The Recycle Bin

A repository of comments, code, and opinions.


Google’s Malware Detection: Worthless at Best


Dangerous at worst.

Google has rolled out a new feature where it attempts to inform people that it thinks they are browsing from malware-infected PCs.  It’s a noble idea, and I don’t want to rag on them too much, but it is also a terrible idea.  Most of the time I would say something like ‘at least someone is trying.’  But I can’t with this one.  There are so many problems with the idea in general, and their advice is so unbelievably wrong it borders on malicious.

How It Works

When you do a search on Google.com, Google will look at the IP address of the incoming web request and compare it to a list of IP addresses used by known malicious proxies.  If it’s on that list, your results page will show a banner that says something like: “Your computer appears to be infected” and then link you to their wonderfully ignorant help page: http://www.google.com/support/websearch/bin/answer.py?answer=1182191

When you do a search on Google, your web browser is sending a request to Google’s servers.  When Google receives this request, one of the fields in it is your computer’s IP address – think of it as a return address on an envelope.  Malware is able to modify your machine so that every web request you make is routed to one of their “proxy” servers.  Once the request hits their server, they can read it, modify it, or do whatever they like, and then forward it on to the site you were trying to reach.  Now, when that site (Google in this case) gets the request, the return address isn’t your computer but the malware’s proxy.  Google will do the search, send the page to the proxy, and the proxy will send it back to you.  You likely have no idea that this proxy is siphoning your requests and watching everything you do.  I made a slideshow demonstrating the concept:

So what Google is attempting to do here is look at the IP address of the request and if it is from a known malicious proxy, include this malware warning banner at the top of the results.

What’s Wrong With it?

Look at the “Malware Response” part of the slides and see how the response also gets routed through the malware proxy.  That proxy is able to edit the page that Google sends back and is in complete control of the content.  They could replace the banner to say “Your computer is infected with malware, click here to download antivirus software” and then link them to a fake antivirus Trojan that could extort money.  Every link on this page could be modified to point to more Trojans: http://www.google.com/support/websearch/bin/answer.py?answer=8091.  How many users are going to think that this fake antivirus program is legitimate now that Google is pointing them there?   This just shows a complete lack of technical understanding by Google, and advice from a source like that is always the worst type of advice.

What Should They Have Done?

Nothing.  There is absolutely nothing a remote website can do if your computer has been modified by malware.  A remote site cannot even accurately warn you that you are infected, because the proxy can just remove the warning before the page reaches your machine.  All of the advice given here to fix your machine once it is infected is as worthless as snake oil.  The only thing you can do to remove malware from an already infected machine is to reformat it and start over.  If you are lucky and have a backup that you trust, you could try reverting to that.
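To make the round trip from “How It Works” and the point just made concrete, here is a small Python model of the three parties (added here as an illustration; it is not code from this post or from Google). The proxy address list and the banner text are constructed placeholders, and the proxy is modelled as simply removing the warning on the way back.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed placeholders: the block list and banner text are illustrative, not Google's.
KNOWN_PROXY_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
BANNER = '<div class="warning">Your computer appears to be infected</div>'


def is_known_proxy(source_ip: str) -> bool:
    """The server-side check the post describes: is the request's return address on the list?"""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in KNOWN_PROXY_NETS)


def search_server(source_ip: str, query: str) -> Tuple[bool, str]:
    """Model of the search site: build a results page, prepend the banner if the IP is listed."""
    flagged = is_known_proxy(source_ip)
    page = f"<html><body><h1>Results for {query}</h1></body></html>"
    if flagged:
        page = page.replace("<body>", "<body>" + BANNER, 1)
    return flagged, page


def malware_proxy(proxy_ip: str, query: str, strips_warning: bool) -> Tuple[bool, str]:
    """Model of the interposed proxy: it forwards the search under its own address, so the
    server sees proxy_ip as the return address, and it controls the page on the way back."""
    flagged, page = search_server(proxy_ip, query)
    if strips_warning:
        page = page.replace(BANNER, "")  # the in-band warning never reaches the victim
    return flagged, page


def browse(query: str, client_ip: str, proxied_via: Optional[str] = None,
           proxy_strips_warning: bool = True) -> dict:
    """Run one search and report what the server decided versus what the user actually saw."""
    if proxied_via is None:
        flagged, page = search_server(client_ip, query)
    else:
        flagged, page = malware_proxy(proxied_via, query, proxy_strips_warning)
    return {"server_flagged": flagged, "user_saw_warning": BANNER in page}


if __name__ == "__main__":
    print(browse("weather", "192.0.2.10"))                                  # clean machine
    print(browse("weather", "192.0.2.10", proxied_via="203.0.113.45"))      # infected, banner stripped
    print(browse("weather", "192.0.2.10", proxied_via="203.0.113.45",
                 proxy_strips_warning=False))                               # infected, banner shown
```

The second case is the whole problem: the server correctly flagged the proxy, yet the user never saw the banner, so the server has no way to know whether its warning was delivered.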

Please, please, please, please, please do not click on any banner or link that tells you that your computer is infected.  This has been common advice to battle fake antivirus Trojans for a while now, but apparently Google wasn’t listening.

Written by Nathan

July 24, 2011 at 11:52 pm

Posted in Security, Web
