Google Warns Of Malware Redirecting To Its Search Results
Do a search on Google, and you might get an unexpected surprise. A big notice at the top of your results warning that your computer has been infected with malware.
Here’s an example of how it looks:
What malware? Produced by whom? Google’s not giving any details there yet, simply blogging:
This particular malware causes infected computers to send traffic to Google through a small number of intermediary servers called “proxies.” We hope that by taking steps to notify users whose traffic is coming through these proxies, we can help them update their antivirus software and remove the infections.
The blog post itself has the fairly innocuous title of “Using data to protect people from malware.”
This is malware so threatening, so menacing that Google does unprecedented above-the-search results warnings, and Google describes it as an exercise in data analysis? How about: “Warning: Your Computer May Be Infected & Here’s How To Fix It.”
The post also doesn’t mention that the malware is restricted to Windows computers, nor does the help page make this clear. Indeed, the “fix” that the help file talks about is to run an anti-virus program. It doesn’t say exactly what malware that software should detect, if any.
The help page does provide, if you drill down, some guidance that your Windows hosts file will apparently be changed to reference the IP address of 18.104.22.168 along with some others.
Ironically, doing a search for the IP address quickly suggests that Google is concerned about “Windows Protection Suite,” which one site describes as a fake anti-virus software program.
The IP address, by the way, appears to be Google’s own. The program, I’m guessing, is routing the traffic eventually to Google after monitoring it or logging it for whatever reasons it has.
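The hosts-file change the help page describes can be checked for directly. This is an added example, not code from Google's help page or from this post: it parses hosts-file text and flags entries that pin a Google search hostname to a non-local address. The hostname pattern, the function names and the sample addresses (documentation ranges) are assumptions.

```python
import re

# Hostnames a hosts file has no ordinary reason to pin: google.com, www.google.com
# and country variants such as www.google.co.uk (pattern is an assumption of this example).
WATCHED = re.compile(r"^(?:[a-z0-9-]+\.)*google\.(?:com|[a-z]{2}|com?\.[a-z]{2})$")

# Local sink addresses: a mapping to these blocks a site rather than rerouting it.
LOCAL_SINK = {"127.0.0.1", "::1", "0.0.0.0"}

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop full-line and trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue                             # blank, comment-only or malformed line
        ip, names = fields[0], fields[1:]
        for name in names:                       # one address may carry several names
            yield line_no, ip, name.lower().rstrip(".")

def suspicious_entries(text):
    """Return mappings that point a watched search hostname at a non-local address."""
    return [(n, ip, host) for n, ip, host in parse_hosts(text)
            if WATCHED.match(host) and ip not in LOCAL_SINK]

# Constructed sample; the addresses are documentation-range placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
203.0.113.10    www.google.com google.com   # added by unknown software
203.0.113.10    WWW.Google.co.uk.
198.51.100.7    intranet.example.test
#203.0.113.10   www.google.de
"""

if __name__ == "__main__":
    for n, ip, host in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {n}: {host} -> {ip}")
```

On Windows the file to read is `%SystemRoot%\System32\drivers\etc\hosts`; pass its contents to `suspicious_entries` as a string.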
If you get one of these notices on a Windows computer and don’t already run an anti-virus program, well, that’s as good a reason as any. But it would sure be better if Google provided some more details.
Postscript: A Google spokesperson tells me via email, after I asked why the particular malware wasn’t named:
We detected a large number of variants of the malware. As a result, naming is not so straightforward. From a user’s perspective, it’s more important to understand that their computer is infected and that they should take steps to fix it. You may have noticed that there is a feedback form in our Help Center for people to report what they’ve found, and they can also ask questions about the results.
I also asked if we’d see more warnings like this going forward and was told:
We haven’t displayed this type of warning before, so we can’t say what we’ll do going forward. We came across this particular type of malware in the course of the work that’s described in the blog post, which is why we were able to take action in this case. As I mentioned, we realized we were in a position to use that information to help our users. Who knows if anyone else would have warned them?
The spokesperson also commented:
The title of your post is not quite accurate. The malware doesn’t redirect to Google’s search results, technically speaking. Something like “modifying traffic to its search results” would be more correct.
I’m uncertain, honestly, what else to change the title to. Originally I’d had the title of:
Google Warns Of Malware Changing Its Search Listings
That was clearly incorrect, and I fixed that a few minutes after the original post went up. There is malware that does alter Google’s search results. It’s a common question we get asked here at Search Engine Land, actually — why do my Google results look this odd way? Malware is often to blame.
That’s not what’s happening here. What is happening is unclear. This malware appears to be redirecting to Google itself, not necessarily its search results. But Google’s putting warnings into its search results, which suggests a search results connection of some type.
Bottom line. Malware isn’t new, nor have users of Windows computers been oblivious to it. Indeed, Windows itself will warn you of the need to protect against malware in various ways. I’m pretty sure Windows Defender even ships with Windows 7, or that Windows 7 at least warns you if you don’t have it installed.
Even if Windows Defender doesn’t detect this type of malware, it’s just not uncommon for Windows users to know they need to have anti-virus / malware detection software. It is uncommon, extremely uncommon, for Google to suddenly issue what seems to be an urgent warning about a particular type of malware.
Over at Krebs On Security, they appear to have interviewed the Google engineer who spotted the malware, which does suggest that the malware was indeed altering search results.