Google to show malware warning in search results

20 Jul 2011

Google isn’t adding antivirus to the list of software it provides, but the company has begun telling some users if their computers have been infected by displaying a message on the search page.

From yesterday, some people using Google’s search engine will see a warning message saying: “It appears that your computer is infected with software that intercepts your connection to Google and other sites”. It then links to a page with information about how to fix the problem.

Writing on Google’s official blog, security engineer Damian Menscher said: “This particular malware causes infected computers to send traffic to Google through a small number of intermediary servers called ‘proxies’. We hope that by taking steps to notify users whose traffic is coming through these proxies, we can help them update their antivirus software and remove the infections.”

Explaining how this feature came about, Menscher said “unusual patterns of activity” in search traffic emerged during routine maintenance at one of Google’s data centres. On closer inspection and after collaborating with security engineers at several companies that were sending this modified traffic, Google determined that computers behaving this way were infected with a particular strain of malicious software.

Google didn’t identify which strain of malware it was, and there are several possible explanations for this. One is simply to avoid confusing computer users by diluting the message. Another is that malware names, with a few exceptions, are no longer a very useful guide. James Lyne, technology strategy and security expert of Sophos, said on a recent visit to Dublin that naming conventions for malware have fallen by the wayside to an extent because cyber criminals crank out so much of it, and because the variations have sufficient differences in the underlying code to make it harder to trace their roots back to one ‘family’.

Commentary below the post pointed out that Google’s tactic, though helpful, is likely to be hijacked by scammers who will use similar wording and messages to trick people into downloading fake antivirus software or to direct them to infected sites.

Gordon Smith was a contributor to Silicon Republic