Google: Your Computer Appears to be Infected

 Google has announced they will begin displaying an alert at the top of a search results page when the search appears to result from a particular bit of malware. The alert warning reads "your computer appears to be infected" and provides a link for assistance.

According to Google, the initiative took place after engineers performing routine database analysis noticed unusual traffic patterns, tracked it to a specific strain of malware, and subsequently implemented the alerting. Google hasn't explicitly stated which malware was responsible, but the help file the Google alert points to discusses HOSTS file modification and, specifically, the address 74.125.45.100.

The HOSTS file supersedes DNS for domain name to IP address resolution and thus is a favorite target of malware authors. For example, by modifying the HOSTS file on your computer, attackers can ensure that any attempt to access www.google.com will instead get directed to their own server. In the redirect case that Google investigated, that redirect was apparently through 74.125.45.100 - an IP address affiliated with scareware.

Because a rogue server is actually handling the Google search traffic, attackers are able to insert malicious search results which appear (to the infected user) to be from Google, but in fact are resulting from the rogue server (in this case, 74.125.45.100). In other words, the results you see may not be the results that Google intended.

This ability to manipulate Google search results (or any Web page) via such a redirect means that ultimately it's possible the attackers could also remove the "Your computer appears to be infected" Google alert. Thus while it's great that Google is taking this step to warn users, it's not clear from the Google blog post or the help file as to whether the alerting mechanism is any more foolproof.

The best way to check for such redirects is to examine the HOSTS file yourself:

Windows users, see How to Edit the HOSTS File
Mac users, see How to Edit the HOSTS File in Mac OS X
Although the Google help file mentions only the 74.125.45.100 IP address, there are many other IP addresses reportedly involved with malicious Google search redirects, including the following:

74.55.47.101
89.149.210.113
96.44.181.245
69.31.81.22
69.93.33.159
64.86.17.32
76.73.37.251
84.16.244.61
89.149.225.48
209.97.213.153
178.17.165.3
67.205.118.186
78.159.110.50
89.149.210.170
67.205.118.177
67.205.118.178
212.95.49.93

Note this is not an exhaustive list. Any unexpected or unauthorized IP to domain mapping in your HOSTS file should be treated with suspicion.