Google discovers more than a million infected PCs

Infosecurity notes this situation is caused by the fact that Google load balances its search engine requests across its global network, meaning that almost all search requests are re-routed from Google's front end systems to one of its many data centres around the world.

When one of its front end systems is taken offline, no search requests would then be forwarded to the relevant data centres.

On investigation, Google's security engineer Damian Menscher was able to spot a network of user computers whose web browser was pinging the data centres directly, presumably by a piece of malware that generates poisoned search routines.

According to the Krebs on Security newswire, Menscher found that the `offline' data centre was still receiving thousands of requests per second.

Interestingly, security researcher Brian Krebs says that the malware was designed to hijack results when users search for keywords at Google.com and other major search engines.

"Ironically, the traffic wasn't search traffic at all: The malware instructed host PCs to periodically ping a specific Google internet address to check whether the systems were online", he says in his latest security posting.

Menscher told Krebs that the malware apparently arrives on victim desktops as scareware (fake AV) programs and he suspects that the fake AV program either ships with - or later downloads - the search hijacker component code.

Krebs goes on to say that the malware intercepts traffic destined for high profile domains like google.com, yahoo.com and bing.com, and routes it through intermediate hosts controlled by the attackers.

The proxies, he asserts, are used to modify the search results that a victim sees for any given search term, and to redirect traffic to pay-per-click schemes that pay for traffic to specific web sites.

"Fortunately, the traffic generated by the malware has a unique signature that Google is able to use to alert victims" he says, adding that Google is also placing a prominent notification at the top of victims' search results that it includes links to resources to help remove the infection.

Google, he concludes, should be applauded for alerting users, but the hard work will be in the clean-up as search hijackers are notorious for blocking users from visiting antivirus web sites or other popular sources of malware removal tools.

 

What’s Hot on Infosecurity Magazine?