP addresses of the malware proxies?
I’m glad I’m not the only one who sees a problem with this. It’s a good idea, but I think it’ll confuse your average user and may help SPREAD malware, doing little to eliminate it.
On one hand I’m inclined to agree with the previous poster who suggested that the link to fix the problem should be removed. On the other hand, I wondering if the notification bar is just a bad idea in general. I like what Google is trying to do, and I can see the good intentions, but it certainly doesn’t seem like it was thought through very well.
remember how these ppl got infected to begin with, was clicking on an a link telling them they were infected... that's who it's aimed at. Google is also far more trusted than most other sites anyway so it will definatly encourage ppl to try to do something about it.
I think this can only be positive.
The fact that people still get malware/viri to this day amazes me.
What do the attackers gain by sending Google traffic through proxies? Seems like a weird sort of attack.
Update: So far from what I am seeing, this thing is altering the Google proxy so that it sends you to a Malware site.
When you do a search, it sends you to the Google proxy IP then just before doing the search, changes the search string and lists the Malware sites in a way to let you think that your going to good sites.
Please correct me if I am wrong. I am still researching this and the more info the better.
@Lucid-
Some people still don't change their oil. What about people getting malware/viruses is surprising to you?
The pop-up, while nice that Google is trying to help, is at best vague and unhelpful for the very reasons others above have listed.
The biggest problem is not with the pop-up, but instead with the Blog Post itself. It says nothing.
What malware is it detecting?! What strain, give us the popular names that the security community is using for the malware.
There are literally hundreds of new malware/virii released into the wild every day.
You don't need to provide exact details in the pop-up but at least be complete with you research and dissemination of the information.
Thanks to everyone for the comments and discussion. I've updated the post with some additional details to address the most common questions.
On point three you are dealing with technicalities about where you place the warning on the Google page, and what it would take to compromise the warning on the Google page. True, the actual Google notice isn’t a risk to additional users. But what about fake notices that look like the Google alert on other web sites. Because this comes from Google, and people have some degree of trust in the Google brand, people will have less reluctance to click in the link in your notice.
Before if someone were to see a fake AV ad that associates itself with Google, it could be rejected immediately. But now, a fake AV add making that claim might seem more believable, because people will know that Google does in fact offer that service. Not only that, Google has established a visual design that furthers that degree of trust. This has never been the case before. Think of it from the view of an average web surfer who encounters a forged ad on some 3rd party web site. Sure, they’re not on the Google page, but hey, it looks like the Google Ad, It Says it’s from Google, and they know Google does this kind of thing (and may not know it’s only valid on the Google page). So it’s *click*, and game over.
I’m glad to hear you’ve helped hundreds of thousands of users, but I don't know that I'd go as far as saying that the notice is not a risk to additional users.
Mr. Lembo and othres, my extensive experience indicates that Malwarebytes AntiMalware (http://www,malwarebytes.org) is currently the best tool around for killing fake AV. In most cases it just runs and kills the fake. Sometimes it requires some trickery such as renaming the installer and/or executable. In extreme cases it requires manual fixes to re-enable safe mode before installing and running. I carry some .reg files with me; http://blog.didierstevens.com/2007/02/19/restoring-safe-mode-with-a-reg-file/.
(links purposefully not active)
I'm sorry to say this, but one way to get confronted with an attempt to install this Fake AV software is by browsing for picture results with Google. The pictures in the search result do not open the picture in question, but instead open a fake virus detection notice box and immediately start a fake scan of what seems to be your own hard drive and files. You can not close the Internet Explorer tab and you have to kill IE to get rid of it. If you fail to do so or follow through with what they tell you to do, you will get that Fake AV malware installed. It's time that Google does something about these fake picture found results that have been manipulated to land you on a malware site. It's also time that Microsoft changes IE so that it becomes less susceptible to these kind of attacks, but that counts for the other browsers as well.
Amnon, I have seen that 1000s of times. Have you found it to be only IE and if so what version?
At first i got scared. "I said Google showing such a message" then thanx to this post. My doubts were clear.
1) Fake AV pages are rampant. The fact that they are on pages with odd URLS does not matter, people don't pay attention. Plus, there are lots of ways to hide the URL, or make it look reasonable.
2) Google is a terrific source of hacking data and always has been. Until they borked the svn server, google code held a list of known password drop boxes. At least a third, and probably more phished passwords transit Google. However, these are for non-Google hacked accounts. As soon as Google is somewhat threatened, though, they spring into action. With an ill-conceived plan. Not impressed, folks.
Very nice, but I think this should definately be made more public: If someone sees this message he might think it's fake.
Why not post a notice on the normal Google start page about this feature?
I think most people would appericiate this.
This is just an off the wall idea. I don't know how much of a load it would be on the servers but there are "blacklist" sites out there... I use WOT on my firefiox if you've never seen it... www.mywot.com
May a flag (red yellow green or something) when a link is on a blacklist?
I am planing something like this on a local access point that's in the works here
Can google provide a Chrome USB stick, that user can boot his windows computer off of, so that computer becomes a Chrome computer.
That link "Learn how to fix this" needs to be removed. I would not be surprised that the hackers have already made something that looks just like it with that link going to something malicious. A warning that the machine is compromised and they need the machine cleansed by a geek and new AV software installed is enough. Do not provide links and make that an established principle of these warnings.
Silly rabbits! Google isn't doing this to let the end user know that they might be infected. One commenter even pointed out the fact that a/v software can not remediate an unknown infection. Google is telling the attackers in a polite way to knock it off before google lays a smack down. I'm sure that the google team has been aware of this packet interception and manipulation for some time. They have collected the necessary identifying information and decided to play cat and mouse for fun. Google has resources that vastly overshadow even some governments. A group of hackers isn't a direct threat to google, hence the polite "Hey, we know who you are and what you're up to. Knock it off!"
This should surely help my business. One obstacle in winning new customers is that people just don't know their computers are infected. This may help to overcome that.
my google is hacked.
whenever i search for any thing on google.co.uk it goes on to a different sometimes dangerous site. please help.
Post a Comment